Re: Restrict external hosts

From: Vernon A. Fort (vfortprovident-solutions.com)
Date: Mon Mar 02 2009 - 16:58:43 CST


Noel Jones wrote:
> Vernon A. Fort wrote:
>> I have a setup which we use an external mail filtering service and
>> need to limit/restrict external client access. Meaning the MX for
>> the domain points to the filtering service and they relay checked
>> email. I need to limit access to just these network blocks but also
>> allow sasl authenticated as well as the internal network.
>>
>> I also do not want to blindly trust this service so i would like to
>> check the IP address as well as ensuring the recipient is for my domain.
>>
>> can someone point me to an example or man page. I cannot seem to
>> find anything related to limiting inbound smtp clients/servers.
>>
>> Vernon
>
> Minimal config:
>
> # main.cf
>
> # do not include filter service IPs in mynetworks
> mynetworks = 127.0.0.0/8 ...
> smtpd_recipient_restrictions =
> permit_sasl_authenticated
> permit_mynetworks
> reject_unauth_destination
> check_client_access cidr:/etc/postfix/filter_service
> reject
>
> # filter_service
> 192.1.0.0/24 OK
> ... other cidr ranges filter service uses ...
>
>
> -- Noel Jones
Hey Noel,
  What I have now under the smtpd_*_restrictions:

smtpd_sender_restrictions =
smtpd_client_restrictions =
smtpd_etrn_restrictions = reject
smtpd_recipient_restrictions =
       reject_non_fqdn_sender,
       reject_non_fqdn_recipient,
       permit_sasl_authenticated,
       permit_mynetworks,
       reject_unauth_destination,
       check_helo_access .....
       check_sender_access ...
       check_client_access (for whitelisting client sites - just in case they get RBL listed)
       reject_rbl_client ....
       permit
smtpd_data_restrictions =
       reject_unauth_pipelining,
       permit

What I'm 'thinking' of is:

smtpd_sender_restrictions =
smtpd_client_restrictions =
       permit_sasl_authenticated,
       permit_mynetworks,
       check_client_access cidr:/etc/postfix/filter_service.cidr,
       reject

The filter_service.cidr would look like
    1.2.3.4/29 OK
    1.2.4.4/29 OK
    0.0.0.0/0 REJECT

Would it be redundant to have the permit_sasl and permit_mynetworks
under both the smtpd_client and smtpd_recipient?

Vernon
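To see how the two restriction lists above interact (Postfix evaluates each list separately at RCPT TO, a permit result ends only the list it appears in, a reject ends the request, and a cidr: table returns its first matching line), here is an added Python model of the proposed configuration. It is not code from this thread or from Postfix itself; the filter-service ranges, mynetworks, the accepted domain and the sample clients are constructed stand-ins for the values elided in the post.

```python
"""Model of how Postfix walks the smtpd_*_restrictions lists from the thread.

Added example, not code from the thread or from Postfix. Modelled behaviour:
  - each restriction list is evaluated separately, in order (client, recipient);
  - within a list, a permit result ends that list only, a reject ends the
    whole request, and DUNNO moves on to the next restriction;
  - cidr: tables return the first matching entry in file order.
All networks, domains and client addresses below are constructed samples.
"""
import ipaddress

MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]  # filter service deliberately not listed
MYDESTINATION = {"example.com"}            # domains we accept mail for (constructed)

# Stand-in for /etc/postfix/filter_service.cidr, using documentation ranges
# in place of the thread's 1.2.3.4/29 and 1.2.4.4/29.
FILTER_SERVICE_CIDR = """
192.0.2.0/29    OK
198.51.100.0/29 OK
0.0.0.0/0       REJECT
"""

CLIENT_RESTRICTIONS = [
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "check_client_access cidr:/etc/postfix/filter_service.cidr",
    "reject",
]
RECIPIENT_RESTRICTIONS = [
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
    "permit",
]


def parse_cidr_table(text):
    """Parse 'network ACTION' lines into a list that preserves file order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action = line.split(None, 1)
        rows.append((ipaddress.ip_network(net, strict=False), action.strip().upper()))
    return rows


FILTER_TABLE = parse_cidr_table(FILTER_SERVICE_CIDR)


def cidr_lookup(table, ip):
    """First match wins, as in Postfix cidr: tables; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    for net, action in table:
        if addr in net:
            return action
    return None


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in MYNETWORKS)


def evaluate_restriction(name, client_ip, rcpt_domain, sasl):
    """Return 'PERMIT', 'REJECT' or 'DUNNO' for a single restriction."""
    if name == "permit_sasl_authenticated":
        return "PERMIT" if sasl else "DUNNO"
    if name == "permit_mynetworks":
        return "PERMIT" if in_mynetworks(client_ip) else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if rcpt_domain in MYDESTINATION else "REJECT"
    if name.startswith("check_client_access cidr:"):
        action = cidr_lookup(FILTER_TABLE, client_ip)
        return {"OK": "PERMIT", "REJECT": "REJECT"}.get(action, "DUNNO")
    if name in ("permit", "reject"):
        return name.upper()
    raise ValueError(f"unmodelled restriction: {name}")


def evaluate_list(restrictions, client_ip, rcpt_domain, sasl):
    """Walk one list; the first non-DUNNO result decides that list."""
    for name in restrictions:
        result = evaluate_restriction(name, client_ip, rcpt_domain, sasl)
        if result != "DUNNO":
            return result
    return "DUNNO"  # end of list without a decision: the next list still runs


def decide(client_ip, rcpt_domain, sasl=False, client_restrictions=None):
    """Overall verdict at RCPT TO: a reject from any list wins."""
    if client_restrictions is None:
        client_restrictions = CLIENT_RESTRICTIONS
    for restrictions in (client_restrictions, RECIPIENT_RESTRICTIONS):
        if evaluate_list(restrictions, client_ip, rcpt_domain, sasl) == "REJECT":
            return "REJECT"
    return "PERMIT"


if __name__ == "__main__":
    # Same client list minus the SASL permit, to probe the redundancy question.
    no_sasl = [r for r in CLIENT_RESTRICTIONS if r != "permit_sasl_authenticated"]
    for label, ip, dom, sasl, cl in [
        ("filter service -> our domain", "192.0.2.3", "example.com", False, None),
        ("filter service -> foreign domain", "192.0.2.3", "other.example", False, None),
        ("unknown host -> our domain", "203.0.113.9", "example.com", False, None),
        ("SASL user anywhere -> foreign domain", "203.0.113.9", "other.example", True, None),
        ("same SASL user, no permit_sasl in client list", "203.0.113.9", "other.example", True, no_sasl),
    ]:
        print(f"{label:48} {decide(ip, dom, sasl, cl)}")
```

Running it shows why the entries are not simply redundant: because the client list ends in a catch-all reject (and the cidr file's `0.0.0.0/0 REJECT` line triggers it even earlier), `permit_sasl_authenticated` and `permit_mynetworks` in that list are what let an authenticated or LAN client get as far as the recipient list at all, while `reject_unauth_destination` in the recipient list is what stops the trusted filter service from relaying to domains that are not yours.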