2

I'm trying to set up a policyd server on Centos x64 (selinux disabled), which will allow me for limiting numer of messages incoming from different servers and (more important) outgoing from different user accounts. At the moment, i believe i have a working configuration for limiting incoming mail (for example, from google) but I cannot make postfix do same policy checks for internal and outgoing mail.

Here's the problem (at the moment i'm just trying to make postfix use the policy service at all)

I added following lines to main.cf

smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031,   reject_unauth_destination
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

And disabled policyd (for testing)

When sending mail from other host (from gmail for ex) to this machine, in postfix logs there is an error that policyd server cannot be accessed

Sep 10 10:40:23 centosvbox1 postfix/smtpd[9378]: connect from unknown[IP_ADDRESS]
Sep 10 10:40:23 centosvbox1 postfix/smtpd[9378]: warning: connect to 127.0.0.1:10031: Connection refused
Sep 10 10:40:23 centosvbox1 postfix/smtpd[9378]: warning: problem talking to server 127.0.0.1:10031: Connection refused
Sep 10 10:40:24 centosvbox1 postfix/smtpd[9378]: warning: connect to 127.0.0.1:10031: Connection refused
Sep 10 10:40:24 centosvbox1 postfix/smtpd[9378]: warning: problem talking to server 127.0.0.1:10031: Connection refused

which means that postfix tries to access policyd server (which works as expected)

However, when i try to send mail from console (with mailx) to user root (local account) or somewhere else (gmail), no such lookups are made - mail just slides through, without even trying to access policyd

echo "ksfdhjksf" | mail -s "kjfhkjsfkjsfd" root

Sep 10 10:42:03 centosvbox1 postfix/cleanup[9386]: 9B606417D9: message-id=<20130910084203.9B606417D9@domain>
Sep 10 10:42:03 centosvbox1 postfix/qmgr[9342]: 9B606417D9: from=<root@domain>, size=458, nrcpt=1 (queue active)
Sep 10 10:42:03 centosvbox1 postfix/local[9388]: 9B606417D9: to=<root@domain>, orig_to=<root>, relay=local, delay=0.04, delays=0.03/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Sep 10 10:42:03 centosvbox1 postfix/qmgr[9342]: 9B606417D9: removed

Which makes me wonder - why check_policy_service does not work? (i believe this is a postfix issue)

Anybody has any idea how to make policyd limit system users (for example webapp) in sending mails?

gds.jerry
  • 61
  • 1
  • 5

1 Answers1

1

You defined the policy check in smtpd_*_restrictions, therefore it will never be queried for mail generated locally, because this kind of mails is injected into the Postfix queue using the pickup(8) service. To circumvent this, you will need to modify master.cf and add a content_filter instance to the pickup(8) service (and of course, you will also need to add said content filtering instance, take a look at Content Filtering.

FWIW, I don't think it's worth the effort to do this. Nobody should be able to generate local mail on a mail gateway, and is not the central mail gateway, then you are limiting in the wrong place, anyways.

Stefan Förster
  • 1,141
  • 5
  • 8
  • well, the environment I'm trying to set up is basically a standard hosting server, with mail system and users on the same machine, therefore i cannot set up a gateway for mail only, and enforce limits in that way. Thanks for advice with pickup and content filter, great thanks, will try it out :) appreciate your help :) – gds.jerry Oct 14 '13 at 09:38
  • The secure way of doing that on hosting machine is to disallow access to port 25 on other machines and for localhost require sasl authentification. – Marki555 May 04 '15 at 19:42