Score:0

Postfix smtpd_sender_restrictions with logical AND


I am using Postfix. I need to configure sender-based restrictions so that nobody who is not authenticated and not part of mynetworks can send mail through this server.

This is my smtpd_sender_restrictions:

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject

I am unable to find this in the official Postfix documentation:

(permit_mynetworks && permit_sasl_authenticated)

What is the correct syntax to achieve this?

anx
What software is doing the SASL part? There is a chance your desired configuration is more closely matched by adding the additional restriction there.
anx
I cannot test the full thing right now, so I will just drop a pointer: Postfix distributes in the file `RESTRICTION_CLASS_README` a description on how the right-hand sides of one lookup can again reference other lookups. Because you can replace `permit_mynetworks` as an explicit `cidr:` lookup (or whatever is able to match your current `mynetworks` value), you can use this to create logical AND. AFAIK this requires that your extra class ends with `reject`, meaning all local submissions without authentication are rejected even if they would be accepted from non-local sources.
csx4
I am using LDAP authentication with saslauthd. Actually, I am not trusting the whole subnet, only a few servers which require an email-sending facility.
Score:1

According to "Getting selective with SMTP access restriction lists" in the Postfix SMTP relay and access control documentation:

Postfix allows you to specify lists of access restrictions for each stage of the SMTP conversation. Individual restrictions are described in the postconf(5) manual page.

It would indeed be possible to limit the IP addresses earlier in smtpd_client_restrictions and then require SASL authentication later in smtpd_sender_restrictions. Please notice that the first matching reject* or permit* is used, so if you need to reject unknown sender domains and non-FQDN senders, you must place those before permit_sasl_authenticated.

Restrictions are applied in the order as specified; the first restriction that matches wins.

Example configuration matching your desired behaviour:

smtpd_client_restrictions =
    permit_mynetworks,
    reject

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_sasl_authenticated,
    reject

Furthermore, you could even limit which addresses the users could use based on their login with smtpd_sender_login_maps.

smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

smtpd_client_restrictions =
    permit_mynetworks,
    reject

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

Here, the reject_non_fqdn_sender and reject_unknown_sender_domain from the previous example are rather pointless, as you would not have such domains in your /etc/postfix/sender_login_maps, e.g.,

# Personal addresses
[email protected]  joe
[email protected]    jane

# Shared addresses
[email protected]        joe
[email protected]        jane

As always, remember to run postmap /etc/postfix/sender_login_maps, as you are using the hash: lookup table type, i.e. a Berkeley DB database.
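To make the first-match-wins rule and the two-stage AND concrete, here is an added example (not part of this answer or of Postfix itself): a small Python model of how Postfix walks its restriction lists, run over the asker's single list and the two configurations above. The networks, the "known" domains and the login map are constructed sample data, and the model covers only the restrictions that appear in this thread.

```python
# Added example, not from the thread: a small model of how Postfix evaluates
# smtpd_client_restrictions and smtpd_sender_restrictions: first matching
# permit*/reject* wins, an exhausted list permits. Networks, domains and the
# login map are constructed sample data, not real values.
import ipaddress

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
KNOWN_DOMAINS = {"example.com", "example.org"}      # stands in for a DNS lookup
SENDER_LOGIN_MAPS = {"joe@example.com": {"joe"}}    # sender -> owning logins

def login_mismatch(s):
    """reject_sender_login_mismatch: an owned sender needs its owner's login."""
    owners = SENDER_LOGIN_MAPS.get(s["sender"], set())
    return s["login"] not in owners if s["login"] else bool(owners)

def evaluate(restrictions, s):
    """Walk one list and return the first permit/reject that matches."""
    domain = s["sender"].rpartition("@")[2]
    for r in restrictions:
        if r == "permit_mynetworks" and any(s["ip"] in n for n in MYNETWORKS):
            return "permit"
        if r == "permit_sasl_authenticated" and s["login"]:
            return "permit"
        if r == "reject_non_fqdn_sender" and "." not in domain:
            return "reject"
        if r == "reject_unknown_sender_domain" and domain not in KNOWN_DOMAINS:
            return "reject"
        if r == "reject_sender_login_mismatch" and login_mismatch(s):
            return "reject"
        if r == "reject":
            return "reject"
    return "permit"  # Postfix default once a list is exhausted

def allowed(config, s):
    """Stages run in order (client, then sender); every stage must permit."""
    return all(evaluate(config[st], s) == "permit" for st in ("client", "sender") if st in config)

def session(ip, login, sender):
    return {"ip": ipaddress.ip_address(ip), "login": login, "sender": sender}

# The asker's single list: permits mynetworks OR any SASL login, and the
# sender checks never run for those clients.
ORIGINAL = {"sender": ["permit_mynetworks", "permit_sasl_authenticated",
                       "reject_non_fqdn_sender", "reject_unknown_sender_domain", "reject"]}
# The answer's two-stage form: mynetworks AND SASL, sender checks before permit.
TWO_STAGE = {"client": ["permit_mynetworks", "reject"],
             "sender": ["reject_non_fqdn_sender", "reject_unknown_sender_domain",
                        "permit_sasl_authenticated", "reject"]}
LOGIN_MAP = {"client": ["permit_mynetworks", "reject"],
             "sender": ["reject_sender_login_mismatch", "permit_sasl_authenticated", "reject"]}
```

Running `allowed(ORIGINAL, session("192.0.2.10", None, "joe@example.com"))` returns True while the same session under `TWO_STAGE` returns False, which is exactly the difference between OR and AND that the question asks about.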

Score:0

I don't believe this is possible with Postfix configuration alone.

However if you separate the traffic going out from the traffic coming in, you can use firewall rules to apply additional restrictions to the client IP address.

Either add a second Postfix server or configure your existing instance to ONLY allow sending on port 465.

csx4
Actually, this server is for sending mail only; I have not configured it to receive mail. Yes, I can allow traffic by using the firewall, but my concern was whether it is possible through Postfix.