
Since I'm running a domain for development teams and I want to use this domain as a dev mail server, I see a need to restrict the possibilities for sending mails. Fact is:

- the domain is up and running
- mail and webmail are up and running

I'm using Plesk, and the fact that there are multiple domains running on this server makes it somehow confusing.

Right now I'm searching for a solution so that email is only exchanged within this domain. If the domain were admin.ch, all @admin.ch mail accounts would be restricted to sending and receiving mails from @admin.ch.

Do you understand what I mean, and do you have any suggestions for me?

I found this entry: Postfix on development server, allow mail to be sent to only one domain

but the problem is that there are multiple hostings running within this server.

Thanks in advance for the fish - best regards, chiuchemandli

-- situation:

Server serving multiple domains:

- domain1.ch
- domain2.ch
- domain3.ch
- devdomain.ch

Now I want all users from devdomain.ch to be able to send and receive mails only from devdomain.ch. All other domains work as usual. ATM I'm not sure if header_check is the right thing for my problem!?

  • The examples offered will work perfectly, just decide on a destination for misdirected mail, the others you can "authorize". Just add all the domains to `/^To:.*@(allowed-domain.com|another-domain.com)/ DUNNO` with as many `|` as you need, then add the `/^To:.*@/ REDIRECT redirect@example.com` to send any other mail to an account of your choice. Those go in the header_checks. – NickW Apr 08 '13 at 08:42
  • @NickW here's my header_checks file: - `#only soreco-stakeholder.info mails should be checked` `!/^To:.*@soreco-stakeholder.info/ DUNNO` `!/^From:.*@soreco-stakeholder.info/ DISCARD` - but it won't work :( Any idea? Thanks in advance... – chiuchemand.li Apr 08 '13 at 12:32
  • What do the logs show for those emails? And why do you want to discard emails from the same domain? – NickW Apr 08 '13 at 12:39
  • `Apr 8 15:11:05 papst postfix/cleanup[12754]: F017E145442: discard: header To: "papst@soreco-stakeholder.info" from mail.admin.ch[164.x.x.x]; from= to= proto=ESMTP helo=.` Because I just want them to correspond within the same domain? – chiuchemand.li Apr 08 '13 at 13:30
  • But if they are corresponding between the same domains, shouldn't someone from that domain be able to send? I would discard from To:.*@/, that way any mail to any other domain is discarded. – NickW Apr 08 '13 at 13:38
  • `/^To:.*@soreco-stakeholder.info/ DUNNO` `/^To:.*@/ REJECT` But now admin.ch can't send / receive any mails? – chiuchemand.li Apr 08 '13 at 13:58
  • Try this: `/^To:.*@(soreco-stakeholder.info|admin.ch)/ DUNNO`, then on the line after add `/^To:.*@/ REJECT` – NickW Apr 08 '13 at 14:02
  • Still not possible :( I tried to explain the situation a little better in the main question, maybe it is useful. – chiuchemand.li Apr 08 '13 at 14:14
  • Your edit makes things a bit clearer. That does need a different setup. – NickW Apr 08 '13 at 14:15
  • Okay - sorry for the confusion. Do you have any idea? – chiuchemand.li Apr 08 '13 at 14:21
  • Yeah actually, it's not going to be simple though.. – NickW Apr 08 '13 at 14:22
  • One question: do the senders only send mail from the outside, i.e. no scripts that use sendmail locally? – NickW Apr 08 '13 at 16:21
  • Hi Nick, sorry for my late response. Yes, the devs are sending mails from outside - not from the local machine. – chiuchemand.li Apr 09 '13 at 05:57
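Why the rules from the comment thread above behave as they do, as an added example (not code from the original posts): a simplified Python model of how a regexp header_checks table is applied to one header line at a time. The model covers only plain and negated `/pattern/ ACTION` rules, and the sample headers are constructed.

```python
import re

# Simplified model of a Postfix regexp: table used as header_checks.
# Assumptions: only "/pattern/ ACTION" and "!/pattern/ ACTION" rules,
# case-insensitive matching, no if/endif blocks.
def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negate, pattern, action = re.match(r"(!?)/(.*)/\s+(\S+)", line).groups()
        rules.append((negate == "!", re.compile(pattern, re.I), action))
    return rules

def check_message(rules, headers):
    """Return (action, header) for the first non-DUNNO hit, else ("DUNNO", None)."""
    for header in headers:                  # each header line is looked up on its own
        for negate, pattern, action in rules:
            if bool(pattern.search(header)) != negate:   # rule fires
                if action != "DUNNO":
                    return action, header
                break                       # DUNNO: stop here, go to the next header
    return "DUNNO", None

# Rules as posted in the comments above.
NEGATED_RULES = parse_rules("""
!/^To:.*@soreco-stakeholder.info/ DUNNO
!/^From:.*@soreco-stakeholder.info/ DISCARD
""")
ALLOWLIST_RULES = parse_rules("""
/^To:.*@(soreco-stakeholder.info|admin.ch)/ DUNNO
/^To:.*@/ REJECT
""")

# Constructed sample headers (addresses are made up for this example).
INBOUND = ["Received: from mail.admin.ch", "From: someone@admin.ch",
           "To: papst@soreco-stakeholder.info", "Subject: test"]
DEV_TO_OTHER = ["From: dev@soreco-stakeholder.info", "To: someone@admin.ch"]

if __name__ == "__main__":
    # "!/^From:.../" fires on the To: line, because that line is not a From: line.
    print(check_message(NEGATED_RULES, INBOUND))
    # The allowlist only ever sees To:, so the dev domain can still mail admin.ch.
    print(check_message(ALLOWLIST_RULES, DEV_TO_OTHER))
```

On a real server, `postmap -q "To: user@example.org" regexp:/etc/postfix/header_checks` looks up a single header line in the actual table.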

1 Answer

I can think of three possible solutions to your problem. One would be to pass all your email through a content filter (this can be a simple script that parses the headers and sends the mail back into Postfix on another port if the conditions you set are met). There is a bit of work involved in this though. Have a look at the Postfix Filter Readme for more information.

The second would be to run two servers (or two instances of Postfix), hosting the normal domains on one and the devdomain on the other; that way you can lock the second down as suggested in the other answer.

On the primary server:

```
/^From:.*devdomain\.ch/ FILTER transport:relay
```

If you set up the devdomain.ch in main.cf to use the relay transport, in the relay_maps put the second server address, then mails From or To devdomain will be relayed to the second server. Then on the second server set up a header_check like this:

```
/^From:.*devdomain\.ch/ DUNNO
/^From:/ REJECT
```

Make sure the second one by default accepts only mail for devdomain.ch.

Then you can have both instances of postfix deliver to dovecot, or courier in a single location.

The problem with mixing the two domains is that Postfix header checks check the headers line by line, so you can't confirm that if the To: matches, the From: does as well. It's the normally functional domains that make things more complicated.

An option to allow users only to send with their username would be to use smtpd_sender_login_maps, which maps SASL usernames to emails. This will make sending with scripts or programs installed on the machine more difficult (unless they can do SASL). This would solve half your problems, and the other half could be resolved with:

```
check_sender_access hash:/etc/postfix/restricted_senders
```

/etc/postfix/restricted_senders:

```
user1@devdomain.ch dev_only
user2@devdomain.ch dev_only
```

You would then need to define dev_only

```
smtpd_restriction_classes = dev_only
dev_only = check_recipient_access hash:/etc/postfix/local_domains, reject
```

/etc/postfix/local_domains:

```
devdomain.ch OK
```

NickW
  • Ouw - I think it would be easier to set up a second server which handles devdomain.com. I thought it is a common issue... argh! Thanks anyway for your support – chiuchemand.li Apr 09 '13 at 08:06
  • If it's from outside, I'd do the third method, you can have the maps all in mysql, it should be super simple to set up and admin. – NickW Apr 09 '13 at 08:11
  • But with the third solution I could imagine some problems. I want to allow the dev teams to manage their accounts on their own within Plesk. If I do the third solution I have to take care of the restricted_senders, or did I misunderstand something? – chiuchemand.li Apr 09 '13 at 08:19
  • No, the nice thing is if they use postfixadmin, all the lookup tables are in mysql, you could have a simple trigger that adds dev_only to their local_domain field for example (if their username is @devdomain.ch) then a simple `select email, local domain from user where user like $user` <-- there are tons of examples of mysql and postfix integration.. or you could just say two servers is easier :) – NickW Apr 09 '13 at 08:28
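A sketch of the content-filter option from the answer, as an added example (not NickW's code): because the script sees the whole message, it can check sender and recipients together, which header_checks cannot do line by line. The invocation as `filter.py SENDER RECIPIENT...` from a pipe transport, the re-injection listener on 127.0.0.1:10026 and the `PASS`/`REJECT` return values are assumptions of this example.

```python
import smtplib
import sys
from email import message_from_bytes
from email.utils import parseaddr

DEV_DOMAIN = "devdomain.ch"            # restricted domain from the question
REINJECT = ("127.0.0.1", 10026)        # assumed Postfix re-injection listener
EX_UNAVAILABLE = 69                    # sysexits code: Postfix bounces the mail

def domain_of(address):
    # Exact domain comparison, not a substring match like /.*devdomain.ch/
    return address.rpartition("@")[2].lower()

def policy(envelope_sender, envelope_rcpts, raw_message):
    """Return "PASS" or "REJECT", judging sender and recipients together."""
    msg = message_from_bytes(raw_message)
    header_from = parseaddr(str(msg.get("From", "")))[1]
    senders = {domain_of(a) for a in (envelope_sender, header_from) if a}
    rcpts = {domain_of(a) for a in envelope_rcpts}
    if DEV_DOMAIN not in senders | rcpts:
        return "PASS"                  # other hosted domains work as usual
    if senders == {DEV_DOMAIN} and rcpts == {DEV_DOMAIN}:
        return "PASS"                  # devdomain.ch talking to itself
    return "REJECT"                    # devdomain.ch mixed with anything else

def main(argv, stdin):
    # Assumed invocation by a pipe transport: filter.py SENDER RECIPIENT...
    sender, rcpts = argv[1], argv[2:]
    raw = stdin.read()
    if policy(sender, rcpts, raw) == "REJECT":
        return EX_UNAVAILABLE
    with smtplib.SMTP(*REINJECT) as smtp:
        smtp.sendmail(sender, rcpts, raw)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin.buffer))
```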