Restricting outgoing mail to specific domains in the sender address with Postfix

For reasons that make me want to hurt myself, an application I have to support needs to be able to send mail with a "MAIL FROM" address from any domain. Since I can't lock the application down any further, I want Postfix to sanity-check all mail that tries to leave my network for the rest of the world.

I only want mail originating internally to be allowed out if it has a from address at 'example.com'. If mail originating internally has a sender address at 'someotherdomain.com', the mail should be blocked by Postfix.

To clarify: how do I configure Postfix so that mail originating from the local network is only allowed out if it has a FROM address in one of my domains?

The only way I've figured out to do this is shown below. But is there something simpler?

/etc/postfix/main.cf:

    smtpd_restriction_classes = external_sender_access internal_sender_access

    # Intended for mail originating from outside our networks
    external_sender_access =
        # Verify MAIL_FROM on incoming mail
        check_sender_access hash:/etc/postfix/external_sender_access
        # Allow all other incoming mail
        permit

    # Intended for mail originating from within our networks
    internal_sender_access =
        # Verify MAIL_FROM on outgoing mail
        check_sender_access hash:/etc/postfix/internal_sender_access
        # Block all other outbound mail
        reject

    # Restrictions applied in the context of the MAIL FROM command.
    smtpd_sender_restrictions =
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        # Access rules for specific 'sender' data based upon client IP
        check_client_access cidr:/etc/postfix/network_sender_access
        permit

/etc/postfix/network_sender_access:

    # Localhost
    127.0.0.0/24    internal_sender_access
    # Inside Networks
    192.168.0.0/16  internal_sender_access
    # Everything else
    0.0.0.0/0       external_sender_access

/etc/postfix/internal_sender_access:

    example.com     OK
    .example.com    OK

/etc/postfix/external_sender_access:

    example.com     REJECT You're not from here!
    .example.com    REJECT You're not from here!

The postconf -n output for this configuration:

    alias_database = dbm:/etc/aliases
    alias_maps = hash:/etc/aliases
    biff = no
    body_checks = pcre:/etc/postfix/body_checks
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access permit
    header_checks = pcre:/etc/postfix/header_checks
    home_mailbox = Maildir/
    inet_protocols = ipv4,ipv6
    internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access reject
    local_header_rewrite_clients = permit_inet_interfaces,permit_mynetworks
    mailbox_command = /usr/bin/procmail -t
    mailbox_size_limit = 0
    manpage_directory = /usr/share/man
    minimal_backoff_time = 1800s
    mydestination = $myorigin, $myhostname, localhost.$mydomain, localhost
    mynetworks = /etc/postfix/local_networks
    queue_directory = /data/postfix
    recipient_delimiter = +
    smtp_generic_maps = pcre:/etc/postfix/generic
    smtpd_banner = $myhostname ESMTP
    smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/client_access permit
    smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit_mynetworks check_client_access hash:/etc/postfix/client_access permit
    smtpd_recipient_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/rbl_override reject_rbl_client zen.spamhaus.org permit
    smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain regexp:/etc/postfix/regexp_access permit_mynetworks reject_unauth_destination reject_unlisted_recipient check_policy_service inet:127.0.0.1:10023 permit
    smtpd_restriction_classes = external_sender_access internal_sender_access
    smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_client_access cidr:/etc/postfix/network_sender_access permit
    strict_rfc821_envelopes = yes
    virtual_alias_domains = example.com
    virtual_alias_maps = hash:/etc/postfix/virtual.d/example.com

EDIT: Below is an alternative configuration I tried, using 'reject_unlisted_sender'.

When I tried this configuration, mail sent "From: [email protected]" bounced (as expected), but mail sent "From: blah@not_my_domain.com" was allowed out without any problem, which is exactly what I don't want.

    # Restrictions applied in the context of the MAIL FROM command.
    smtpd_sender_restrictions =
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        check_client_access cidr:/etc/postfix/outgoing_senders
        # Access rules for specific 'sender' data
        check_sender_access hash:/etc/postfix/sender_access
        permit

/etc/postfix/outgoing_senders:

    192.168.0.0/16  reject_unlisted_sender, permit

/etc/postfix/sender_access:

    example.com     REJECT You're not from here!
    .example.com    REJECT You're not from here!

The postconf -n output for this configuration:

    alias_database = dbm:/etc/aliases
    alias_maps = hash:/etc/aliases
    biff = no
    body_checks = pcre:/etc/postfix/body_checks
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    header_checks = pcre:/etc/postfix/header_checks
    home_mailbox = Maildir/
    inet_protocols = ipv4,ipv6
    local_header_rewrite_clients = permit_inet_interfaces,permit_mynetworks
    mailbox_command = /usr/bin/procmail -t
    mailbox_size_limit = 0
    manpage_directory = /usr/share/man
    minimal_backoff_time = 1800s
    mydestination = $myorigin, $myhostname, localhost.$mydomain, localhost
    mynetworks = /etc/postfix/local_networks
    queue_directory = /data/postfix
    recipient_delimiter = +
    smtp_generic_maps = pcre:/etc/postfix/generic
    smtpd_banner = $myhostname ESMTP
    smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/client_access permit
    smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit_mynetworks check_client_access hash:/etc/postfix/client_access permit
    smtpd_recipient_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/rbl_override reject_rbl_client zen.spamhaus.org permit
    smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain regexp:/etc/postfix/regexp_access permit_mynetworks reject_unauth_destination reject_unlisted_recipient check_policy_service inet:127.0.0.1:10023 permit
    smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_client_access cidr:/etc/postfix/outgoing_senders check_sender_access hash:/etc/postfix/sender_access permit
    strict_rfc821_envelopes = yes
    virtual_alias_domains = example.com
    virtual_alias_maps = hash:/etc/postfix/virtual.d/example.com

I can confirm that what you are seeing is the reject_unlisted_sender behaviour in Postfix. This documentation page explicitly lists the 4 conditions under which Postfix rejects your email:

  • The sender domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the sender is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
  • The sender domain matches $virtual_alias_domains but the sender is not listed in $virtual_alias_maps.
  • The sender domain matches $virtual_mailbox_domains but the sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
  • The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.

When the sender address does not meet any of the above conditions, Postfix will allow it by default.


Back to your original question: "The only way I've figured out to do this is shown below. But is there something simpler?" Your only option is probably SMTPD restriction classes. For other solutions, you can use any policy server plugin, such as postfwd, policyd, etc.
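To make the difference between the two configurations concrete, here is an added example (not from the question or the answer above, and not Postfix's own code) that emulates how smtpd evaluates each one for a given client IP and MAIL FROM address. The cidr and access tables are copied from the question; the virtual_alias_maps entries and the client IPs are assumed, and the access(5) lookup order is simplified to the explicit ".parent" form the question's tables use.

```python
import ipaddress

# Constructed tables mirroring the question's first configuration.
NETWORK_SENDER_ACCESS = [  # cidr: table, first matching entry wins
    ("127.0.0.0/24", "internal_sender_access"),
    ("192.168.0.0/16", "internal_sender_access"),
    ("0.0.0.0/0", "external_sender_access"),
]
INTERNAL_SENDER_ACCESS = {"example.com": "OK", ".example.com": "OK"}
EXTERNAL_SENDER_ACCESS = {"example.com": "REJECT", ".example.com": "REJECT"}
# Second configuration (its sender_access table equals EXTERNAL_SENDER_ACCESS);
# the virtual_alias_maps entries are assumed, the page does not list them.
VIRTUAL_ALIAS_DOMAINS = {"example.com"}
VIRTUAL_ALIAS_MAPS = {"alice@example.com", "postmaster@example.com"}


def sender_access_lookup(table, sender):
    """Simplified access(5) order: full address, domain, each parent domain
    as '.parent', then 'localpart@'. Returns None when nothing matches."""
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender, domain] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys + [local + "@"]:
        if key in table:
            return table[key]
    return None


def restriction_class_policy(client_ip, sender):
    """First configuration: class chosen by client network. Internal clients
    must be listed OK; external clients must not claim one of our domains."""
    ip = ipaddress.ip_address(client_ip)
    cls = next(c for net, c in NETWORK_SENDER_ACCESS if ip in ipaddress.ip_network(net))
    if cls == "internal_sender_access":
        return "permit" if sender_access_lookup(INTERNAL_SENDER_ACCESS, sender) == "OK" else "reject"
    return "reject" if sender_access_lookup(EXTERNAL_SENDER_ACCESS, sender) == "REJECT" else "permit"


def unlisted_sender_policy(client_ip, sender):
    """Second configuration: reject_unlisted_sender only fires when the
    sender's domain is hosted here but the address is not known there."""
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network("192.168.0.0/16"):
        # outgoing_senders says "reject_unlisted_sender, permit": the permit
        # ends evaluation, so check_sender_access is never reached here.
        domain = sender.rpartition("@")[2]
        if domain in VIRTUAL_ALIAS_DOMAINS and sender not in VIRTUAL_ALIAS_MAPS:
            return "reject"
        return "permit"  # a foreign domain is never examined, so it leaks out
    return "reject" if sender_access_lookup(EXTERNAL_SENDER_ACCESS, sender) == "REJECT" else "permit"
```

In a real Postfix the default parent_domain_matches_subdomains already lets a bare "example.com" entry match its subdomains for smtpd access maps, so the ".example.com" lines are belt and braces; the emulation only honours the dotted form.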