Score:0

postfix restrict smtp sender based on ip address


I have a postfix server that I inherited many years ago. Originally it successfully controlled the sending of messages through authentication and IP addresses - if an authenticated user was sending from an IP address in 'mynetworks', it was allowed. Since then it's been through two major upgrades, from Lenny to Jessie in 2017 and from Jessie to Bullseye in 2022. It seems the IP address restriction requirement was lost with the Bullseye upgrade, and now authenticated users can send from any IP address.

All of the smtpd checks and restrictions in main.cf have historically been under smtpd_recipient_restrictions, with smtpd_helo/sender/data_restrictions all being empty. Here are the current settings:

smtpd_recipient_restrictions =
        reject_unlisted_recipient,
        permit_mynetworks,
        check_client_access    hash:/etc/postfix/GEN000_override,
        check_client_access  regexp:/etc/postfix/fqrdns.regexp,
        check_helo_access      hash:/etc/postfix/access,
        check_helo_access    regexp:/etc/postfix/helo_blacklist.regexp,
        check_sender_access    hash:/etc/postfix/blacklist,
        check_sender_access  regexp:/etc/postfix/sender_blacklist.regexp,
        check_sender_mx_access cidr:/etc/postfix/mx_access.txt,
        check_sender_access    hash:/etc/postfix/bdwl
        check_client_access    hash:/etc/postfix/broken_helos,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_non_fqdn_hostname,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/restricted,
        reject_unknown_client,
        reject_unknown_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net

Although I've learned a lot about postfix over the years, I still find the system daunting. Needless to say, lots of packages were replaced and perhaps of significance, we had to move from SquirrelMail to RoundCube for our web-based clients (most use Thunderbird). FWIW I did try...

smtpd_client_restrictions = permit_mynetworks, reject

...and this worked, but had the undesired side effect of bouncing all incoming mail from external sources (e.g. gmail.com) with 554 5.7.1 errors. I am hoping something simple was moved or lost during the upgrade. Pointers welcome!!

pmarkoulidakis
Assuming you are using Debian's default packages, Jessie shipped with Postfix 2.11.3, but Postfix merged "smtpd_client_restrictions" with relay in 2.10. So the problem was probably not caused when you upgraded to Bullseye. Please read the Postfix documentation to have a better understanding about the changes. https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
anx
Look at the [tag descriptions](https://serverfault.com/tags/postfix/info); I suspect you have different smtpd_mumble_restrictions for general exchange service on 25 and on a submission port such as 465 - that would be clearly visible in a config dump using postconf -n/-M.
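
A simplified model of how Postfix walks its smtpd_*_restrictions lists, added here as an example (not code from this thread or from Postfix). It shows why the global `smtpd_client_restrictions = permit_mynetworks, reject` attempt refused external inbound mail, and how per-service settings of the kind the last comment mentions can require both a mynetworks address and authentication on a submission port only. The network range, addresses, session fields and the split configuration are constructed assumptions.

```python
import ipaddress

MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed sample range

def check(restriction, s):
    """Result of one restriction: 'permit', 'reject', or None (no decision)."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(s["client_ip"])
        return "permit" if any(ip in net for net in MYNETWORKS) else None
    if restriction == "permit_sasl_authenticated":
        return "permit" if s["sasl_user"] else None
    if restriction == "reject_unauth_destination":
        return None if s["rcpt_local"] else "reject"
    if restriction in ("permit", "reject"):
        return restriction
    raise ValueError(f"restriction not modelled: {restriction}")

def decide(service, s):
    """Walk the lists in order. 'permit' ends only the current list;
    'reject' in any list refuses the mail."""
    for stage in ("client", "relay", "recipient"):
        for restriction in service.get(stage, []):
            result = check(restriction, s)
            if result == "reject":
                return f"reject ({stage}: {restriction})"
            if result == "permit":
                break
    return "accept"

# The attempt from the question, set in main.cf so it applies to every smtpd service.
GLOBAL_ATTEMPT = {"client": ["permit_mynetworks", "reject"]}

# Assumed per-service split (in master.cf this would be "-o name=value" overrides
# under the submission entry, leaving the port 25 service on the main.cf values).
SPLIT = {
    "smtp": {"relay": ["permit_mynetworks", "reject_unauth_destination"]},
    "submission": {"client": ["permit_mynetworks", "reject"],
                   "relay": ["permit_sasl_authenticated", "reject"]},
}

# Constructed sessions.
INBOUND = {"client_ip": "203.0.113.10", "sasl_user": None, "rcpt_local": True}
ROAMING = {"client_ip": "198.51.100.7", "sasl_user": "alice", "rcpt_local": False}
OFFICE = {"client_ip": "192.0.2.25", "sasl_user": "alice", "rcpt_local": False}

if __name__ == "__main__":
    print("global, inbound    :", decide(GLOBAL_ATTEMPT, INBOUND))
    for name, s in (("inbound", INBOUND), ("roaming", ROAMING), ("office", OFFICE)):
        port = "smtp" if s is INBOUND else "submission"
        print(f"split, {name:8} on {port}:", decide(SPLIT[port], s))
```

On a real server, `postconf -n` and `postconf -M` show which of these lists each service actually uses.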