Re: Restricting incoming connections

From: Paul Tader (ptader@linuxscope.com)
Date: Tue Jul 04 2006 - 22:37:05 CDT


Sandy Drobic wrote:
> Paul Tader wrote:
>> Wietse Venema wrote:
>>> Paul Tader:
>>>> A client has signed up with a third party company, Postini
>>>> (postini.com)
>>>> to do additional filtering. I want to configure the local postfix server
>>>> to now accept only incoming smtp connections from the Postini network
>>>> instead of the entire Internet. Previously, this host was the MX
>>>> server.
>>>>
>>>> I set up "mynetworks" to be:
>>>>
>>>> mynetworks = 216.141.226.0/28, 123.456.789.16/28 10.1.10.0/24
>>>> (Postini's network, DMZ, Internal network)
>>>>
>>>> and configured smtpd_recipient_restrictions in main.cf:
>>>>
>>>> smtpd_recipient_restrictions =
>>>> hash:/etc/postfix/access
>>> That will permit spam that has the right recipient address
>>>
>>>> permit_mynetworks,
>>>> reject_unauth_destination,
>>> That will permit spam that has the right destination domain.
>>>
>>> Why not replace reject_unauth_destination by reject.
>>>
>>> Wietse
>>>
>>
>> When I made the changes above, mail was rejected.
>>
>> With only these lines
>>
>> smtpd_recipient_restrictions =
>> permit_mynetworks,
>> reject
>>
>> ...caused:
>>
>> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: connect from
>> exprod8mx27.postini.com[64.18.3.127]
>> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: 442E469784:
>> client=exprod8mx27.postini.com[64.18.3.127]
>> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: 442E469784: reject: RCPT from
>> exprod8mx27.postini.com[64.18.3.127]: 554
>> <exprod8mx27.postini.com[64.18.3.127]>: Client host rejected: Access
>> denied; from=<ptader@linuxscope.com> to=<a.user@mydomain.com> proto=SMTP
>> helo=<psmtp.com>
>>
>>
>> A clarification. In my original email I mentioned that this was the
>> only MX server for this site. Besides receiving email from Postini, it
>> will still send email for this domain, and DNS is configured as such.
>
> Of course, the ip of the sending Postini server was not in mynetworks.
>
> Sandy
>

Sorry, my fault. What I meant to post was:

mynetworks = 64.18.0.0/28, 123.456.789.0/28, 10.1.10.0/24 (Postini,
DMZ, private LAN).

Problem persists. Thanks for any pointers.

Paul
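The following is an added check, not part of the thread above and not Postfix code: it models how `mynetworks` membership drives `smtpd_recipient_restrictions = permit_mynetworks, reject`, using the `mynetworks` value and the rejected client address quoted in the messages above as constructed sample input. It shows which addresses a /28 actually covers, so the reader can verify for any client IP in the log whether the configured block contains it. The `/16` used in the usage line is an illustrative assumption about CIDR width, not a statement of Postini's real address allocation; the model also ignores `mynetworks` features such as `!` negation and table lookups.

```python
import ipaddress

# Constructed sample values copied from the thread: the mynetworks line as
# posted, and the client that Postfix logged as "Client host rejected".
MYNETWORKS = "64.18.0.0/28, 123.456.789.0/28, 10.1.10.0/24"
REJECTED_CLIENT = "64.18.3.127"


def parse_mynetworks(value):
    """Parse a Postfix mynetworks value (IP addresses and CIDR blocks,
    separated by commas and/or whitespace) into ip_network objects.

    Entries that are not valid networks (e.g. the 123.456.789.0/28
    placeholder from the thread) are returned separately rather than
    silently dropped; Postfix itself would warn about them at startup.
    """
    networks, invalid = [], []
    for entry in value.replace(",", " ").split():
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append(entry)
    return networks, invalid


def covered_range(cidr):
    """Return the first and last address of a CIDR block as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def matches_mynetworks(client_ip, networks):
    """True if the client address falls inside any configured network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def recipient_decision(client_ip, mynetworks):
    """Model 'smtpd_recipient_restrictions = permit_mynetworks, reject':
    a client inside mynetworks is permitted, every other client is rejected
    at RCPT TO, which is what the 554 line in the thread shows."""
    networks, _ = parse_mynetworks(mynetworks)
    return "permit" if matches_mynetworks(client_ip, networks) else "reject"


if __name__ == "__main__":
    first, last = covered_range("64.18.0.0/28")
    print(f"64.18.0.0/28 covers {first} .. {last}")
    print(f"{REJECTED_CLIENT} with posted mynetworks:",
          recipient_decision(REJECTED_CLIENT, MYNETWORKS))
    # Hypothetical wider block, used only to show the arithmetic.
    print(f"{REJECTED_CLIENT} with 64.18.0.0/16:",
          recipient_decision(REJECTED_CLIENT, "64.18.0.0/16"))
    _, bad = parse_mynetworks(MYNETWORKS)
    print("entries Postfix cannot parse:", bad)
```

Run it against the real `mynetworks` value from `postconf -n mynetworks` and the `client=` address from the `smtpd` log line before changing anything; if the decision is "reject" for a host that should be allowed, the block in `mynetworks` does not contain that host and the restriction list is behaving exactly as configured.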