Re: Restricting incoming connections

From: Sandy Drobic (postfix-usersjapantest.homelinux.com)
Date: Wed Jul 05 2006 - 03:10:26 CDT


Paul Tader wrote:
> Sandy Drobic wrote:
>
>> Paul Tader wrote:
>>
>>> Wietse Venema wrote:
>>>
>>>> Paul Tader:
>>>>
>>>>> A client has signed up with a third party company, Postini
>>>>> (postini.com)
>>>>> to do additional filtering. I want to configure the local postfix server
>>>>> to now accept only incoming smtp connections from the Postini network
>>>>> instead of the entire Internet. Previously, this host was the MX
>>>>> server.
>>>>>
>>>>> I set up "mynetworks" to be:
>>>>>
>>>>> mynetworks = 216.141.226.0/28, 123.456.789.16/28 10.1.10.0/24
>>>>> (Postini's network, DMZ, Internal network)
>>>>>
>>>>> and configured smtpd_recipient_restrictions in main.cf:
>>>>>
>>>>> smtpd_recipient_restrictions =
>>>>> hash:/etc/postfix/access
>>>>>
>>>> That will permit spam that has the right recipient address
>>>>
>>>>
>>>>> permit_mynetworks,
>>>>> reject_unauth_destination,
>>>>>
>>>> That will permit spam that has the right destination domain.
>>>>
>>>> Why not replace reject_unauth_destination by reject.
>>>>
>>>> Wietse
>>>>
>>>>
>>> When I made the changes above, mail was rejected.
>>>
>>> With only these lines
>>>
>>> smtpd_recipient_restrictions
>>> permit_mynetworks,
>>> reject
>>>
>>> ...caused:
>>>
>>> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: connect from
>>> exprod8mx27.postini.com[64.18.3.127]
>>> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: 442E469784:
>>> client=exprod8mx27.postini.com[64.18.3.127]
>>> Jul 2 22:02:47 mail1 postfix/smtpd[1713]: 442E469784: reject: RCPT from
>>> exprod8mx27.postini.com[64.18.3.127]: 554
>>> <exprod8mx27.postini.com[64.18.3.127]>: Client host rejected: Access
>>> denied; from=<ptaderlinuxscope.com> to=<a.usermydomain.com> proto=SMTP
>>> helo=<psmtp.com>
>>>
>>>
>>> A clarification. In my original email I mentioned that this was the
>>> only MX server for this site. Besides receiving email from Postini, it
>>> will still send email for this domain, and DNS is configured as such.
>>>
>> Of course, the ip of the sending Postini server was not in mynetworks.
>>
>> Sandy
>>
>>
>
> Sorry, my fault. What I meant to post was:
>
> mynetworks = 64.18.0.0/28, 123.456.789.0/28, 10.1.10.0/24 (Postini,
> DMZ, private LAN).
>
The Postini IP is still not in your definition of mynetworks! You
probably wanted to include all hosts in 64.18.x.x where x is any
possible IP address.
Use 64.18.0.0/16 in that case. Though I definitely think Postini has too
many IP addresses, they should give some of them to poor little me!

Please check the documentation on CIDR notation.

Sandy
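The point of the thread is that the client address in the reject line (64.18.3.127) does not fall inside 64.18.0.0/28, so permit_mynetworks never matches and the trailing "reject" fires. The script below is an added example, not part of the mailing-list post or of Postfix itself: it parses a mynetworks value the way an administrator would read it, pulls the client IP out of a smtpd log line, and reports which network (if any) that IP falls into, so a mis-sized prefix shows up before mail is lost. The mynetworks string and the log line are constructed from the values quoted in the thread; the helper names (parse_mynetworks, client_ip_from_log, matching_network) are my own, and the example deliberately keeps the poster's invalid placeholder 123.456.789.0/28 so the invalid-entry path is exercised.

```python
import ipaddress
import re

# Constructed sample input, taken from the values quoted in the thread.
MYNETWORKS = "64.18.0.0/28, 123.456.789.0/28, 10.1.10.0/24"
LOG_LINE = ("Jul 2 22:02:47 mail1 postfix/smtpd[1713]: 442E469784: "
            "client=exprod8mx27.postini.com[64.18.3.127]")

# Matches the "client=hostname[ip]" fragment Postfix writes in smtpd logs.
CLIENT_RE = re.compile(r"client=[^\[]*\[([0-9a-fA-F.:]+)\]")


def parse_mynetworks(value):
    """Split a mynetworks value (comma and/or whitespace separated) into
    ip_network objects. Entries that are not valid CIDR blocks are returned
    separately instead of being silently dropped."""
    networks, invalid = [], []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in the network part,
            # e.g. 64.18.3.127/28, which Postfix also accepts.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append(entry)
    return networks, invalid


def client_ip_from_log(line):
    """Return the client IP from a smtpd log line, or None if absent."""
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def matching_network(ip, networks):
    """Return the first network (as a string) containing ip, else None.
    This mirrors the membership test permit_mynetworks performs."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def check_client(mynetworks_value, log_line):
    """Combine the pieces: which network, if any, covers the logged client."""
    networks, invalid = parse_mynetworks(mynetworks_value)
    ip = client_ip_from_log(log_line)
    return {
        "client_ip": ip,
        "matched": matching_network(ip, networks) if ip else None,
        "invalid_entries": invalid,
    }


if __name__ == "__main__":
    result = check_client(MYNETWORKS, LOG_LINE)
    print("client:", result["client_ip"])
    print("matched network:", result["matched"])
    print("invalid mynetworks entries:", result["invalid_entries"])
    # Widening the Postini entry to the /16 Sandy suggests makes it match.
    nets, _ = parse_mynetworks("64.18.0.0/16, 10.1.10.0/24")
    print("with 64.18.0.0/16:", matching_network(result["client_ip"], nets))
```

With the thread's values the client is reported as unmatched (a /28 covers only 64.18.0.0 through 64.18.0.15) and 123.456.789.0/28 is flagged as invalid; re-running with 64.18.0.0/16 reports a match. Whatever prefix is finally chosen, every address in it is trusted by permit_mynetworks, so the block should be no wider than the relay's published ranges.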