Setting up restriction classes in postfix for blocking receiving and sending mail to external domains.

Question

Hello everyone on serverfault,

I run a Debian Wheezy mailserver with postfix and several domains on it.

For one domain, I need some accounts to be unable to receive and send email to the external world, only to the same domain. The other accounts and domains remain normal.

Searching the web I found that I can do this with postfix restriction classes, so, I found a guide in postfix documentation: http://www.postfix.org/RESTRICTION_CLASS_README.html

Following the postfix documentation, I can’t apply my restriction, it gives me an unused parameter error when I restart postfix, the error is the following:

/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: local_only=check_recipient_access hash:/etc/postfix/local_domains, reject

Here’s some part of my main.cf where the restriction classes are located:

smtpd_client_restrictions =

permit_mynetworks,

check_client_access hash:/etc/postfix/custom_check_client_access,

permit_sasl_authenticated,

reject_sender_login_mismatch,

reject_unknown_client,

reject_unauth_pipelining,

reject_rbl_client sbl.spamhaus.org,

smtpd_recipient_restrictions =

check_sender_access hash:/etc/postfix/restricted_senders,

permit_mynetworks,

permit_sasl_authenticated,

reject_unauth_destination,

reject_invalid_hostname,

reject_unauth_pipelining,

reject_non_fqdn_sender,

reject_unknown_sender_domain,

reject_non_fqdn_recipient,

reject_unknown_recipient_domain,

check_recipient_access hash:/etc/postfix/protected_destinations,

check_policy_service inet:127.0.0.1:10023,

permit

smtpd_restriction_classes = local_only

local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

smtpd_restriction_classes = insiders_only

insiders_only = check_sender_access hash:/etc/postfix/local_domains, reject

Here’s my /etc/postfix/protected_destinations file:

restrict01@mydomain.com insiders_only

Here’s my /etc/postfix/restricted_senders file:

restrict01@mydomain.com local_only

Here’s my /etc/postfix/local_domains file:

mydomain.com OK

I can’t figure out what I did wrong! I couldn’t see anywhere on the internet on how to do two restriction classes together, so the syntax of smtpd_restriction_classes may be wrong. The other thing that I suspect to be wrong is the order of smtpd_recipient_restrictions, I can’t figure out where to put the check_sender_access and the check_recipient_access.

If you guys could help me out on setting up this restriction class, I would be thankful.

Thank you, Giovanni

Answer 1

When defining a new restriction class, what you basically do is telling Postfix about a new generic restriction that can be used like the builtin checks, e.g. "permit_mynetworks".

Doing so will require you to specify all restriction classes in one go, i.e.

smtpd_restriction_classes = local_only, insiders_only
insiders_only = ...
local_only = ...

Doing it this way should silence the postconf warning about an unused parameter.

As for where to put the restrictions: By default, the parameter "smtpd_delay_reject" is set to "yes", which means that even smtpd_(client|sender)_restrictions will only be evaluated after the "rctp to:<...>" stage. For this reason, it has been a long standing advice to simply collapse all restrictions within smtpd_recipient_restrictions. In your case, where the sender "restrict01@..." should only be able to send to internal destinations, you could probably use something like this as a good starting point:

smtpd_recipient_restrictions =
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unlisted_sender
  reject_unlisted_recipient
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  check_sender_access hash:/etc/postfix/restricted_senders
  permit_mynetworks
  allow_sasl_authenticated
  reject_unauth_destination
  check_policy_service inet:127.0.0.1:10023
  reject_rbl_client zen.spamhaus.org
  permit_auth_destination
  reject
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

Another thing to note is that it's (probably) a bad idea to return an "OK" from a access map before you verified the client's credentials. Therefore, the file "/etc/postfix/local_domains" should contain a line like

example.com DUNNO

This will force the restricted sender to authenticate with SASL or be within $mynetworks. As you can see, you can get away with one restriction class and get rid of smtpd_(sender|client)_restrictions.