RestrictPostfixRecipients: Difference between revisions
Revision as of 15:59, 21 March 2008
Restrict Postfix Recipients
- This shows how to modify Postfix to restrict who can send to certain addresses in your domain, such as distribution lists like all@mydomain.com.
- These changes will most likely not persist between upgrades! (UPDATE: Just updated to 4.0.4 and the only thing that was wiped out was the change to /opt/zimbra/conf/postfix_recipient_restrictions.cf. Also, permissions on files created in /opt/zimbra/postfix/conf got changed.)
- This method can be spoofed by forging the envelope sender given in the SMTP MAIL FROM: command (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs.
Steps
- Create a 'permitted senders' list (as user zimbra) - This is your list of domains and/or users who can email your protected email addresses:
vi /opt/zimbra/postfix/conf/permitted_senders
[paste in contents below editing as required]
localhost OK
mydomain.com OK
zimbra.mydomain.com OK
okuser@externaldom.com OK
- Create a 'protected recipients' list (as user zimbra) - This is your list of email addresses that may only receive email from 'permitted senders'
vi /opt/zimbra/postfix/conf/protected_recipients
[paste in contents below editing as required]
test-dist-list@mydomain.com permitted_senders_list
protected-user@mydomain.com permitted_senders_list
- Create a simple bash script to create postfix DB files (as user zimbra):
vi /opt/zimbra/postfix/conf/update_protected_recipients
[paste in contents below editing as required]
#!/bin/bash
echo "rebuild permitted_senders..."
postmap /opt/zimbra/postfix/conf/permitted_senders
echo "rebuild protected_recipients..."
postmap /opt/zimbra/postfix/conf/protected_recipients
- Make new script executable, then run it
chmod 755 /opt/zimbra/postfix/conf/update_protected_recipients
/opt/zimbra/postfix/conf/update_protected_recipients
- You should now see permitted_senders.db and protected_recipients.db in the directory
- Add necessary settings to /opt/zimbra/postfix/conf/main.cf
vi /opt/zimbra/postfix/conf/main.cf
[add these items to the file - note permitted_senders_list must match value in protected_recipients]
permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
smtpd_restriction_classes = permitted_senders_list
**Note this change to the main.cf won't survive upgrades. Be sure to save a copy of your main.cf file**
- Now add your new restriction to postfix_recipient_restrictions.cf
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
[paste this into the first line of the file above any other settings]
hash:/opt/zimbra/postfix/conf/protected_recipients
Note 2 from talk: the line to be added to /opt/zimbra/conf/postfix_recipient_restrictions.cf should read:
check_recipient_access hash:/opt/zimbra/postfix/conf/protected_recipients
- Reload postfix to activate settings:
postfix reload
Note 3 from talk: file ownership should be set to root:postfix before reloading postfix. This avoids annoying warning messages in the logfile.
Test it out
- Test your settings via telnet:
Enter command:
telnet zimbra.mydomain.com 25
You will see:
Trying 192.168.1.1...
Connected to zimbra.mydomain.com.
Escape character is '^]'.
220 zimbra.mydomain.com ESMTP Postfix
Enter command:
HELO test.com
You will see:
250 zimbra.mydomain.com
Enter command:
MAIL FROM: jdoe@test.com
You will see:
250 Ok
Enter command:
RCPT TO: test-dist-list@mydomain.com
You will see:
554 <test-dist-list@mydomain.com>: Recipient address rejected: Access denied
QUIT
221 Bye
Connection closed by foreign host.
- That's it. If you need to protect new distribution lists or email addresses, or add new senders, just edit the two lists and re-run the update script, then reload postfix.
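The decision that the two lookup tables implement, as an added Python example that is not part of the original article. The table contents are the article's sample entries; the function names are hypothetical and the lookup order (full address, then domain and parent domains, then "user@") is a simplified approximation of Postfix access-map matching. The decision takes only the envelope sender and recipient as input, which is why the check cannot tell a forged internal sender from a real one.

```python
# Added example: simplified model of the recipient -> class -> sender lookups.
# Tables hold the article's sample entries; matching rules are approximated.
PERMITTED_SENDERS = {
    "localhost": "OK",
    "mydomain.com": "OK",
    "zimbra.mydomain.com": "OK",
    "okuser@externaldom.com": "OK",
}
PROTECTED_RECIPIENTS = {
    "test-dist-list@mydomain.com": "permitted_senders_list",
    "protected-user@mydomain.com": "permitted_senders_list",
}
# Names listed in smtpd_restriction_classes in main.cf.
RESTRICTION_CLASSES = {"permitted_senders_list"}


def lookup(table, address):
    """Return the first matching table value for an address, or None."""
    address = address.strip("<>").lower()
    user, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address]
    # The domain itself, then each parent domain (a.b.com, b.com, com).
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(user + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def decide(mail_from, rcpt_to):
    """Model check_recipient_access, then the class 'check_sender_access, reject'."""
    action = lookup(PROTECTED_RECIPIENTS, rcpt_to)
    if action is None:
        return "DUNNO"  # recipient not protected: later restrictions decide
    if action not in RESTRICTION_CLASSES:
        # The class named in protected_recipients must match main.cf.
        raise ValueError(f"{action!r} is not in smtpd_restriction_classes")
    # Only the envelope sender string is consulted, never the client.
    if lookup(PERMITTED_SENDERS, mail_from) == "OK":
        return "OK"
    return "REJECT"  # the trailing 'reject' in the class definition
```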
Additional Resources
Also: http://wiki.zimbra.com/index.php?title=Restrict_sending_to_certain_domains