Re: Restricting incoming connections
From: Sandy Drobic (postfix-users
japantest.homelinux.com)
Date: Mon Jul 03 2006 - 00:26:06 CDT
Paul Tader wrote:
> Wietse Venema wrote:
>> Paul Tader:
>>> A client has signed up with a third party company, Postini (postini.com)
>>> to do additional filtering. I want to configure the local postfix server
>>> to now accept only incoming smtp connections from the Postini network
>>> instead of the entire Internet. Previously, this host was the MX server.
>>>
>>> I set up "mynetworks" to be:
>>>
>>> mynetworks = 216.141.226.0/28, 123.456.789.16/28 10.1.10.0/24
>>> (Postini's network, DMZ, Internal network)
>>>
>>> and configured smtpd_recipient_restrictions in main.cf:
>>>
>>> smtpd_recipient_restrictions =
>>> hash:/etc/postfix/access
>> That will permit spam that has the right recipient address
>>
>>> permit_mynetworks,
>>> reject_unauth_destination,
>> That will permit spam that has the right destination domain.
>>
>> Why not replace reject_unauth_destination by reject.
>>
>> Wietse
>>
>
> When I made the changes above, mail was rejected.
>
> With only these lines
>
> smtpd_recipient_restrictions
> permit_mynetworks,
> reject
>
> ...caused:
>
> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: connect from
> exprod8mx27.postini.com[64.18.3.127]
> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: 442E469784:
> client=exprod8mx27.postini.com[64.18.3.127]
> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: 442E469784: reject: RCPT from
> exprod8mx27.postini.com[64.18.3.127]: 554
> <exprod8mx27.postini.com[64.18.3.127]>: Client host rejected: Access
> denied; from=<ptader linuxscope.com> to=<a.user mydomain.com> proto=SMTP
> helo=<psmtp.com>
>
>
> A clarification. In my original email I mentioned that this was the
> only MX server for this site. Besides receiving email from Postini, it
> will still send email for this domain, and DNS is configured as such.
Of course, the ip of the sending Postini server was not in mynetworks.
Sandy
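
The check behind the reply above, as an added example that is not part of the original thread: it parses the posted `mynetworks` value, flags entries that are not valid networks, and lists rejected clients from the quoted log that match no listed network. The function names are this example's own, and the log lines are the thread's, rejoined onto single lines with the trailing from=/to= fields dropped.

```python
import ipaddress
import re

# mynetworks value exactly as posted in the thread. The DMZ entry is an
# obfuscated, invalid address; it is reported instead of silently ignored.
MYNETWORKS = "216.141.226.0/28, 123.456.789.16/28 10.1.10.0/24"

# Log lines from the thread, rejoined onto single lines.
LOG = """\
Jul 2 22:02:47 mail1 postfix/smtpd[1713]: connect from exprod8mx27.postini.com[64.18.3.127]
Jul 2 22:02:47 mail1 postfix/smtpd[1713]: 442E469784: reject: RCPT from exprod8mx27.postini.com[64.18.3.127]: 554 <exprod8mx27.postini.com[64.18.3.127]>: Client host rejected: Access denied
"""

REJECT_RE = re.compile(r"reject: RCPT from (\S+?)\[([0-9a-fA-F.:]+)\]")


def parse_mynetworks(value):
    """Split on commas and/or whitespace; return (networks, invalid_entries)."""
    nets, bad = [], []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            bad.append(item)
    return nets, bad


def rejected_outside_mynetworks(log, nets):
    """Return sorted (host, ip) pairs that were rejected and match no network."""
    misses = set()
    for m in REJECT_RE.finditer(log):
        host, ip = m.group(1), ipaddress.ip_address(m.group(2))
        # Membership is False when the address and network versions differ.
        if not any(ip in net for net in nets):
            misses.add((host, str(ip)))
    return sorted(misses)


if __name__ == "__main__":
    nets, bad = parse_mynetworks(MYNETWORKS)
    for entry in bad:
        print("invalid mynetworks entry:", entry)
    for host, ip in rejected_outside_mynetworks(LOG, nets):
        print(f"{host} [{ip}] rejected: not covered by mynetworks")
```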