Re: Restrict external hosts

From: Vernon A. Fort (no email)
Date: Mon Mar 02 2009 - 17:58:43 EST

  • Next message: MacShane, Tracy: "RE: mysql lookup errors"

    Noel Jones wrote:
    > Vernon A. Fort wrote:
    >> I have a setup which we use an external mail filtering service and
    >> need to limit/restrict external client access. Meaning the MX for
    >> the domain points to the filtering service and they relay checked
    >> email. I need to limit access to just these network blocks but also
    >> allow sasl authenticated as well as the internal network.
    >>
    >> I also do not want to blindly trust this service so I would like to
    >> check the IP address as well as ensuring the recipient is for my domain.
    >>
    >> Can someone point me to an example or man page? I cannot seem to
    >> find anything related to limiting inbound smtp clients/servers.
    >>
    >> Vernon
    >
    > Minimal config:
    >
    > # main.cf
    >
    > # do not include filter service IPs in mynetworks
    > mynetworks = 127.0.0.0/8 ...
    > smtpd_recipient_restrictions =
    >     permit_sasl_authenticated
    >     permit_mynetworks
    >     reject_unauth_destination
    >     check_client_access cidr:/etc/postfix/filter_service
    >     reject
    >
    > # filter_service
    > 192.1.0.0/24 OK
    > ... other cidr ranges filter service uses ...
    >
    >
    > -- Noel Jones
    Hey Noel,
      What I have now under the smtpd_*_restrictions:

    smtpd_sender_restrictions =
    smtpd_client_restrictions =
    smtpd_etrn_restrictions = reject
    smtpd_recipient_restrictions =
           reject_non_fqdn_sender,
           reject_non_fqdn_recipient,
           permit_sasl_authenticated,
           permit_mynetworks,
           reject_unauth_destination,
           check_helo_access .....
           check_sender_access ...
           check_client_access (for white listing client sites - just in case they get rbl listed)
           reject_rbl_client ....
           permit
    smtpd_data_restrictions =
           reject_unauth_pipelining,
           permit

    What I'm 'thinking' of is:

    smtpd_sender_restrictions =
    smtpd_client_restrictions =
           permit_sasl_authenticated,
           permit_mynetworks,
           check_client_access cidr:/etc/postfix/filter_service.cidr,
           reject

    The filter_service.cidr would look like
        1.2.3.4/29 OK
        1.2.4.4/29 OK
        0.0.0.0/0 REJECT

    Would it be redundant to have the permit_sasl and permit_mynetworks
    under both the smtpd_client and smtpd_recipient?

    Vernon
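
Added example (not part of the original thread, and not Postfix code): a small Python model of the restriction order in the quoted minimal config, showing that a filter-service address is still refused when the recipient is not a local domain. The domain set, the test addresses and the function names are assumptions; strict CIDR parsing sets aside patterns with host bits set, such as 1.2.3.4/29.

```python
import ipaddress

# Constructed sample tables, copied from the two messages in this thread.
NOEL_TABLE = "192.1.0.0/24 OK\n"
VERNON_TABLE = "1.2.3.4/29 OK\n1.2.4.4/29 OK\n0.0.0.0/0 REJECT\n"
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MY_DOMAINS = {"example.com"}  # assumption: stands in for the local domains


def load_cidr_table(text):
    """Parse 'pattern action' lines; return (rules, skipped_patterns)."""
    rules, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        try:
            # strict=True refuses patterns whose host bits are not zero
            rules.append((ipaddress.ip_network(pattern, strict=True), action))
        except ValueError:
            skipped.append(pattern)
    return rules, skipped


def cidr_lookup(rules, client_ip):
    """First matching pattern wins; None means no match."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr in net:
            return action
    return None


def decide(client_ip, rcpt_domain, sasl_auth, rules):
    """Walk the restrictions in the order of the quoted minimal config."""
    addr = ipaddress.ip_address(client_ip)
    if sasl_auth:
        return "permit_sasl_authenticated"
    if any(addr in net for net in MYNETWORKS):
        return "permit_mynetworks"
    if rcpt_domain.lower() not in MY_DOMAINS:
        return "reject_unauth_destination"
    if cidr_lookup(rules, client_ip) == "OK":
        return "check_client_access OK"
    return "reject"
```
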

          

