Join Log in
Score:1
avatar Server

Issue blocking a user's account to send email through Postfix

cn flag
Fabrizio

When trying to block outgoing emails for a specific user both locally and outside I entered the Postfix configuration in main.cf SMTPD_Recipient_Restrictions = Check_sender_access hash: /etc/postfix/sender_access with this text [email protected] Reject then Postmap Sender_access for create the .db file.

Via webmail and with mail clients such as Thunderbird or Outlook everything is ok. Sending is locked either using port 25 and 465 ssl/tls but if the clients use port 587 with STARTTLs sending succeeds.

How to stop sending also via port 587 with mail clients?

postconf -n

alias_maps = hash:/etc/aliases, nis:mail.aliases, hash:/var/spool/postfix/plesk/aliases
authorized_flush_users =
authorized_mailq_users =
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 5
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10240000
meta_directory = /etc/postfix
mydestination = localhost.$mydomain, localhost, localhost.localdomain
myhostname = mydomain.my
mynetworks =
newaliases_path = /usr/bin/newaliases.postfix
plesk_virtual_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-3.5.9/README_FILES
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-3.5.9/samples
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_bind_address = xxx.xxx.xxx.xxx
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_milters = , inet:127.0.0.1:12768
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.2
smtpd_tls_protocols = TLSv1.2
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:30
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:30

postconf-M

smtp       inet  n       -       n       -       -       smtpd
cleanup    unix  n       -       n       -       0       cleanup
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
plesk_virtual unix -     n       n       -       -       pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames -q ${queue_id}
127.0.0.1:12346 inet n   n       n       -       -       spawn user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-srs
mailman    unix  -       n       n       -       -       pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
pickup     fifo  n       -       n       60      1       pickup
qmgr       fifo  n       -       n       1       1       qmgr
smtps      inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
submission inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
plesk_saslauthd unix y   y       n       -       1       plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

Plesk Obsidian 18.0.40.1 OS version: CentOS 7.9.2009 x86_64

124
0 + 0
Score:1
avatar Server
in flag
Gerald Schneider

check_sender_access belongs in smtpd_sender_restrictions, not in smtpd_recipient_restrictions.

0 + 0
cn flag
Fabrizio
I tried the change you suggested but it's the same with the port 587 so I saw that in master.cf there is this line `-o smtpd_sender_restrictions =` empty and I tried to comment with # and maybe I found the solution because now the user is also blocked on port 587 but don't know if this change can make other issue...
0
Reply
Score:1
anx avatar Server
fr flag
anx

You are offering submission services on two ports, with different option overrides:

  1. legacy STARTTLS on port 587 (submission in first column in master.cf)
  2. SMTP wrapped in TLS on port 465 (smtps in first column in master.cf)

You currently do not require auth on both those ports, yet override restrictions for only one:

smtps      inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
submission inet  n       -       n       -       -       smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

What I expect what you want is something like this: requiring auth on both ports, and only overriding sender and client restrictions, while still applying global recipient restrictions:

smtps      inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=
submission inet  n       -       n       -       -       smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=

If not overridden, your recipient restrictions from the main.cf file would then apply to both those services.

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

(unrelated: you may not want to allow authentication on port 25 - you are allowing connections without transport security there. When you override it for all (2) submission ports anyway, reconsider smtpd_sasl_auth_enable = yes in main.cf)

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.