Discussion:
smtpd restrictions on mail that comes from certain servers
James Reynolds
2016-07-18 21:12:55 UTC
My server's MX records point to some servers that do spam filtering, which then send the mail to my server. However, some servers ignore the MX record and are connecting directly to my server (using the IP returned by the DNS A record, I presume). I am trying to set up smtpd restrictions for all incoming mail except when it comes from the servers I know about. I'm struggling to figure out how I'd do this.

I think the solution is to use check_helo_access by changing my main.cf like so:

smtpd_recipient_restrictions =
...
reject_unauth_destination
check_helo_access hash:/etc/postfix/helo_access
...
permit

Then inside of /etc/postfix/helo_access I don't know exactly what to put for the "everything else" condition.

.example.com OK
?? WARN

Does anyone have any ideas how I'd specify this? Would I have to use a pcre like the following?

/[^e][^x][^a][^m][^p][^l][^e][^\.][^c][^o][^m]$/ WARN

Would that even work? I think it's a valid regex and I think it's the best way to specify a not condition.

Or would I have to use a negative lookahead assertion (something I don't really understand)?

James Reynolds
Sr Systems Administrator
Department of Biology
The University of Utah
801-585-3086
Wietse Venema
2016-07-18 21:22:49 UTC
Post by James Reynolds
My server's MX records point to some servers that do spam filtering,
which then send the mail to my server. However, some servers ignore the
MX record and are connecting directly to my server (using the IP
returned by the DNS A record, I presume). I am trying to set up
smtpd restrictions for all incoming mail except when it comes
from the servers I know about. I'm struggling to figure out how
I'd do this.
I think the solution is to use check_helo_access by changing my
smtpd_recipient_restrictions = ... reject_unauth_destination
check_helo_access hash:/etc/postfix/helo_access
Use "check_client_access cidr:/etc/postfix/client_access" with
a table that "permit"s the IP addresses that are allowed to connect.

Wietse
James Reynolds
2016-07-18 21:30:45 UTC
Post by Wietse Venema
Post by James Reynolds
My server's MX records point to some servers that do spam filtering,
which then send the mail to my server. However, some servers ignore the
MX record and are connecting directly to my server (using the IP
returned by the DNS A record, I presume). I am trying to set up
smtpd restrictions for all incoming mail except when it comes
from the servers I know about. I'm struggling to figure out how
I'd do this.
I think the solution is to use check_helo_access by changing my
smtpd_recipient_restrictions = ... reject_unauth_destination
check_helo_access hash:/etc/postfix/helo_access
Use "check_client_access cidr:/etc/postfix/client_access" with
a table that "permit"s the IP addresses that are allowed to connect.
Wietse
Would it look like this?

smtpd_client_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_client_access cidr:/etc/postfix/client_access
# "deny" is not a Postfix restriction name; the catch-all is "reject"
reject

/etc/postfix/client_access
127.0.0.0/8 OK
[::1]/128 OK
# my networks OK

Is there any way to test this first? Would this work or is it pure silliness?

smtpd_client_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_client_access cidr:/etc/postfix/client_access
warn_if_reject reject
permit


James Reynolds
Sr Systems Administrator
Department of Biology
The University of Utah
801-585-3086
Michael Fox
2016-07-18 22:55:38 UTC
Post by James Reynolds
Does anyone have any ideas how I'd specify this? Would I have to use a
pcre like the following?
/[^e][^x][^a][^m][^p][^l][^e][^\.][^c][^o][^m]$/ WARN
If you choose to use pcre, see: http://www.postfix.com/pcre_table.5.html
It includes an example: !/<pattern>/<flags> <result>
Note that by default, matches are case insensitive (see -i flag)

Michael
Wietse Venema
2016-07-18 23:38:42 UTC
Post by James Reynolds
Post by Wietse Venema
Post by James Reynolds
My server's MX records point to some servers that do spam filtering,
which then send the mail to my server. However, some servers ignore the
MX record and are connecting directly to my server (using the IP
returned by the DNS A record, I presume). I am trying to set up
smtpd restrictions for all incoming mail except when it comes
from the servers I know about. I'm struggling to figure out how
I'd do this.
I think the solution is to use check_helo_access by changing my
smtpd_recipient_restrictions = ... reject_unauth_destination
check_helo_access hash:/etc/postfix/helo_access
Use "check_client_access cidr:/etc/postfix/client_access" with
a table that "permit"s the IP addresses that are allowed to connect.
Wietse
Would it look like this?
smtpd_client_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_client_access cidr:/etc/postfix/client_access
# "deny" is not a Postfix restriction name; the catch-all is "reject"
reject
/etc/postfix/client_access
127.0.0.0/8 OK
[::1]/128 OK
# my networks OK
I suppose that permit_mynetworks already takes care of those.
But you will want to add the networks of your primary MX provider.
Post by James Reynolds
Is there any way to test this first? Would this work or is it
pure silliness?
You can use XCLIENT to test how Postfix responds to a client with
an arbitrary name and IP address.

/etc/postfix/main.cf:
smtpd_authorized_xclient_hosts = 127.0.0.1
# Don't forget to "postfix reload".

Example:
$ telnet 127.0.0.1 25
220 server.example ESMTP Postfix
xclient name=mail.example.com addr=10.0.0.2
220 server.example ESMTP Postfix
ehlo mail.example.com
250-server.example
...
mail from:<>
250 2.1.0 Ok
rcpt to:<***@example.com>
454 4.7.1 <***@example.com>: Relay access denied

Logging:
Jul 18 19:30:07 server postfix/smtpd[4134]: NOQUEUE: reject:
RCPT from example.com[10.0.0.2]: 454 4.7.1 <***@example.com>:
Relay access denied; from=<> to=<***@example.com> proto=ESMTP
helo=<mail.example.com>

More at http://www.postfix.org/XCLIENT_README.html

Wietse
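An added example, not from the thread and not Postfix code, that models the two pieces of advice above offline: a first-match CIDR allow-list in the spirit of cidr:/etc/postfix/client_access (the "permit"s for known relays, then catch-all rejects), a fake smtpd that answers the way Postfix does once that table rejects a client, and an XCLIENT probe that replays the telnet dialogue Wietse shows. Everything here is constructed: 192.0.2.0/24 stands in for the filtering provider's networks, the fake server trusts XCLIENT from any peer (a real Postfix only honours it from smtpd_authorized_xclient_hosts), and the 554 reply is what the "reject" restriction produces at RCPT TO because smtpd_delay_reject defaults to yes.

```python
import ipaddress
import socket
import threading

# Constructed table in the spirit of cidr:/etc/postfix/client_access.
# As in a Postfix cidr table, the first matching rule wins, so the
# catch-all rejects go last.  192.0.2.0/24 is a placeholder (assumption)
# for the networks of the filtering provider named in the MX records.
CLIENT_ACCESS = [
    ("127.0.0.0/8", "permit"),
    ("::1/128", "permit"),
    ("192.0.2.0/24", "permit"),
    ("0.0.0.0/0", "reject"),
    ("::/0", "reject"),
]


def lookup_client_access(addr, table=CLIENT_ACCESS):
    """First-match lookup, the offline counterpart of 'postmap -q addr cidr:/path'."""
    ip = ipaddress.ip_address(addr)
    for net, action in table:
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        if ip in ipaddress.ip_network(net):
            return action
    return "dunno"  # no rule matched; the next restriction would decide


def _readline(rf):
    return rf.readline().decode("ascii", "replace").rstrip("\r\n")


def _fake_smtpd(srv, table):
    """Stand-in for smtpd: just enough dialogue to exercise the XCLIENT probe.

    Unlike Postfix, this fake accepts XCLIENT from any peer (assumption made
    for a loopback test); XCLIENT ADDR replaces the client address that the
    access table is consulted with, and the session restarts with a new banner.
    """
    conn, peer = srv.accept()
    with conn, conn.makefile("rb") as rf:
        send = lambda text: conn.sendall((text + "\r\n").encode())
        client_addr = peer[0]  # the real peer until XCLIENT overrides it
        send("220 server.example ESMTP Postfix")
        while True:
            line = _readline(rf)
            if not line:
                break
            verb, _, args = line.partition(" ")
            verb = verb.upper()
            if verb == "XCLIENT":
                for attr in args.split():
                    key, _, value = attr.partition("=")
                    if key.upper() == "ADDR":
                        # Postfix writes IPv6 as ADDR=IPV6:...; accept both forms.
                        client_addr = value[5:] if value.upper().startswith("IPV6:") else value
                send("220 server.example ESMTP Postfix")
            elif verb in ("EHLO", "HELO"):
                send("250-server.example\r\n250 XCLIENT NAME ADDR")
            elif verb == "MAIL":
                send("250 2.1.0 Ok")
            elif verb == "RCPT":
                # With smtpd_delay_reject=yes (the default) the verdict of
                # smtpd_client_restrictions only becomes visible at RCPT TO.
                if lookup_client_access(client_addr, table) == "permit":
                    send("250 2.1.5 Ok")
                else:
                    send("554 5.7.1 Client host rejected: Access denied")
            elif verb == "QUIT":
                send("221 2.0.0 Bye")
                break
            else:
                send("502 5.5.2 Error: command not recognized")


def xclient_probe(host, port, name, addr, rcpt="user@example.com"):
    """Replay the thread's XCLIENT dialogue and return the final RCPT TO reply line."""
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as rf:
        def cmd(line):
            s.sendall((line + "\r\n").encode())
            reply = []
            while True:
                part = _readline(rf)
                reply.append(part)
                if len(part) < 4 or part[3] != "-":  # "250-..." means more lines follow
                    break
            return reply
        _readline(rf)  # 220 banner
        cmd(f"XCLIENT NAME={name} ADDR={addr}")
        cmd(f"EHLO {name}")
        cmd("MAIL FROM:<>")
        rcpt_reply = cmd(f"RCPT TO:<{rcpt}>")
        cmd("QUIT")
        return rcpt_reply[-1]


def probe_fake(addr, name="mail.example.com", table=CLIENT_ACCESS):
    """Start the fake smtpd on a loopback port and probe it pretending to be `addr`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    worker = threading.Thread(target=_fake_smtpd, args=(srv, table), daemon=True)
    worker.start()
    try:
        return xclient_probe("127.0.0.1", srv.getsockname()[1], name, addr)
    finally:
        worker.join(5)
        srv.close()


if __name__ == "__main__":
    for client in ("192.0.2.10", "10.0.0.2", "2001:db8::1"):
        print(client, "->", probe_fake(client))
```

Against a real Postfix, point xclient_probe at the server after setting smtpd_authorized_xclient_hosts as above, and compare what it returns for an address inside the provider's range with one outside it; the fake server here only exists so the table logic and the probe can be exercised without a mail server.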
