Discussion:
LDAP smtpd_recipient_restrictions
James Wilson
2007-09-23 22:43:00 UTC
Hi All,

I have basic mailing lists configured via postfix and LDAP. I have
restrictions in place for some lists to allow / disallow external
users from mailing the list, which works fine. Recently a request
from the powers that be requires this to be locked down further.
Essentially, they want to stop members of a different domain from
emailing a list; I know this is easily spoofed, but hey. For
example, ***@example.sch.uk can email ***@example.sch.uk, but
***@nowhere.sch.uk cannot. I've followed:

http://www.postfix.org/RESTRICTION_CLASS_README.html

and have successfully implemented it with flat files for a single list.
When transferring this to LDAP lookups, I consistently get "554 5.7.1
<***@example.sch.uk>: Recipient address rejected: Access denied;"
from any domain, including the domain to which the list belongs.

The following are the smtpd_recipient_restrictions and
smtpd_restriction_classes along with the LDAP lookups.

main.cf:

smtpd_recipient_restrictions =
    check_recipient_access proxy:ldap:ldapprotected_destinations,
    permit_mynetworks,
    reject_unauth_destination
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access proxy:ldap:ldaplist_domain, reject

ldapprotected_destinations_query_filter = (&(listOwner=%s)(accessibility=school)(accountStatus=active))
ldapprotected_destinations_result_attribute = listOwner
ldapprotected_destinations_result_filter = insiders_only
ldapprotected_destinations_bind = yes
ldapprotected_destinations_timeout = 50

ldaplist_domain_query_filter = (&(listOwner=%s)(accessibility=school)(accountStatus=active))
ldaplist_domain_result_attribute = relayDomain
ldaplist_domain_result_filter = OK
ldaplist_domain_bind = yes
ldaplist_domain_timeout = 50

The LDAP entry is as follows:

dn: cn=Year 1,ou=example,o=list,dc=sch,dc=uk
cn: Year 1
fqGroupName: Year 1
leaverGroup: no
edportDisplay: no
objectClass: groupOfNames
objectClass: top
listOwner: ***@example.sch.uk
type: Reserved Group
description: Year 1
accountStatus: active
member: cn=james wilson.test,ou=example,o=schools,dc=sch,dc=uk
accessibility: school
relayDomain: example.sch.uk

Can anyone assist?

I have no control over why this isn't done via a purpose built
mailing lists manager, so please don't berate me.

Thanks,

James

---
http://www.silent-system.net/gallery
James Wilson
2007-09-27 10:46:12 UTC
Post by James Wilson
And have successfully implemented with flat files for a single list.
When transferring this to LDAP lookups, I consistently get "554 5.7.1
from any domain, including the domain to which the list belongs.
I suggest following the suggestions in
http://www.postfix.org/DATABASE_README.html#preparing
for testing tables with the "postmap -q" command.
Simulate by hand all the lookups that Postfix makes, as described
example.com
com
The "postmap -q" command exits with non-zero status when it did not
find the lookup key.
Thanks - I now have this working. Turning on +v to smtpd in
master.cf helped no end! As suspected, my query was not correctly
matching the input key.

I'm now faced with one last issue... Say I have two domains for
which Postfix is authoritative and accepts mail, both of which do not
accept mail from the internet and are on internal relays.

domain1.sch.uk
domain2.sch.uk

Is it possible using built-in policy restrictions to only allow
senders from domain1.sch.uk to email users from domain1.sch.uk, but
deny those from domain2.sch.uk?

Using the smtpd_recipient_restrictions and smtpd_restriction_classes
to check the sender address or recipient address doesn't give the
granularity I require.

As both domains exist in the access map, check_sender_access and
check_recipient_access will always match.

/etc/postfix/access:

domain1.sch.uk OK
domain2.sch.uk OK

etc


Cheers,

James
James Wilson
2007-09-29 00:00:52 UTC
Post by James Wilson
Thanks - I now have this working. Turning on +v to smtpd in
master.cf helped no end! As suspected, my query was not correctly
matching the input key.
I'm now faced with one last issue... Say I have two domains for
which Postfix is authoritative and accepts mail, both of which do
not accept mail from the internet and are on internal relays.
domain1.sch.uk
domain2.sch.uk
Is it possible using built-in policy restrictions to only allow
senders from domain1.sch.uk to email users from domain1.sch.uk, but
deny those from domain2.sch.uk?
Using the smtpd_recipient_restrictions and
smtpd_restriction_classes to check the sender address or recipient
address doesn't give the granularity I require.
As both domains exist in the access map, check_sender_access and
check_recipient_access will always match.
domain1.sch.uk OK
domain2.sch.uk OK
etc
Anyone able to assist?

Cheers,

James
mouss
2007-10-01 04:51:07 UTC
Post by James Wilson
Thanks - I now have this working. Turning on +v to smtpd in master.cf
helped no end! As suspected, my query was not correctly matching the
input key.
I'm now faced with one last issue... Say I have two domains for which
Postfix is authoritative and accepts mail, both of which do not accept
mail from the internet and are on internal relays.
domain1.sch.uk
domain2.sch.uk
Is it possible using built-in policy restrictions to only allow
senders from domain1.sch.uk to email users from domain1.sch.uk, but
deny those from domain2.sch.uk?
Using the smtpd_recipient_restrictions and smtpd_restriction_classes
to check the sender address or recipient address doesn't give the
granularity I require.
As both domains exist in the access map, check_sender_access and
check_recipient_access will always match.
domain1.sch.uk OK
domain2.sch.uk OK
etc
Anyone able to assist?
Use 2 maps. Nothing requires that you check senders and recipients using
a single map.
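As an added illustration (not code from the thread or from Postfix itself): an offline model of the lookup chain the first post configures, where check_recipient_access names a restriction class that runs check_sender_access, walking the access-map key order from DATABASE_README (full address, domain, parent domains, localpart@). It puts the single shared sender map beside the per-domain maps mouss suggests; all map contents and addresses are constructed.

```python
# Added example, not from the thread: an offline model of how Postfix walks
# check_recipient_access -> restriction class -> check_sender_access, using
# the access-map lookup order from DATABASE_README. It contrasts one shared
# sender map with one sender map per list. Map contents are constructed.

def access_keys(addr):
    """Keys Postfix tries for a *_access lookup, in order of preference."""
    local, _, domain = addr.partition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    return [addr, domain, *parents, local + "@"]

def lookup(table, addr):
    """First matching key wins; None means the table has no entry."""
    return next((table[k] for k in access_keys(addr) if k in table), None)

def evaluate(recipient_map, classes, sender, recipient):
    """'OK', 'REJECT', or None when no protected list matched the recipient."""
    cls = lookup(recipient_map, recipient)
    if cls is None:
        return None
    for restriction, table in classes[cls]:
        if restriction == "check_sender_access":
            verdict = lookup(table, sender)
            if verdict is not None:
                return verdict
        elif restriction == "reject":
            return "REJECT"
    return None

# Poster's layout: one sender map listing every internal domain.
ALL_INTERNAL = {"domain1.sch.uk": "OK", "domain2.sch.uk": "OK"}
ONE_MAP = {"insiders_only": [("check_sender_access", ALL_INTERNAL),
                             ("reject", None)]}
LISTS_ONE = {"year1@domain1.sch.uk": "insiders_only",
             "staff@domain2.sch.uk": "insiders_only"}

# mouss's suggestion: a separate sender map (and class) per recipient domain.
TWO_MAPS = {"domain1_only": [("check_sender_access", {"domain1.sch.uk": "OK"}),
                             ("reject", None)],
            "domain2_only": [("check_sender_access", {"domain2.sch.uk": "OK"}),
                             ("reject", None)]}
LISTS_TWO = {"year1@domain1.sch.uk": "domain1_only",
             "staff@domain2.sch.uk": "domain2_only"}

if __name__ == "__main__":
    s, r = "bob@domain2.sch.uk", "year1@domain1.sch.uk"
    print("one map :", evaluate(LISTS_ONE, ONE_MAP, s, r))   # OK (too permissive)
    print("two maps:", evaluate(LISTS_TWO, TWO_MAPS, s, r))  # REJECT
```

The same key sequence is what "postmap -q" exercises by hand, so a class that rejects every sender usually means none of these keys matched the map.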
James Wilson
2007-10-01 09:10:07 UTC
Post by mouss
Use 2 maps. Nothing requires that you check senders and recipients using
a single map.
Hi Mouss,

Could you please elaborate? Even with multiple maps, won't all
internal domains be trusted?

Cheers,

James
