I am using Postfix. I need to configure sender-based restrictions so that nobody who is not authenticated and not part of mynetworks can send mail through this server.

This is my smtpd_sender_restrictions:

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject

I am unable to find this in the official Postfix documentation:

(permit_mynetworks && permit_sasl_authenticated)

What is the correct syntax to achieve this?

csx4
  • What software is doing the SASL part? There is a chance your desired configuration is more closely matched by adding the additional restriction there. – anx Jul 21 '23 at 15:35
  • 1
    I cannot test the full thing right now, so I will just drop a pointer: Postfix distributes in the file `RESTRICTION_CLASS_README` a description on how the right-hand sides of one lookup can again reference other lookups. Because you can replace `permit_mynetworks` as an explicit `cidr:` lookup (or whatever is able to match your current `mynetworks` value), you can use this to create logical AND. AFAIK this requires that your extra class ends with `reject`, meaning all local submissions without authentication are rejected even if they would be accepted from non-local sources. – anx Jul 21 '23 at 15:49
  • I am using LDAP authentication with saslauthd. Actually, I am not trusting the whole subnet, only a few servers which require the email sending facility. – csx4 Jul 22 '23 at 17:46

2 Answers


According to "Getting selective with SMTP access restriction lists" in the Postfix SMTP relay and access control documentation:

Postfix allows you to specify lists of access restrictions for each stage of the SMTP conversation. Individual restrictions are described in the postconf(5) manual page.

It would indeed be possible to limit the IP addresses earlier in smtpd_client_restrictions and then require SASL authentication later in smtpd_sender_restrictions. Note that the first matching reject* or permit* is used, so if you need to reject unknown sender domains and non-FQDN senders, you must place those before permit_sasl_authenticated.

Restrictions are applied in the order as specified; the first restriction that matches wins.

Example configuration matching your desired behaviour:

smtpd_client_restrictions =
    permit_mynetworks,
    reject

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain, 
    permit_sasl_authenticated,
    reject

Furthermore, you could even limit which addresses the users could use based on their login with smtpd_sender_login_maps.

smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

smtpd_client_restrictions =
    permit_mynetworks,
    reject

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

Here, the reject_non_fqdn_sender and reject_unknown_sender_domain from the previous example are rather pointless, as you would not have such domains in your /etc/postfix/sender_login_maps, e.g.,

# Personal addresses
joe.bloggs@example.com  joe
jane.doe@example.com    jane

# Shared addresses
info@example.com        joe
info@example.com        jane

As always, remember to run postmap /etc/postfix/sender_login_maps, as you are using the hash: (Berkeley DB) lookup table type.

Esa Jokinen
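To make the first-match rule concrete, here is a small model of how Postfix walks its restriction lists, written as an added example and not taken from Postfix or from the answer above. It evaluates the question's single smtpd_sender_restrictions list and the answer's two split variants (with and without smtpd_sender_login_maps) against a handful of constructed sessions. The network ranges, the "known" domain set standing in for the DNS lookup behind reject_unknown_sender_domain, and the session data are all assumptions; the sender_login_maps content mirrors the answer's table.

```python
"""Model of Postfix first-match restriction-list evaluation (hypothetical, not Postfix code).

Shows why the question's single list is "mynetworks OR SASL", and why splitting
the checks across smtpd_client_restrictions and smtpd_sender_restrictions, as the
answer suggests, yields "mynetworks AND SASL".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed values standing in for the real main.cf settings and lookup tables.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/24")]
KNOWN_DOMAINS = {"example.com"}   # stands in for the DNS check reject_unknown_sender_domain performs
SENDER_LOGIN_MAPS = {             # same content as the answer's sender_login_maps table
    "joe.bloggs@example.com": {"joe"},
    "jane.doe@example.com": {"jane"},
    "info@example.com": {"joe", "jane"},
}


@dataclass
class Session:
    client_ip: str
    sasl_login: Optional[str]   # None when the client did not authenticate
    sender: str                 # MAIL FROM address


def in_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def evaluate(restriction: str, s: Session) -> str:
    """One restriction: 'permit', 'reject', or 'dunno' (no opinion, try the next one)."""
    domain = s.sender.rpartition("@")[2].lower()
    if restriction == "permit_mynetworks":
        return "permit" if in_mynetworks(s.client_ip) else "dunno"
    if restriction == "permit_sasl_authenticated":
        return "permit" if s.sasl_login else "dunno"
    if restriction == "reject_non_fqdn_sender":
        return "reject" if "." not in domain else "dunno"
    if restriction == "reject_unknown_sender_domain":
        return "reject" if domain not in KNOWN_DOMAINS else "dunno"
    if restriction == "reject_sender_login_mismatch":
        owners = SENDER_LOGIN_MAPS.get(s.sender.lower(), set())
        if s.sasl_login and s.sasl_login not in owners:
            return "reject"   # authenticated, but the login does not own the address
        if not s.sasl_login and owners:
            return "reject"   # not authenticated, but the address has an owner
        return "dunno"
    if restriction == "reject":
        return "reject"
    raise ValueError(f"restriction not modelled: {restriction}")


def run_list(restrictions: List[str], s: Session) -> str:
    """First restriction that returns permit or reject wins; a list that runs out permits."""
    for r in restrictions:
        verdict = evaluate(r, s)
        if verdict != "dunno":
            return verdict
    return "permit"


def decide(config: Dict[str, List[str]], s: Session) -> str:
    """The client list runs before the sender list. A permit only ends its own list, so
    every list must still avoid rejecting; that is what turns two lists into an AND."""
    for stage in ("smtpd_client_restrictions", "smtpd_sender_restrictions"):
        if run_list(config.get(stage, []), s) == "reject":
            return "reject"
    return "permit"


# The question's single list (OR) and the answer's two split variants (AND).
ORIGINAL = {"smtpd_sender_restrictions": [
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_non_fqdn_sender", "reject_unknown_sender_domain", "reject"]}
SPLIT = {"smtpd_client_restrictions": ["permit_mynetworks", "reject"],
         "smtpd_sender_restrictions": [
             "reject_non_fqdn_sender", "reject_unknown_sender_domain",
             "permit_sasl_authenticated", "reject"]}
SPLIT_LOGIN_MAPS = {"smtpd_client_restrictions": ["permit_mynetworks", "reject"],
                    "smtpd_sender_restrictions": [
                        "reject_sender_login_mismatch", "permit_sasl_authenticated", "reject"]}

# Constructed sessions: the four client/auth combinations plus two login-ownership cases.
SESSIONS = {
    "local_auth":        Session("10.0.0.5", "joe", "joe.bloggs@example.com"),
    "local_noauth":      Session("10.0.0.5", None, "joe.bloggs@example.com"),
    "remote_auth":       Session("203.0.113.7", "jane", "jane.doe@example.com"),
    "remote_noauth":     Session("203.0.113.7", None, "joe.bloggs@example.com"),
    "local_auth_spoof":  Session("10.0.0.5", "joe", "jane.doe@example.com"),
    "local_auth_shared": Session("10.0.0.5", "jane", "info@example.com"),
}


def matrix(config: Dict[str, List[str]]) -> Dict[str, str]:
    """Verdict for every constructed session under one configuration."""
    return {name: decide(config, s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("split", SPLIT), ("split+login_maps", SPLIT_LOGIN_MAPS)):
        print(label, matrix(cfg))
```

Running it shows the difference the answer describes: under ORIGINAL an unauthenticated client inside mynetworks is permitted (permit_mynetworks matches first and the list stops), while under SPLIT the same client passes the client list but is rejected by the sender list, and an authenticated client outside mynetworks never gets past the client list. The third configuration additionally rejects an authenticated user who puts someone else's address in MAIL FROM. The model deliberately leaves out smtpd_relay_restrictions, whose default (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) is evaluated separately at RCPT TO and still decides whether relaying to outside domains is allowed.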

I don't believe this is possible with Postfix configuration alone.

However if you separate the traffic going out from the traffic coming in, you can use firewall rules to apply additional restrictions to the client IP address.

Either add a second Postfix server or configure your existing instance to ONLY allow sending on port 465.

symcbean
  • Actually, this server is for sending mail only; I have not configured it to receive mail. Yes, I can allow traffic by using a firewall, but my concern was whether it is possible through Postfix. – csx4 Jul 22 '23 at 17:49