Re: mynetworks=<empty> vs mynetworks=<default> (via mynetworks_style)

From: Alain Spineux (aspineux@gmail.com)
Date: Thu Nov 29 2007 - 14:01:14 CST


On Nov 29, 2007 8:09 PM, Wietse Venema <wietse@porcupine.org> wrote:
> Alain Spineux:
> > Hi
> >
> > I want to have mynetworks=<empty>
> > I mean no host taking advantage of the "mynetworks" advantage,
> > including 127.0.0.1 !
> >
> > If I set "mynetworks="
> > then, postfix use the default from mynetworks_style!
>
> No it doesn't.

How can I not trust you!
Then my problem is somewhere else,
and goes away if I set mynetworks to 0.0.0.0 !

I have

smtpd_sender_restrictions =
        permit_mynetworks,
        # permit_sasl_authenticated,
        # this policy verifies sender=username and more
        check_policy_service unix:private/egpolicy,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit

and

465 inet n - n - - smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o mynetworks=0.0.0.0

and force my webmail to login on port 465,
then my egpolicy is checked when sending email.

If I set
        -o mynetworks=
or remove this line (with mynetworks=127.0.0.0/8 in main.cf)
then my egpolicy is not checked

This is why I supposed mynetworks was using the default behavior of
mynetworks_style.

I know I can set smtp=<my_ip> in my webmail configuration
instead of localhost and keep mynetworks=127.0.0.1 but I want
to reproduce this config on multiple servers without too many changes.

Any idea what's wrong? And why does setting mynetworks=0.0.0.0 do what I want?

# postconf -c /kolab/etc/postfix_front -n
alias_database =
alias_maps =
broken_sasl_auth_clients = yes
command_directory = /kolab/sbin
config_directory = /kolab/etc/postfix_front
content_filter = smtpdup:127.0.0.1:10035
daemon_directory = /kolab/libexec/postfix
default_privs = kolab-n
disable_mime_input_processing = yes
disable_vrfy_command = yes
mail_owner = kolab
masquerade_domains =
message_size_limit = 20971520
mydestination =
mydomain = eg01.emailgency.loc
myhostname = eg01.emailgency.loc
mynetworks = 127.0.0.0/8
myorigin = $mydomain
queue_directory = /kolab/var/postfix_front
relay_domains = hash:$config_directory/relayed
relay_recipient_maps =
setgid_group = kolab-r
smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  reject_unlisted_recipient,
  check_client_access pcre:$config_directory/reject_client,
  check_sender_access pcre:$config_directory/reject_sender,
  check_recipient_access pcre:$config_directory/reject_recipient,
  check_recipient_access hash:$config_directory/domain_rbl,
  check_recipient_access hash:$config_directory/domain_greylist,
  permit
smtpd_restriction_classes = greylist_policy, reject_rbl
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions =
  permit_mynetworks,
  check_policy_service unix:private/egpolicy,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /kolab/etc/kolab/cert.pem
smtpd_tls_key_file = /kolab/etc/kolab/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
syslog_name = postfix_front
tls_random_source = dev:/dev/urandom
transport_maps = hash:/kolab/etc/postfix_front/transport

>
> With mynetworks at the default:

How do you set mynetworks=<default>, using postconf -e ?

>
> % telnet bristle smtp
> Trying 9.X.X.X...
> Connected to bristle.example.com.
> Escape character is '^]'.
> 220 bristle.example.com ESMTP Postfix
> mail from:<wietse>
> 250 2.1.0 Ok
> rcpt to:<wietse>
> 250 2.1.5 Ok
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> With "postconf -e mynetworks=" and "postfix reload"
>
> % telnet bristle smtp
> Trying 9.X.X.X...
> Connected to bristle.example.com.
> Escape character is '^]'.
> 220 bristle.example.com ESMTP Postfix
> mail from:<wietse>
> 250 2.1.0 Ok
> rcpt to:<wietse@example.com>
> 554 5.7.1 <wietse@example.com>: Relay access denied
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> Domains and IP addresses anonymized.
>
> Wietse

I suppose bristle is the name of the machine from which you
are issuing the telnet.

>
>
> > I use mynetworks=0.0.0.0 to reach my need.
> >
> > Do someone know a more official way ?
> >
> > Can 0.0.0.0 open a hole ?
> >
> > Regards.
> >
> > Alain
> >
> > --
> > Alain Spineux
> > aspineux gmail com
> > May the sources be with you
> >
> >
>
>

--
Alain Spineux
aspineux gmail com
May the sources be with you
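The behaviour Alain describes follows from the order of his smtpd_sender_restrictions list: Postfix walks the restrictions left to right and stops at the first one that returns OK or REJECT, so a webmail client connecting from 127.0.0.1 is permitted by permit_mynetworks before check_policy_service is ever consulted when mynetworks contains 127.0.0.0/8. The model below is an added example written for this page, not Postfix code nor anything from the thread; it simplifies the restriction semantics and stands in for the DNS check and the egpolicy daemon with constructed lookup tables. It assumes, as I understand Postfix's mynetworks parsing, that a bare address with no netmask is a single-host /32 pattern, so 0.0.0.0 matches no real TCP client and permit_mynetworks never fires, which is the same outcome an empty list gives.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed model of a Postfix-style smtpd_sender_restrictions walk.
# Not Postfix code: restriction semantics are simplified (assumption).

Attrs = Dict[str, str]
Cfg = Dict[str, object]
Result = Tuple[str, str]  # ("OK" | "REJECT" | "DUNNO", restriction name)


def parse_mynetworks(value: str) -> List[ipaddress.IPv4Network]:
    """Split a mynetworks value on spaces/commas. A bare address with no
    mask becomes a /32 (single host); ipaddress does that for us."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]


def permit_mynetworks(attrs: Attrs, cfg: Cfg) -> Result:
    client = ipaddress.ip_address(attrs["client_address"])
    if any(client in net for net in parse_mynetworks(str(cfg["mynetworks"]))):
        return ("OK", "permit_mynetworks")
    return ("DUNNO", "permit_mynetworks")


def check_policy_service(attrs: Attrs, cfg: Cfg) -> Result:
    # Stand-in for the unix:private/egpolicy daemon from the post: the
    # SASL login name must own the envelope sender (constructed table).
    owners: Dict[str, str] = cfg["sender_owner"]  # type: ignore[assignment]
    if owners.get(attrs["sender"]) != attrs.get("sasl_username"):
        return ("REJECT", "check_policy_service")
    return ("DUNNO", "check_policy_service")


def reject_non_fqdn_sender(attrs: Attrs, cfg: Cfg) -> Result:
    domain = attrs["sender"].rpartition("@")[2]
    if "." not in domain:
        return ("REJECT", "reject_non_fqdn_sender")
    return ("DUNNO", "reject_non_fqdn_sender")


def reject_unknown_sender_domain(attrs: Attrs, cfg: Cfg) -> Result:
    # Constructed stand-in for the DNS lookup Postfix would perform.
    domain = attrs["sender"].rpartition("@")[2]
    if domain not in cfg["resolvable_domains"]:  # type: ignore[operator]
        return ("REJECT", "reject_unknown_sender_domain")
    return ("DUNNO", "reject_unknown_sender_domain")


def permit(attrs: Attrs, cfg: Cfg) -> Result:
    return ("OK", "permit")


# Same order as the smtpd_sender_restrictions list in the post.
RESTRICTIONS: List[Callable[[Attrs, Cfg], Result]] = [
    permit_mynetworks,
    check_policy_service,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit,
]


def evaluate(attrs: Attrs, cfg: Cfg) -> Tuple[str, str, List[str]]:
    """Walk the list in order; the first OK or REJECT decides. Returns
    (verdict, deciding restriction, names of restrictions consulted)."""
    consulted: List[str] = []
    for restriction in RESTRICTIONS:
        verdict, name = restriction(attrs, cfg)
        consulted.append(name)
        if verdict != "DUNNO":
            return verdict, name, consulted
    return "DUNNO", "end-of-list", consulted


# Constructed scenario: webmail on the same host, logged in via SASL as
# "mallory", trying to send as alice@example.com.
BASE_CFG: Cfg = {
    "resolvable_domains": {"example.com"},
    "sender_owner": {"alice@example.com": "alice"},
}
WEBMAIL_SESSION: Attrs = {
    "client_address": "127.0.0.1",
    "sender": "alice@example.com",
    "sasl_username": "mallory",
}


def demo(mynetworks: str, attrs: Attrs = WEBMAIL_SESSION) -> Tuple[str, str, List[str]]:
    """Evaluate the webmail session under a given mynetworks value."""
    return evaluate(attrs, dict(BASE_CFG, mynetworks=mynetworks))


if __name__ == "__main__":
    for value in ("127.0.0.0/8", "0.0.0.0", ""):
        print(f"mynetworks={value!r:14} -> {demo(value)}")
```

With mynetworks=127.0.0.0/8 the walk ends at permit_mynetworks and the policy daemon is never asked, so the sender/login mismatch goes unnoticed; with 0.0.0.0 or an empty list the client is not in mynetworks, the policy restriction runs and rejects the spoofed sender. Running the honest case (sasl_username "alice") under 0.0.0.0 walks the whole list and ends at the final permit.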