
List:       kroupware
Subject:    Re: Forged header detection and selective filtering (Solved)
From:       Adam Tworkowski <atworkowski () masterfile ! com>
Date:       2006-02-17 14:23:50
Message-ID: 1140186230.20797.35.camel () atworkowski-ubuntu

OK, I think I came up with a reasonable solution to my issue with a
little help from the postfix-users list.  Posting my results so my
initial post to the list may have value to someone in the future:

The key was to add "check_sender_access
hash:/kolab/etc/postfix/access" to smtpd_*_restrictions and create the
rules in postfix/access as follows:

in postfix/main.cf:

smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unlisted_recipient,
    check_sender_access hash:/kolab/etc/postfix/access,
    check_policy_service unix:private/kolabpolicy

smtpd_sender_restrictions =
    check_sender_access hash:/kolab/etc/postfix/access,
    permit_mynetworks,
    check_policy_service unix:private/kolabpolicy

in postfix/access:

fakeuser@domain.com OK # no leading | like I had before.


On Wed, 2006-15-02 at 13:21 -0500, Adam Tworkowski wrote:
> I am trying to allow certain email addresses using my local domain (say
> fakeuser@domain.com) to send mail from remote networks to valid local
> users (i.e. realuser@domain.com).
> 
> Basically I am trying to poke a hole in Kolab's UCE policy on a per
> sender basis through Postfix.
> 
> I am adding the sender's address to /kolab/etc/postfix access (which is
> otherwise empty) and mapping it with /kolab/sbin/postmap access.
> 
> | fakeuser@domain.com OK
> 
> I am then changing the following line in Postfix's main.cf from:
> 
> smtpd_sender_restrictions = permit_mynetworks,
>     check_policy_service unix:private/kolabpolicy
> 
> to:
> 
> smtpd_sender_restrictions =
>     check_sender_access hash:/kolab/etc/postfix/access,
>     permit_mynetworks,
>     check_policy_service unix:private/kolabpolicy
> 
> When attempting to send mail as the user I get the following (note that
> I am definitely not on a network local to Postfix):
> 
> telnet 192.168.1.10  25
> Trying 192.168.1.10...
> Connected to 192.168.1.10.
> Escape character is '^]'.
> 220 kolab01.domain.com ESMTP Postfix
> ehlo hotmail.com
> 250-kolab01.domain.com
> 250-PIPELINING
> 250-SIZE 20971520
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250 8BITMIME
> MAIL FROM:  fakeuser@domain.com
> 250 Ok
> RCPT TO: realuser@domain.com
> 554 <fakeuser@domain.com>: Sender address rejected: Invalid sender
> 
> Am I going about this the right way?  Is there another filter getting in
> the way?  What am I missing?  
> 
> Also, if an address is not present during the "check_sender_access"
> check am I expecting it to bail, or move on to permit_mynetworks?
> 
> Any help would be much appreciated.  Thanks.
> 
> -Adam
> 
> On Tue, 2006-14-02 at 13:14 -0500, Adam Tworkowski wrote:
> > Hi,
> > 
> > Our Kolab server (correctly) detects forged "from" headers so that if
> > you say you are "user@domain.com" where domain.com is local, and you are
> > sending from somewhere that is not domain.com, your message is
> > refused.  How would I go about allowing certain "users" to bypass this
> > feature so that user1@domain.com can be delivered as if local even
> > though the headers are really forged?  
> > 
> > We have a business requirement to accept mail "from" certain "accounts"
> > that aren't local (affiliate users who we don't necessarily want on our
> > mail system, as well as some forwarders from an external mail system
> > via /etc/aliases).
> > 
> > Thanks in advance.  
-- 
Regards,

Adam Tworkowski, atworkowski@masterfile.com
Systems Administrator, Computer Department
Masterfile Corporation, www.masterfile.com
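
Added example, not part of the original message and not Postfix or Kolab code: a small Python model of how the two restriction lists above are walked, showing why the access-map entry has to be consulted ahead of kolabpolicy in both lists and that a lookup miss falls through to the next restriction. The kolabpolicy stand-in, the sample users, the helper names and the pre-change recipient list (the posted one minus check_sender_access) are assumptions.

```python
# Simplified model of how Postfix walks smtpd restriction lists (added example).
LOCAL_DOMAIN = "domain.com"
LOCAL_USERS = {"realuser@domain.com"}          # constructed sample data
ACCESS_MAP = {"fakeuser@domain.com": "OK"}     # the postfix/access entry

def check_sender_access(s):    # lookup miss returns DUNNO: fall through
    return ACCESS_MAP.get(s["sender"], "DUNNO")
def permit_mynetworks(s):
    return "OK" if s["in_mynetworks"] else "DUNNO"
def permit_sasl_authenticated(s):
    return "OK" if s["sasl"] else "DUNNO"
def reject_unauth_destination(s):
    return "DUNNO" if s["rcpt"].endswith("@" + LOCAL_DOMAIN) else "REJECT"
def reject_unlisted_recipient(s):
    return "DUNNO" if s["rcpt"] in LOCAL_USERS else "REJECT"
def kolabpolicy(s):            # assumed stand-in for unix:private/kolabpolicy
    return "REJECT" if s["sender"].endswith("@" + LOCAL_DOMAIN) else "DUNNO"

def build(with_access_in):
    """Return both lists; check_sender_access is placed as in the posted main.cf."""
    sender = [permit_mynetworks, kolabpolicy]
    rcpt = [permit_mynetworks, permit_sasl_authenticated,
            reject_unauth_destination, reject_unlisted_recipient, kolabpolicy]
    if "sender" in with_access_in:
        sender.insert(0, check_sender_access)
    if "recipient" in with_access_in:
        rcpt.insert(4, check_sender_access)
    return [("smtpd_sender_restrictions", sender),
            ("smtpd_recipient_restrictions", rcpt)]

def evaluate(config, s):
    """First non-DUNNO result ends a list; OK only ends that list, REJECT ends all."""
    for list_name, restrictions in config:
        for r in restrictions:
            verdict = r(s)
            if verdict == "REJECT":
                return "REJECT", f"{list_name}: {r.__name__}"
            if verdict == "OK":
                break
    return "OK", "accepted"

def session(sender, rcpt, in_mynetworks=False, sasl=False):
    return {"sender": sender, "rcpt": rcpt, "in_mynetworks": in_mynetworks, "sasl": sasl}

if __name__ == "__main__":
    remote = session("fakeuser@domain.com", "realuser@domain.com")
    for label, lists in [("original", ()), ("sender list only", ("sender",)),
                         ("both lists", ("sender", "recipient"))]:
        print(label, evaluate(build(lists), remote))
```

Because check_sender_access sits after reject_unauth_destination in the recipient list, the OK entry does not let the listed address relay to outside domains. The map matches only the MAIL FROM value, which the connecting client supplies.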
 