Difference between revisions of "RestrictPostfixRecipients"

(Replaced content with "{{Unsupported}} Use the zimbra milter server to correctly restrict distribution lists. See http://wiki.zimbra.com/wiki/Enabling_and_administering_the_Zimbra_milter")
Use the zimbra milter server to correctly restrict distribution lists.  See http://wiki.zimbra.com/wiki/Enabling_and_administering_the_Zimbra_milter
=Restrict Postfix Recipients=
* This page shows how to modify Postfix to restrict who can send to certain addresses in your domain, such as distribution lists like all@mydomain.com.
* These changes will most likely not persist between upgrades! (UPDATE: Just updated to 4.0.4 and the only thing that was wiped out was the change to /opt/zimbra/conf/postfix_recipient_restrictions.cf. Also, permissions on files created in /opt/zimbra/postfix/conf got changed.)
* This method can be bypassed by forging the envelope sender given in the SMTP MAIL FROM: command (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs.
* Per testing with ZCS (Open Source) v6.0.6: the method shown below only works if the order of smtpd_recipient_restrictions inside main.cf is correct. Your check_recipient_access addition needs to come before any permit line. Placing it at the beginning of the line is recommended, per Postfix.org's examples at [http://www.postfix.org/RESTRICTION_CLASS_README.html#internal] (putting it first also prevents system resources from being spent on other validation checks if the address simply isn't authorized to receive from the sender).
* Create a 'permitted senders' list (as user zimbra) - This is your list of domains and/or users who can email your protected email addresses:
vi /opt/zimbra/postfix/conf/permitted_senders
[paste in contents below editing as required]
localhost              OK
mydomain.com            OK
zimbra.mydomain.com    OK
okuser@externaldom.com OK
* Create a 'protected recipients' list (as user zimbra) - This is your list of email addresses that may only receive email from 'permitted senders'
vi /opt/zimbra/postfix/conf/protected_recipients
[paste in contents below editing as required]
test-dist-list@mydomain.com        permitted_senders_list
protected-user@mydomain.com        permitted_senders_list
* Create a simple bash script to create postfix DB files (as user zimbra):
vi /opt/zimbra/postfix/conf/update_protected_recipients
[paste in contents below editing as required]
#!/bin/bash
# Rebuild the Postfix lookup tables (.db files) from the two text maps
echo "rebuild permitted_senders..."
postmap /opt/zimbra/postfix/conf/permitted_senders
echo "rebuild protected_recipients..."
postmap /opt/zimbra/postfix/conf/protected_recipients
* Make the new script executable:
  chmod 755 /opt/zimbra/postfix/conf/update_protected_recipients
* Then run it.
* You should now see permitted_senders.db and protected_recipients.db in the directory.
* Add necessary settings to /opt/zimbra/postfix/conf/main.cf
vi /opt/zimbra/postfix/conf/main.cf
[add these items to the file - note permitted_senders_list must match value in protected_recipients]
permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
smtpd_restriction_classes = permitted_senders_list
  **Note this change to the main.cf won't survive upgrades. Be sure to save a copy of your main.cf file**
While in /opt/zimbra/postfix/conf/main.cf, you must also add the following snippet to smtpd_recipient_restrictions. First is preferred, otherwise anywhere before the last "permit". THE ORDER IN WHICH ITEMS APPEAR HERE IS IMPORTANT: if it appears after the "permit", mail will always be accepted for the restricted recipient.
smtpd_recipient_restrictions = check_recipient_access hash:/opt/zimbra/postfix/conf/protected_recipients, (rest of line here)
  **Footnote: see [http://www.postfix.org/RESTRICTION_CLASS_README.html#internal] for examples.**
* Now add your new restriction to the '''top''' of postfix_recipient_restrictions.cf
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
[paste this into the '''first''' line of the file, above any other settings]
check_recipient_access hash:/opt/zimbra/postfix/conf/protected_recipients
* Edit /opt/zimbra/conf/zmmta.cf and remove the following line:
# POSTCONF smtpd_recipient_restrictions FILE postfix_recipient_restrictions.cf
* IMPORTANT: During upgrades, the main.cf file will revert to defaults and may no longer match the edited /opt/zimbra/conf/zmmta.cf file, SO BE SURE TO MAKE A BACKUP of zmmta.cf.
* Reload postfix to activate settings:
postfix reload
Note 3 from talk: file ownership should be set to root:postfix before reloading postfix. This avoids annoying warning messages in the logfile.
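An added example (not part of the original wiki page or of Zimbra): a shell check for the ordering requirement on smtpd_recipient_restrictions described above, reporting whether the protected_recipients lookup is evaluated before any permit entry. The function names and the sample main.cf fragments are constructed for illustration; the table path is the one used on this page.

```shell
#!/bin/sh
# Added example: audit the order of smtpd_recipient_restrictions in a main.cf.
TABLE="hash:/opt/zimbra/postfix/conf/protected_recipients"   # path from this page

# Exit status: 0 = lookup precedes every permit*, 1 = a permit* comes first,
# 2 = the protected_recipients lookup is absent from the parameter.
check_restriction_order() {
    awk -v table="$TABLE" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        /^smtpd_recipient_restrictions[ \t]*=/ {     # (re)definition: last one wins
            grab = 1; n = 0; sub(/^[^=]*=/, " ")
        }
        !/^[ \t]/ { grab = 0 }                       # a new parameter ends the value
        grab { gsub(/,/, " "); for (i = 1; i <= NF; i++) tok[++n] = $i }
        END {
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^permit(_|$)/) exit 1
                if (i < n && tok[i] == "check_recipient_access" && tok[i + 1] == table) exit 0
            }
            exit 2
        }
    ' "$1"
}

# Turn the exit status into a word (hypothetical helper for reporting).
audit() {
    check_restriction_order "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "ok" ;;
        1) echo "permit-first" ;;
        *) echo "missing" ;;
    esac
}

# Constructed main.cf fragments, not taken from a real server.
demo_dir=$(mktemp -d)
printf '%s\n' "smtpd_recipient_restrictions = check_recipient_access $TABLE," \
    "    permit_mynetworks, reject_unauth_destination, permit" > "$demo_dir/good.cf"
printf '%s\n' "smtpd_recipient_restrictions = permit_mynetworks," \
    "    check_recipient_access $TABLE, reject_unauth_destination" > "$demo_dir/bad.cf"
echo "good.cf: $(audit "$demo_dir/good.cf")"
echo "bad.cf:  $(audit "$demo_dir/bad.cf")"
```

Running `audit /opt/zimbra/postfix/conf/main.cf` after an upgrade shows whether the restriction is still in place and still ahead of the permit entries.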
===Test it out===
* Test your settings via telnet:
Enter command:
telnet zimbra.mydomain.com 25
You will see:
Connected to zimbra.mydomain.com.
Escape character is '^]'.
220 zimbra.mydomain.com ESMTP Postfix
Enter command:
HELO test.com
You will see:
250 zimbra.mydomain.com
Enter command:
MAIL FROM: jdoe@test.com
You will see:
250 Ok
Enter command:
RCPT TO: test-dist-list@mydomain.com
You will see:
554 <test-dist-list@mydomain.com>: Recipient address rejected: Access denied
221 Bye
Connection closed by foreign host.
* That's it. If you need to protect new distribution lists or emails, or add new senders, just edit the list files, re-run the update script, then reload postfix.
'''To further tune sender/recipients, check this wiki.'''
=Additional Resources=
* [[Irfan-Notes#Further_Restricting_Postfix_Recipient]]
* [[Restrict_sending_to_certain_domains]]

Revision as of 16:40, 9 September 2014

Use the zimbra milter server to correctly restrict distribution lists. See http://wiki.zimbra.com/wiki/Enabling_and_administering_the_Zimbra_milter
