RestrictPostfixRecipients

Revision as of 23:35, 17 November 2006 by Jdell (talk | contribs) (note on upgrade)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Restrict Postfix Recipients

  • This will show how you can modify postfix to restrict who can send to certain addresses in your domain such as distribution lists like all@mydomain.com
  • These changes will most likely not persist between upgrades! (UPDATE: Just updated to 4.0.4 and the only thing that was wiped out was the change to /opt/zimbra/conf/postfix_recipient_restrictions.cf. Also, permissions on files created in /opt/zimbra/postfix/conf got changed.)
  • This method can be spoofed by forging the MAIL FROM: header (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs.

Steps

  • Create a 'permitted senders' list (as user zimbra) - This is your list of domains and/or users who can email your protected email addresses:
vi /opt/zimbra/postfix/conf/permitted_senders

[paste in contents below editing as required]

localhost               OK
mydomain.com            OK
zimbra.mydomain.com     OK
okuser@externaldom.com  OK
  • Create a 'protected recipients' list (as user zimbra) - This is your list of email addresses that may only receive email from 'permitted senders'
vi /opt/zimbra/postfix/conf/protected_recipients

[paste in contents below editing as required]

test-dist-list@mydomain.com         permitted_senders_list
protected-user@mydomain.com         permitted_senders_list 
  • Create a simple bash script to create postfix DB files (as user zimbra):
vi /opt/zimbra/postfix/conf/update_protected_recipients

[paste in contents below editing as required]

#!/bin/bash
echo "rebuild permitted_senders..."
postmap /opt/zimbra/postfix/conf/permitted_senders
echo "rebuild protected_recipients..."
postmap /opt/zimbra/postfix/conf/protected_recipients
  • Make new script executable, then run it
chmod 755 /opt/zimbra/postfix/conf/update_protected_recipients
/opt/zimbra/postfix/conf/update_protected_recipients
  • You should now see permitted_senders.db and protected_recipients.db in the directory
  • Add necessary settings to /opt/zimbra/postfix/conf/main.cf
vi /opt/zimbra/postfix/conf/main.cf

[add these items to the file - note permitted_senders_list must match value in protected_recipients]

permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
smtpd_restriction_classes = permitted_senders_list
  • Now add your new restriction to postfix_recipient_restrictions.cf
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf

[paste this into the first line of the file above any other settings]

hash:/opt/zimbra/postfix/conf/protected_recipients
  • Reload postfix to activate settings:
postfix reload

Test it out

  • Test your settings via telnet:

Enter command:

telnet zimbra.mydomain.com 25

You will see:

Trying 192.168.1.1...
Connected to zimbra.mydomain.com.
Escape character is '^]'.
220 zimbra.mydomain.com ESMTP Postfix

Enter command:

HELO test.com

You will see:

250 zimbra.mydomain.com

Enter command:

MAIL FROM: jdoe@test.com

You will see:

250 Ok

Enter command:

RCPT TO: test-dist-list@mydomain.com

You will see:

554 <test-dist-list@mydomain.com>: Recipient address rejected: Access denied
QUIT
221 Bye
Connection closed by foreign host.
  • That's it. If you need to protect new distribution lists or emails, or add new senders, just edit and re-run the update script, then reload postfix.
Jump to: navigation, search