[postfix-users] restriction class - somewhere I've got a knot in my...

Georg Käfer gkaefer at backbone.co.at
Fri May 15 12:03:20 CEST 2009


Dear list,

with your help I have almost reached my goal.
Certain domains are accepted by my server from outside only if the mail comes from an upstream mail firewall.

What does not work yet is the case where users of the domains protected by the mail firewall have entered the mail server as their incoming/outgoing server and deliver mail among themselves. Then they also get the 550 error message I chose, telling them to please use the MX (= mail firewall).
To domains that are not "mail-firewall-protected", as well as to external domains, everything works without complaint.

I tried, without success, to configure permit_sasl_authenticated into "check_if_mailfirewall_is_sender =". That does not work.

I.e. how can I extend the restriction class so that external mail for "mail-firewall-protected" domains/users is accepted by my mail server only when it comes from the mail firewall (that part works),
and mail FROM authenticated users of all local domains/users TO "mail-firewall-protected" domains/users is accepted.

	/etc/postfix/main.cf:
	
	smtpd_recipient_restrictions =
	  check_recipient_access hash:/etc/postfix/recipient_access
	
	smtpd_restriction_classes =
	  check_if_mailfirewall_is_sender

	check_if_mailfirewall_is_sender =
	  check_client_access hash:/etc/postfix/mailfirewall-ip,
	  check_recipient_access pcre:/etc/postfix/nice_mailfirewall_reject.pcre,
	  reject

	/etc/postfix/mailfirewall-ip:	
	xx.xx.xx.xx     OK   (note: IP of the mail firewall)
	192.168.128.20  OK
	127.0.0.1       OK
	localhost       OK

	/etc/postfix/recipient_access:
	manual.at				check_if_mailfirewall_is_sender

	and the corresponding error message:
	nano nice_mailfirewall_reject.pcre
	/(.+)/  554 5.7.1 Use MX record instead for delivering to $1

	postmap /etc/postfix/recipient_access
	postmap /etc/postfix/mailfirewall-ip

	/etc/postfix/postfix reload
	
	The error message then reads:
	554 5.7.1 <gkaefer2 at manual.at>: recipient address rejected: Use MX record insted for delivering to gkaefer2 at manual.at 
	
/var/log/messages:

May 15 12:05:46 mail2 postfix/smtpd[31245]: connect from atsbgfwbb.backbone.co.at[81.31.128.126]
May 15 12:05:46 mail2 postfix/policyd-weight[30076]: decided action=DUNNO mail for postmaster at manual.at; <instance=7a0d.4a0d3e7a.8354d.0> <client=81.31.128.126> <helo=gkaeferpc> <from=gkaefer2 at manual.at> <to=postmaster at manual.at>; delay: 0s
May 15 12:05:46 mail2 postgrey[23736]: 2009/05/15-12:05:46 CONNECT TCP Peer: "192.168.128.20:59869" Local: "192.168.128.20:10030"
May 15 12:05:46 mail2 postgrey[23736]: action=pass, reason=triplet found, client_name=atsbgfwbb.backbone.co.at, client_address=81.31.128.126, sender=gkaefer2 at manual.at, recipient=postmaster at manual.at
May 15 12:05:46 mail2 postgrey[23736]: cleaning up old logs...
May 15 12:05:46 mail2 postfix/smtpd[31245]: NOQUEUE: reject: RCPT from atsbgfwbb.backbone.co.at[81.31.128.126]: 554 5.7.1 <postmaster at manual.at>: Recipient address rejected: Use MX record instead for delivering to postmaster at manual.at; from=<gkaefer2 at manual.at> to=<postmaster at manual.at> proto=ESMTP helo=<gkaeferPC>
May 15 12:05:51 mail2 postfix/smtpd[31245]: disconnect from atsbgfwbb.backbone.co.at[81.31.128.126]


postconf -n
alias_maps = hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_process_limit = 200
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.5.5/html
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 512000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 51200000
myhostname = mail2.xx.xx.xx
mynetworks = 192.168.128.0/24, 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
recipient_delimiter = +
remote_header_rewrite_domain = domain.invalid
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 50
smtpd_client_event_limit_exceptions = $mynetworks, xx.xx.xx.xx (note: IP of the mail firewall)
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 10
smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, permit_sasl_authenticated, check_policy_service inet:192.168.128.20:12525, check_policy_service inet:192.168.128.20:10030, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_access, permit
smtpd_reject_unlisted_sender = yes
smtpd_restriction_classes = check_if_mailfirewall_is_sender
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender, permit
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/dovecot/mail2.backbone.co.at.pem
smtpd_tls_key_file = /etc/ssl/dovecot/mail2.backbone.co.at.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf,    hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_base = /var/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot

Thanks in advance!
Kind regards
Georg Käfer
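The post above hinges on the order in which Postfix walks smtpd_recipient_restrictions: restrictions are evaluated left to right, the first PERMIT or REJECT result ends the evaluation, a DUNNO result moves on to the next restriction, and a restriction class expands in place to its own list. The following Python script is an added teaching model of that evaluation, not Postfix code and not part of the original post. It mirrors the tables quoted in the post (hash map for the firewall clients, recipient_access pointing at the class, the pcre reply) with a placeholder firewall address in place of xx.xx.xx.xx, leaves the two check_policy_service entries out, and simplifies the lookup order of the recipient map to "full address, then domain". It shows that, in the quoted order, a session that really authenticated via SASL is permitted before check_recipient_access is ever reached, so the 554 reply can only be produced for a session that is neither in mynetworks, nor SASL-authenticated, nor coming from the firewall address.

```python
"""Toy model of Postfix smtpd restriction evaluation (added example, not Postfix code)."""
import re
from dataclasses import dataclass

# --- constructed stand-ins for the tables quoted in the post ----------------
MAILFIREWALL_IP = "203.0.113.10"            # placeholder for the post's "xx.xx.xx.xx"
MYNETWORKS = ("192.168.128.", "127.")       # mynetworks = 192.168.128.0/24, 127.0.0.0/8
LOCAL_DOMAINS = {"manual.at", "other.example"}  # assumed set of domains this host accepts for

CLIENT_ACCESS = {MAILFIREWALL_IP: "OK", "192.168.128.20": "OK", "127.0.0.1": "OK"}
RECIPIENT_ACCESS = {"manual.at": "check_if_mailfirewall_is_sender"}
PCRE_TABLE = [(re.compile(r"(.+)"),
               "554 5.7.1 Use MX record instead for delivering to $1")]


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    recipient: str


def _map_result(value, key):
    """Map an access-table value to a verdict: OK -> permit, REJECT or a numeric
    reply -> reject, a restriction class name -> expand, no match -> dunno."""
    if value is None:
        return "dunno", None
    if value == "OK":
        return "permit", None
    if value == "REJECT":
        return "reject", "554 5.7.1 Access denied"
    if value[:3].isdigit():                     # "554 5.7.1 text" style reply
        return "reject", value.replace("$1", key)
    return "class", value                       # name of a restriction class


# --- the individual restrictions, each returning (verdict, detail) ----------
def permit_mynetworks(s):
    return ("permit", None) if s.client_ip.startswith(MYNETWORKS) else ("dunno", None)

def permit_sasl_authenticated(s):
    return ("permit", None) if s.sasl_authenticated else ("dunno", None)

def reject_unauth_destination(s):
    domain = s.recipient.rsplit("@", 1)[-1]
    if domain in LOCAL_DOMAINS:
        return "dunno", None
    return "reject", "554 5.7.1 Relay access denied"

def check_client_access(s):
    return _map_result(CLIENT_ACCESS.get(s.client_ip), s.client_ip)

def check_recipient_access(s):
    domain = s.recipient.rsplit("@", 1)[-1]
    value = RECIPIENT_ACCESS.get(s.recipient) or RECIPIENT_ACCESS.get(domain)
    return _map_result(value, s.recipient)

def check_recipient_access_pcre(s):
    for pattern, value in PCRE_TABLE:
        match = pattern.search(s.recipient)
        if match:
            return _map_result(value, match.group(1))
    return "dunno", None

def reject(s):
    return "reject", "554 5.7.1 Access denied"

def permit(s):
    return "permit", None


RESTRICTION_CLASSES = {
    "check_if_mailfirewall_is_sender":
        [check_client_access, check_recipient_access_pcre, reject],
}

# Order taken from the post's postconf -n output, policy services omitted.
SMTPD_RECIPIENT_RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated,
                                reject_unauth_destination, check_recipient_access,
                                permit]


def evaluate(session, restrictions=SMTPD_RECIPIENT_RESTRICTIONS):
    """Walk the list left to right: first permit/reject wins, dunno continues,
    a class is evaluated in place and falls through if it reaches no decision."""
    for restriction in restrictions:
        verdict, detail = restriction(session)
        if verdict == "class":
            verdict, detail = evaluate(session, RESTRICTION_CLASSES[detail])
        if verdict != "dunno":
            return verdict, detail
    return "dunno", None


if __name__ == "__main__":
    for s in (Session("198.51.100.7", False, "postmaster@manual.at"),   # external, no auth
              Session("198.51.100.7", True, "postmaster@manual.at"),    # external, SASL auth
              Session(MAILFIREWALL_IP, False, "postmaster@manual.at"),  # the mail firewall
              Session("198.51.100.7", False, "user@elsewhere.example")):  # relay attempt
        print(s, "->", evaluate(s))
```

The model makes the diagnostic point concrete: if a client that believes it authenticated still receives the 554 reply, permit_sasl_authenticated returned DUNNO for that session, i.e. the SMTP session was not actually SASL-authenticated. Postfix's own "NOQUEUE: reject:" log line includes sasl_method= and sasl_username= fields when the session was authenticated, so that line is the place to check; the lookup tables themselves can be verified offline with postmap -q, for example "postmap -q manual.at hash:/etc/postfix/recipient_access".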


