<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "https://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix Per-Client/User/etc. Access Control</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
Per-Client/User/etc. Access Control</h1>

<hr>

<h2>Postfix restriction classes</h2>

<p> The Postfix SMTP server supports access restrictions such as
<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> or <a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a> on the right-hand side
of SMTP server <a href="access.5.html">access(5)</a> tables. This allows you to implement
different junk mail restrictions for different clients or users.
</p>

<p> Having to specify lists of access restrictions for every
recipient becomes tedious quickly. Postfix restriction classes
allow you to give easy-to-remember names to groups of UCE restrictions
(such as "permissive", "restrictive", and so on). </p>

<p> The real reason for the existence of Postfix restriction classes
is more mundane: you can't specify a lookup table on the right-hand
side of a Postfix access table. This is because Postfix needs to
open lookup tables ahead of time, but the reader probably does not
care about these low-level details. </p>

<p> Example: </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> = restrictive, permissive
    # With Postfix &lt; 2.3 specify <a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client</a>.
    restrictive = <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> <a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a> ...
    permissive = permit

    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
        <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
        # <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if the mail
        # relay policy is specified with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
        # (available with Postfix 2.10 and later).
        <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
        <a href="postconf.5.html#check_recipient_access">check_recipient_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/recipient_access
        ...

/etc/postfix/recipient_access:
    joe@my.domain       permissive
    jane@my.domain      restrictive
</pre>
</blockquote>

<p> With this in place, you can use "restrictive" or "permissive"
on the right-hand side of your per-client, helo, sender, or recipient
SMTPD access tables. </p>

<p> The remainder of this document gives examples of how Postfix
access restriction classes can be used to: </p>

<ul>

<li> <a href="#internal"> Shield an internal mailing list from
outside posters</a>,

<li> <a href="#external"> Prevent external access by internal
senders</a>.

</ul>

<p> These questions come up frequently, and the examples hopefully
make clear that Postfix restriction classes aren't really the right
solution. They should be used for what they were designed to do,
different junk mail restrictions for different clients or users.
</p>

<h2><a name="internal">Protecting internal email distribution
lists</a></h2>

<blockquote>

<p> We want to implement an internal email distribution list.
Something like all@our.domain.com, which aliases to all employees.
My first thought was to use the aliases map, but that would lead
to "all" being accessible from the "outside", and this is not
desired... :-) </p>

</blockquote>

<p> Postfix can implement per-address access controls. What follows
is based on the SMTP client IP address, and therefore is subject
to IP spoofing. </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
        ...
        <a href="postconf.5.html#check_recipient_access">check_recipient_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/access
        <i>...the usual stuff...</i>

/etc/postfix/access:
    all@my.domain       <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,reject
    all@my.hostname     <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,reject
</pre>
</blockquote>

<p> Specify <b>dbm</b> instead of <b>hash</b> if your system uses
<b>dbm</b> files instead of <b>db</b> files. To find out what map
types Postfix supports, use the command <b>postconf -m</b>. </p>

<p> Now, that would be sufficient when your machine receives all
Internet mail directly from the Internet. That's unlikely if your
network is a bit larger than an office. For example, your backup
MX hosts would "launder" the client IP address of mail from the
outside so it would appear to come from a trusted machine. </p>

<p> In the general case you need two lookup tables: one table that
lists destinations that need to be protected, and one table that
lists domains that are allowed to send to the protected destinations.
</p>

<p> What follows is based on the sender SMTP envelope address, and
therefore is subject to SMTP sender spoofing. </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
        ...
        <a href="postconf.5.html#check_recipient_access">check_recipient_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/protected_destinations
        <i>...the usual stuff...</i>

    <a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> = insiders_only
    insiders_only = <a href="postconf.5.html#check_sender_access">check_sender_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/insiders, reject

/etc/postfix/protected_destinations:
    all@my.domain       insiders_only
    all@my.hostname     insiders_only

/etc/postfix/insiders:
    my.domain           OK  <i>matches my.domain and subdomains</i>
    another.domain      OK  <i>matches another.domain and subdomains</i>
</pre>
</blockquote>

<p> Getting past this scheme is relatively easy, because all one
has to do is to spoof the SMTP sender address. </p>

<p> If the internal list is a low-volume one, perhaps it makes more
sense to make it moderated. </p>

<h2><a name="external">Restricting what users can send mail to
off-site destinations</a></h2>

<blockquote>

<p> How can I configure Postfix in a way that some users can send
mail to the internet and other users not. The users with no access
should receive a generic bounce message. Please don't discuss
whether such access restrictions are necessary, it was not my
decision. </p>

</blockquote>

<p> Postfix has support for per-user restrictions. The restrictions
are implemented by the SMTP server. Thus, users that violate the
policy have their mail rejected by the SMTP server. Like this:
</p>

<blockquote>
<pre>
554 &lt;user@remote&gt;: Access denied
</pre>
</blockquote>

<p> The implementation uses two lookup tables. One table defines
what users are restricted in where they can send mail, and the
other table defines what destinations are local. It is left as an
exercise for the reader to change this into a scheme where only
some users have permission to send mail to off-site destinations,
and where most users are restricted. </p>

<p> The example assumes DB/DBM files, but this could also be done
with LDAP or SQL. </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
        ...
        <a href="postconf.5.html#check_sender_access">check_sender_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/restricted_senders
        <i>...other stuff...</i>

    <a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> = local_only
    local_only =
        <a href="postconf.5.html#check_recipient_access">check_recipient_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/local_domains, reject

/etc/postfix/restricted_senders:
    foo@domain          local_only
    bar@domain          local_only

/etc/postfix/local_domains:
    this.domain         OK  <i>matches this.domain and subdomains</i>
    that.domain         OK  <i>matches that.domain and subdomains</i>
</pre>
</blockquote>

<p> Specify <b>dbm</b> instead of <b>hash</b> if your system uses
<b>dbm</b> files instead of <b>db</b> files. To find out what map
types Postfix supports, use the command <b>postconf -m</b>. </p>

<p> Note: this scheme does not authenticate the user, and therefore it can be
bypassed in several ways: </p>

<ul>

<li> <p> By sending mail via a less restrictive mail
<a href="postconf.5.html#relayhost">relay host</a>. </p>

<li> <p> By sending mail as someone else who does have permission
to send mail to off-site destinations. </p>

</ul>

</body>

</html>
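The two restriction-class examples on this page (insiders_only and local_only), modelled in a short added Python illustration that is not part of the Postfix documentation or code. It simulates the left-to-right walk of smtpd_recipient_restrictions, the access(5) table lookups, and the fall-through that happens when a class ends without a decision; the tables are constructed copies of the ones shown above, and the lookup order (full address, then the domain and each parent domain) is an assumed simplification of what Postfix really does.

```python
# Added illustration, not Postfix code: a simplified model of how the SMTP
# server walks smtpd_recipient_restrictions, consults access(5) tables and
# expands a restriction class; the lookup order below is an assumption.

TABLES = {  # constructed copies of the lookup tables shown on this page
    "protected_destinations": {"all@my.domain": "insiders_only",
                               "all@my.hostname": "insiders_only"},
    "insiders": {"my.domain": "OK", "another.domain": "OK"},
    "restricted_senders": {"foo@domain": "local_only", "bar@domain": "local_only"},
    "local_domains": {"this.domain": "OK", "that.domain": "OK"},
}
CLASSES = {  # smtpd_restriction_classes from the two examples
    "insiders_only": ["check_sender_access:insiders", "reject"],
    "local_only": ["check_recipient_access:local_domains", "reject"],
}
RECIPIENT_RESTRICTIONS = ["check_recipient_access:protected_destinations",
                          "check_sender_access:restricted_senders"]

def access_lookup(table, address):
    """Try user@domain, then the domain, then each parent domain; None = no entry."""
    address = address.lower()
    if address in table:
        return table[address]
    labels = address.rpartition("@")[2].split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return None

def evaluate(restrictions, sender, recipient):
    """Return 'permit', 'reject' or 'dunno'; an undecided class returns to its caller."""
    for r in restrictions:
        if r in ("permit", "reject"):
            return r
        kind, _, name = r.partition(":")
        addr = sender if kind == "check_sender_access" else recipient
        result = access_lookup(TABLES[name], addr)
        if result is None or result.upper() == "DUNNO":
            continue  # no entry: fall through to the next restriction
        if result in CLASSES:  # the table result names a restriction class
            result = evaluate(CLASSES[result], sender, recipient)
            if result == "dunno":
                continue
            return result
        return "permit" if result.upper() == "OK" else "reject"
    return "dunno"  # nothing decided; "the usual stuff" would run next
```

Because the decision keys only on the envelope sender string, the model also makes the page's caveat visible: whatever address a client presents in MAIL FROM is what gets looked up.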