NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Postfix Discussion> 2007-11

Re: Addresses filtering for only one supported domain

From: mouss (mlist.onlyfree.fr)
Date: Fri Nov 30 2007 - 04:48:13 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Laurent Neiger wrote:
> Hi Mouss & postfixers folks,
>
> One question about the solution you've found before applying it :
>
>> mouss wrote:
>>> smtpd_recipient_restrictions =
>>> ...
>>> reject_unauth_destination
>>> # allow our gateway
>>> check_client_access cidr:/etc/postfix/trusted_client
>>> # block mail to main domain
>>> check_recipient_access hash:/etc/postfix/block_main_domain
>>> ...
>>>
>>>
>>> == trusted_client:
>>> 10.1.2.0/24 OK
>>>
>>> == block_main_domain:
>>> main.example.com REJECT
>>>
>>>
>>> In short:
>>> 1. if it is our gateway, allow
>>> 2. if it is to main domain, block (the gateway was allowed in step 1)
>
>
> What if a single mail is addressed to both my main domain and another
> one I host too ?
> e.g. An external mail w/ RCPT TO: usermain.example.com,
> user2myconference.com
>
> Will postfix split the source into 2 separated mails then apply
> smtpd_recipient_restrictions checks ?
>
> If not, this mail directly reaching my postfix w/o using the gateway
> will not match rule #1,
> and how will it deal with rule #2 ?
>

smtpd restrictions apply to each RCPT TO command (separately).

In short, the client will send an "RCPT TO:<fooexample.com>" and before
postfix replies, it performs the checks. then the client issues a second
"RCPT TO..." etc. mail data comes later (after the DATA command).

> I don't really know how to bench it and before applying this policy I'd
> like to be sure no
> bad border effects will occur...
>

connect from different IPs (one in the allowed list) and do
# telnet server 25
EHLO client.example.org
...
MAIL FROM:<postmasterfoo.example>
...
RCPT TO:<onepublic.example>
...
RCPT TO:<otherrestricted.example>
...
QUIT

look at the response to the RCPT TO command. if you come from an
unauthorized client, one of the RCPT TO will result in a reject.

> Once more TIA for your hints.
>
> Regards,
>
> Laurent.
>
>

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]