Restricted incoming users ruleset

Drew Marshall drew at themarshalls.co.uk
Fri Jul 14 17:19:56 IST 2006


On Fri, July 14, 2006 06:43, Industry Standard Computers wrote:
> Drew,
> Sorry it took a while to get a "who cares what blows up" box and a test
> domain. One single domain, 4 users.
> Thanks,
> Butch
>
> -------------------------------------------------------
> I did a log rotate & a service MS restart and then sent an email to the
> restricted user "joejoe".
> -------------------------------------------------------
> here is maillog log:
>
> Jul 14 01:25:05 butch MailScanner[19599]: MailScanner E-Mail Virus
> Scanner version 4.53.8 starting...
> Jul 14 01:25:05 butch MailScanner[19599]: Read 746 hostnames from the
> phishing whitelist
> Jul 14 01:25:10 butch MailScanner[19599]: Using locktype = flock
> Jul 14 01:25:12 butch postfix/smtpd[19690]: connect from
> mail.cybrhost.net[67.99.202.39]
> Jul 14 01:25:12 butch postfix/smtpd[19690]: warning: unknown smtpd
> restriction: "restrictive"

There's your problem

> --------------------------------------------------------
> Here is main.cf:
>
>Snipped<

> smtpd_restriction_classes = restrictive, permissive
> restrictive = reject_unknown_sender_domain, reject_unknown_client_hostname
> permissive = permit
>
>
> smtpd_restriction_classes = local_only, local_plus
> local_only = reject_unauth_destination
>
> local_plus = check_recipient_access hash:/etc/postfix/local_plus
>    reject_unauth_destination

I think this should be tidied up like:

smtpd_restriction_classes = restrictive, permissive, local_only, local_plus
restrictive = reject_unknown_sender_domain, reject_unknown_client_hostname
permissive = permit
local_only = reject_unauth_destination
local_plus = check_recipient_access hash:/etc/postfix/local_plus

> smtpd_delay_reject = yes
> smtpd_sender_restrictions =
>    check_sender_access hash:/etc/postfix/restricted_senders
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     check_recipient_access hash:/etc/postfix/restricted_incoming_users
>     reject_unauth_destination
>     permit_sasl_authenticated

OK so what is in your 2 'restricted_*' files?

Sender should have something like:

not.outgoinguser@example.com     local_only
ok.foroutgoing@example.com       local_plus

Incoming should have:

not.incoming@example.com         REJECT <Reason why here>
incoming.ok@example.com          OK

You probably don't need the table values for the incoming side if you
order your recipient restrictions properly. Remember it's first match
wins.

> ---------------------------------------------------------------------
> person who sent the email to joejoe gets this back a few times:
>
>  Out: 220 butch.homelinux.com ESMTP Postfix
>  In:  EHLO cybrhost.net
>  Out: 250-butch.homelinux.com
>  Out: 250-PIPELINING
>  Out: 250-SIZE 10240000
>  Out: 250-VRFY
>  Out: 250-ETRN
>  Out: 250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5
>  Out: 250-AUTH=DIGEST-MD5 PLAIN LOGIN CRAM-MD5
>  Out: 250 8BITMIME
>  In:  MAIL FROM:<sales11 at iscnetwork.com> SIZE=1320
>  Out: 250 Ok
>  In:  RCPT TO:<joejoe at butch.homelinux.com>
>  Out: 451 Server configuration error

This is due to the error in the logs.

Drew
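
The following check is an added example, not part of the original post or of Postfix itself. It shows why the two smtpd_restriction_classes lines quoted above lead to the "unknown smtpd restriction" warning: Postfix keeps only the last definition of a parameter, so a class named only in the first line is no longer declared. The access-table contents and the function names are assumptions made for illustration; the thread never shows the real table files.

```python
import re

# Constructed sample modeled on the main.cf quoted in this thread.
MAIN_CF = """\
smtpd_restriction_classes = restrictive, permissive
restrictive = reject_unknown_sender_domain, reject_unknown_client_hostname
permissive = permit
smtpd_restriction_classes = local_only, local_plus
local_only = reject_unauth_destination
local_plus = check_recipient_access hash:/etc/postfix/local_plus
   reject_unauth_destination
"""
# Constructed access-table content (assumption; not shown in the thread).
ACCESS_TABLE = """\
joejoe@butch.homelinux.com   restrictive
other@butch.homelinux.com    local_only
"""

def parse_main_cf(text):
    """Return (effective, duplicates). Postfix remembers only the last
    definition of a parameter; indented lines continue the previous one."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    effective, duplicates = {}, []
    for entry in logical:
        name, _, value = (part.strip() for part in entry.partition("="))
        if name in effective:
            duplicates.append(name)
        effective[name] = value  # a later definition replaces the earlier one
    return effective, duplicates

def undeclared_classes(main_cf, access_table):
    """Table results that main.cf defines as a class body but that are
    missing from the effective smtpd_restriction_classes list."""
    effective, _ = parse_main_cf(main_cf)
    declared = set(re.split(r"[,\s]+", effective.get("smtpd_restriction_classes", "")))
    missing = []
    for line in access_table.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if fields[1] in effective and fields[1] not in declared | set(missing):
            missing.append(fields[1])
    return missing
```

On a live system, `postconf -n smtpd_restriction_classes` shows the value Postfix actually uses.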

