
I'm setting up a postfix cloud server and I'd like to restrict communication inside the domain. That is, users can only communicate with other users who own an address in the email domain - no incoming or outgoing messages to other domains (like Gmail, Hotmail, etc):

YES: joe@domain.com <----> jane@domain.com
NO:  joe@domain.com <----> jane@gmail.com

What's a simple way to do this? I'm using postfix/courier. Thanks.


UPDATE - how to do this:

In /etc/postfix/main.cf:

# First rule makes sure users cannot send to people outside the domain
# (check_recipient_access is the one you want)
smtpd_recipient_restrictions =
    check_recipient_access regexp:/etc/postfix/recipient-access,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    permit

# Block sends from external users
# (who cannot be authenticated by the system)
# Note: reject_authenticated_sender_login_mismatch must be listed before
# permit_sasl_authenticated; restrictions are evaluated in order, and once
# permit_sasl_authenticated matches, the login/sender check is never reached.
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject

# use mysql to find authenticated addresses
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-login-maps.cf
# (could also use pcre or some other method)
#smtpd_sender_login_maps = pcre:/etc/postfix/sender-login-maps.pcre

In /etc/postfix/mysql-sender-login-maps.cf:

user = dbuser
password = dbpassword
hosts = 127.0.0.1
dbname = dbname
# this will depend on your db/table structure
query = SELECT email FROM users WHERE email='%s' and enabled=1;

Test with:

$ postmap -q user@domain.com mysql:/etc/postfix/mysql-sender-login-maps.cf

Should return user@domain.com if it exists in the users table, or nothing if it doesn't.

If you decided to use pcre (apt-get install postfix-pcre in Ubuntu), then in /etc/postfix/sender-login-maps.pcre:

# dot escaped so that only a literal "domain.com" matches
/^(.*@domain\.com)$/   ${1}

Test with:

$ postmap -q user@domain.com pcre:/etc/postfix/sender-login-maps.pcre

Should return user@domain.com if the domain matches, or nothing if it doesn't.


Finally, in /etc/postfix/recipient-access:

# Reject any recipient whose address does not end in a literal "@domain.com"
# (dot escaped and end-anchored so "@domain.com.example.net" does not match)
!/@domain\.com$/ REJECT

Thanks @NickW !
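The access and sender-login tables above can be sanity-checked without a running Postfix. The following is an added example, not code from the question or the answer: a small emulator of the regexp/pcre table syntax used on this page, with constructed tables; `RECIPIENT_ACCESS_ANCHORED` is an assumed hardened form of the page's `!/@domain.com/ REJECT` line.

```python
import re

# Added example, not code from the question or answer: a minimal emulator of
# the Postfix regexp:/pcre: table syntax used above, so the rules can be
# checked against sample addresses without a running Postfix. Tables are
# constructed here; RECIPIENT_ACCESS_ANCHORED is an assumed hardening of the
# page's '!/@domain.com/ REJECT' line (dot escaped, end anchored).
RECIPIENT_ACCESS_PAGE = r"!/@domain.com/ REJECT"
RECIPIENT_ACCESS_ANCHORED = r"!/@domain\.com$/ REJECT"
SENDER_LOGIN_PCRE = r"/^(.*@domain\.com)$/   ${1}"

# '/pattern/ result' or '!/pattern/ result'; pattern flags are not supported.
_RULE = re.compile(r"^(!?)/(.*)/\s+(\S.*)$")


def parse_table(text):
    """Parse table lines into (negate, compiled regex, result) tuples.
    Postfix matches case-insensitively by default, mirrored with IGNORECASE."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError(f"unsupported table line: {raw!r}")
        negate, pattern, result = m.groups()
        rules.append((negate == "!", re.compile(pattern, re.IGNORECASE), result))
    return rules


def lookup(rules, key):
    """First matching rule wins, like postmap -q. A '!' rule matches when its
    pattern does NOT match the key; $1/${1} in a result is expanded from the
    match. Returns None when nothing matches (Postfix 'not found')."""
    for negate, regex, result in rules:
        m = regex.search(key)
        if negate:
            if m is None:
                return result
            continue
        if m is not None:
            return re.sub(r"\$\{?(\d+)\}?", lambda s: m.group(int(s.group(1))), result)
    return None


if __name__ == "__main__":
    for table in (RECIPIENT_ACCESS_PAGE, RECIPIENT_ACCESS_ANCHORED):
        rules = parse_table(table)
        for rcpt in ("joe@domain.com", "jane@gmail.com", "joe@domain.com.example.net"):
            print(table, rcpt, lookup(rules, rcpt))
```

Running it shows that the unanchored page rule lets `joe@domain.com.example.net` through (no match, so allowed) while the anchored form rejects it.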



The easiest manner to restrict people from outside sending to your server is to allow only SASL authenticated people to send, then define smtpd_sender_restrictions as reject_sender_login_mismatch, reject, which will only allow SASL authenticated users, and only when their FROM address matches their login name. Creating an SQL query which selects the user's email as the authorized address is pretty straightforward.

Then you'd set up smtpd_recipient_restrictions as check_recipient_access regexp:/etc/postfix/recipient-access; inside recipient-access you'd have something similar to !/@domain.com/ REJECT, which means any TO/CC/BCC address that isn't your domain gets rejected.

This isn't a complete writeup, but it should get you on the right track.

  • Blocking users inside the domain from sending outside was indeed pretty straightforward using `smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/recipient-access`. Could you please expand a bit more (implementation) about the first paragraph, e.g. how to block external users from sending into the domain? Thanks! – sa125 Nov 19 '14 at 14:41
  • Basically, what you will do is set up both SASL and TLS authentication (both of which you can find ample documentation on), then you will add the line I suggest. You might even want to be more restrictive by using `restrict_sender_login_mismatch` – NickW Nov 19 '14 at 15:39
  • Yeah, that did the trick. It was also important to permit sasl authentication - I'll update my question. – sa125 Nov 19 '14 at 15:55
  • Once you've done that, you will need to have a DB or file which lists the `user valid_email` or, like I said, you could write a simple SQL query that selects the email AS the `allowed_user`. I don't think that the field has to come back with more than an `email:allowed_email` format, so it could be `joe@go.com:joe@go.com` and so on. – NickW Nov 19 '14 at 15:58
  • If you only have a few users, it might be easier to just put 'em in a text file; really, whatever you feel more comfortable with. – NickW Nov 19 '14 at 15:59
  • My pleasure, glad I could help. – NickW Nov 20 '14 at 09:46