
Re: postfix relay



On Tue, Jul 16, 2002 at 09:44:26AM +0300, Noah K Sematimba wrote:
> > MAIL FROM:<user@yourisp.net>
> >                 ^^^^^^^^^^^
> 
> exactly.
> 
> What I am thinking of is
> 
> 1. Check address and make sure it is in $mynetworks
> if 1 = false; deny
> elsif
>    1= true
> then
> 
> 2. Check that domain of envelope sender is in $relaydomains
>   if 2 =false ; deny
> elsif
>     2=true; relay
> 
> i.e. I only relay mail for a user if BOTH conditions 1 and 2 are satisfied;
> if a mail fails any one of the two tests then DENY relay for that user.

By "address" in 1, I presume you mean "source IP address of SMTP connection".

That policy is easily implemented in Exim 4 ACLs. See
http://www.exim.org/exim-html-4.00/doc/html/spec_37.html#CHAP37

Your second condition would be

    require   sender_domains = +source_domains
              message = "Unauthorised envelope sender domain"

Put this before "accept hosts = +relay_from_hosts". Or you could combine the
two conditions:

    accept    hosts = +relay_from_hosts
              sender_domains = +source_domains

which is exactly your "condition 1 and condition 2" that you gave.

Beware that in the default Exim configuration, the domain list
"relay_domains" has a different meaning - it is the list of domains which we
allow relaying _to_ from _any_ IP address, i.e. domains for which we have
agreed to act as backup MX.

> Basically if a user I have wants to send mail as <user@otherdomain.com>
> using my mail server then he has to inform me and I add that domain to my
> $relaydomains otherwise he better send that mail himself.

Or better, you can check the entire sender address: then you don't have to
add "hotmail.com" as an allowed domain, you can allow just
"fred@hotmail.com". One neat way of doing this is:

  require     senders = @@lsearch;/etc/senders
              message = "Unauthorised envelope sender"

where the /etc/senders file contains:

myisp.net:	*
hotmail.com:	fred : jim

See http://www.exim.org/exim-html-4.00/doc/html/spec_10.html#IX573 for the
full set of things you can put in an address list.

Or I think you could do something like this:

  require     condition = ${lookup{$sender_address}lsearch*@{/etc/senders}{1}{0}}
              message = "Unauthorised envelope sender"

In which case /etc/senders can contain:

*@myisp.net
fred@hotmail.com
jim@hotmail.com

which is easier to read. Note that I have not actually tested any of these
examples :-) You can convert "lsearch" to "dbm" for lookups in .db files for
better efficiency if they start to get big.

In both cases you'll need to make some minor mods to ensure that the empty
envelope sender is allowed; for example,

  require     senders = : @@lsearch;/etc/senders
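
The relay policy discussed above (client host in the trusted networks AND envelope sender in the allowed list, with the empty bounce sender let through) can be modelled outside Exim to reason about it. The following Python is an added example written for this archive page, not code from the original post or from the Exim project. The network ranges, the contents of the two /etc/senders variants, and the function names are constructed for the example, and it lower-cases addresses as a simplification rather than as a statement about how Exim's lookups compare case:

```python
import ipaddress

# Constructed sample data (assumptions for this example, not taken from the post).
# Condition 1: client hosts allowed to relay (Exim +relay_from_hosts / Postfix $mynetworks).
RELAY_FROM_HOSTS = ["192.0.2.0/24", "2001:db8::/32"]

# File layout used with "senders = @@lsearch;/etc/senders":
# key is a domain, data is a colon-separated list of local parts ('*' = any).
SENDERS_BY_DOMAIN = "myisp.net:\t*\nhotmail.com:\tfred : jim\n"

# File layout used with "${lookup{$sender_address}lsearch*@{/etc/senders}{1}{0}}":
# one full address per line; '*@domain' matches any local part at that domain.
SENDERS_FULL = "*@myisp.net\nfred@hotmail.com\njim@hotmail.com\n"


def split_address(sender):
    """Split 'local@domain' into lower-cased (local, domain); None if empty or malformed.
    Lower-casing is a simplification of this model, not a claim about Exim."""
    local, sep, domain = sender.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local.lower(), domain.lower()


def parse_domain_list(text):
    """Parse the @@lsearch-style file into {domain: [allowed local parts]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, data = line.partition(":")  # lsearch splits key and data at the first colon
        table[domain.strip().lower()] = [p.strip().lower() for p in data.split(":") if p.strip()]
    return table


def parse_address_list(text):
    """Parse the lsearch*@-style file into a set of full addresses and '*@domain' wildcards."""
    return {l.strip().lower() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def sender_in_domain_list(sender, table):
    """Model of 'senders = @@lsearch;file': look up the domain, then check the local part."""
    parts = split_address(sender)
    if parts is None:
        return False
    local, domain = parts
    allowed = table.get(domain)
    return allowed is not None and ("*" in allowed or local in allowed)


def sender_in_address_list(sender, addresses):
    """Model of lsearch*@: try the full address first, then the '*@domain' wildcard form."""
    parts = split_address(sender)
    if parts is None:
        return False
    local, domain = parts
    return f"{local}@{domain}" in addresses or f"*@{domain}" in addresses


def host_in_networks(client_ip, networks):
    """Condition 1: is the SMTP client's source address inside one of the relay networks?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def relay_decision(client_ip, sender, networks, sender_ok):
    """Relay only if BOTH conditions hold: trusted host AND authorised envelope sender.
    The empty sender (bounces) is accepted from trusted hosts, as with 'senders = : @@...'.
    Returns (verdict, reason)."""
    if not host_in_networks(client_ip, networks):
        return "deny", "relay not permitted from this host"
    if sender == "":
        return "accept", "empty envelope sender (bounce) allowed"
    if not sender_ok(sender):
        return "deny", "Unauthorised envelope sender"
    return "accept", "host and envelope sender both authorised"


DOMAIN_TABLE = parse_domain_list(SENDERS_BY_DOMAIN)
ADDRESS_SET = parse_address_list(SENDERS_FULL)


def check_domain_style(client_ip, sender):
    """Policy using the domain -> local-parts file (the @@lsearch variant)."""
    return relay_decision(client_ip, sender, RELAY_FROM_HOSTS,
                          lambda s: sender_in_domain_list(s, DOMAIN_TABLE))


def check_address_style(client_ip, sender):
    """Policy using the full-address file (the lsearch*@ variant)."""
    return relay_decision(client_ip, sender, RELAY_FROM_HOSTS,
                          lambda s: sender_in_address_list(s, ADDRESS_SET))


if __name__ == "__main__":
    for ip, snd in [("192.0.2.10", "fred@hotmail.com"), ("192.0.2.10", "bob@hotmail.com"),
                    ("198.51.100.5", "fred@hotmail.com"), ("192.0.2.10", "")]:
        print(ip, repr(snd), check_domain_style(ip, snd), check_address_style(ip, snd))
```

Both variants give the same verdicts on the sample data; the difference is only in how the allowed senders are written down. Note that the host test runs first, so an outside host is refused before its envelope sender is even consulted, which is the "condition 1 AND condition 2" ordering of the combined accept verb above.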

I haven't looked at Postfix for a while, but I doubt its policy control is
anywhere near as flexible as Exim's.

Regards,

Brian.

-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org