Block certain internal mail users from sending mails outside the organization

Discussion in 'General' started by Ian Galang, Mar 8, 2019.

  1. Ian Galang

    Ian Galang New Member

    Hi, I need help. I found a link to block specific internal users from sending out to Gmail, Yahoo, etc.
    But I'm kinda at a loss (actually scared of breaking a working box) on how to actually implement this on our CentOS + ISPConfig 3 setup because I'm a newbie at Linux.
    Below is my main.cf. From what I understand, I have to create two files, namely restricted_senders and local_domains. Then I will have to add/replace lines in main.cf as stated in the article. What I am hesitant to touch are the mysql and regexp entries in my live main.cf. A little spoon-feeding is probably needed here. Sorry, guys.

    Code:
    The example assumes DB/DBM files, but this could also be done with LDAP or SQL.
    
    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            ...
            check_sender_access hash:/etc/postfix/restricted_senders
            ...other stuff...
    
        smtpd_restriction_classes = local_only
        local_only =
            check_recipient_access hash:/etc/postfix/local_domains, reject
    
    /etc/postfix/restricted_senders:
        foo@domain      local_only
        bar@domain      local_only
    
    /etc/postfix/local_domains:
        this.domain     OK      matches this.domain and subdomains
        that.domain     OK      matches that.domain and subdomains
    Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what map types Postfix supports, use the command postconf -m.
    
    Note: this scheme does not authenticate the user, and therefore it can be bypassed in several ways:
    
    By sending mail via a less restrictive mail relay host.
    
    By sending mail as someone else who does have permission to send mail to off-site destinations.
    Code:
    readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
    virtual_alias_domains =
    virtual_alias_maps = hash:/etc/mailman/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    myhostname = mail.theritzhoteldavao.com
    mynetworks = 127.0.0.0/8 120.72.28.220 [::1]/128
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    mailbox_size_limit = 0
    message_size_limit = 0
    maximal_queue_lifetime = 1d
    
     
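    The following is an added example, not code from this thread, from Postfix or from ISPConfig: a small Python model of how Postfix walks a restriction list and looks up an address in an access(5) table, so the restriction-class scheme quoted from the Postfix README above can be dry-run against sample senders and recipients before a live main.cf is touched. It also shows the one ordering detail that matters for the main.cf posted here: the list begins with permit_mynetworks, permit_sasl_authenticated, and the internal users being restricted authenticate via SASL, so check_sender_access has to be placed before permit_sasl_authenticated or it is never reached. All table contents and addresses are constructed; example.com and partner.example are assumed names, and the function names are the example's own.

```python
# Added example, not code from the thread, from Postfix or from ISPConfig: a small
# Python model of how Postfix walks a restriction list and an access(5) table, so the
# scheme quoted from the Postfix README can be dry-run before a live main.cf is touched.
# All table contents and addresses are constructed; example.com and partner.example
# are assumed names, not domains from the thread.

# Stand-ins for hash:/etc/postfix/restricted_senders and hash:/etc/postfix/local_domains
# (a dict holds what postmap would index; the right-hand side is the action or class name).
RESTRICTED_SENDERS = {"foo@example.com": "local_only"}
LOCAL_DOMAINS = {"example.com": "OK", "partner.example": "OK"}
TABLES = {"restricted_senders": RESTRICTED_SENDERS, "local_domains": LOCAL_DOMAINS}

# smtpd_restriction_classes = local_only, exactly as in the README excerpt.
RESTRICTION_CLASSES = {
    "local_only": ["check_recipient_access local_domains", "reject"],
}


def access_lookup(table, address):
    """Reproduce the lookup order access(5) applies to an e-mail address:
    1. user@domain; 2. the domain, then each parent domain (a bare domain key also
       matches its subdomains because smtpd_access_maps is in the default value of
       parent_domain_matches_subdomains); 3. user@ (local part only).
    Returns the table's right-hand side, or None when nothing matches (Postfix's DUNNO)."""
    address = address.lower()
    if address in table:
        return table[address]
    local, _, domain = address.partition("@")
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return table.get(local + "@")


def evaluate(restrictions, sender, recipient, sasl_authenticated):
    """Walk a restriction list in order. As in Postfix, the first restriction that yields
    a verdict ends the evaluation; one that yields nothing (DUNNO) falls through to the
    next. Only the restrictions this scheme needs are modelled. Returns 'OK' or 'REJECT',
    or None if the list ends without a verdict."""
    for restriction in restrictions:
        name, _, table_name = restriction.partition(" ")
        if name == "permit":
            return "OK"
        if name == "reject":
            return "REJECT"
        if name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "OK"
            continue
        if name in ("check_sender_access", "check_recipient_access"):
            address = sender if name == "check_sender_access" else recipient
            result = access_lookup(TABLES[table_name], address)
            if result in RESTRICTION_CLASSES:
                # A class name on the right-hand side expands to that class's own list.
                result = evaluate(RESTRICTION_CLASSES[result], sender, recipient,
                                  sasl_authenticated)
            if result in ("OK", "REJECT"):
                return result
            continue
        raise ValueError("unmodelled restriction: " + restriction)
    return None


# Two candidate orderings for smtpd_recipient_restrictions. The trailing "reject" stands
# in for the reject_unauth_destination that follows in the real list. Because the restricted
# users authenticate via SASL, the sender check only works if it precedes
# permit_sasl_authenticated.
CHECK_BEFORE_SASL = ["check_sender_access restricted_senders",
                     "permit_sasl_authenticated", "reject"]
CHECK_AFTER_SASL = ["permit_sasl_authenticated",
                    "check_sender_access restricted_senders", "reject"]


def dry_run(restrictions):
    """Evaluate a few constructed sender/recipient pairs for a SASL-authenticated client."""
    cases = [("foo@example.com", "someone@gmail.com"),    # restricted user, external
             ("foo@example.com", "bob@partner.example"),  # restricted user, listed domain
             ("foo@example.com", "bob@mail.example.com"), # subdomain of a listed domain
             ("bar@example.com", "someone@gmail.com")]    # unrestricted user, external
    return {f"{s} -> {r}": evaluate(restrictions, s, r, True) for s, r in cases}


if __name__ == "__main__":
    for label, lst in (("check before permit_sasl_authenticated", CHECK_BEFORE_SASL),
                       ("check after permit_sasl_authenticated", CHECK_AFTER_SASL)):
        print(label)
        for pair, verdict in dry_run(lst).items():
            print("  ", pair, "=>", verdict)
```

    Run as-is, the first ordering rejects foo@example.com's mail to gmail.com while still accepting mail to example.com, its subdomains and partner.example, and leaves bar@example.com untouched; the second ordering accepts everything, because permit_sasl_authenticated ends the evaluation before the sender table is consulted. The README's second listed bypass (sending as someone else who is allowed) is a separate matter of envelope-sender spoofing; since this main.cf already defines smtpd_sender_login_maps, the standard Postfix answer is reject_authenticated_sender_login_mismatch in smtpd_sender_restrictions, which is not part of the thread's configuration and is mentioned here only as the usual companion to this scheme.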
  2. Ian Galang

    Ian Galang New Member

    anyone?
     
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Just backup config files before changing them, and make notes of what you change, and you can always get back to the working state if needed.

    In that configuration, yes you would create 2 files - once you have that working you could convert the second file (local_domains) to a direct mysql query to look up local domains, which will save you updating it if they change often.

    When you make changes to smtpd_recipient_restrictions (and various other settings in main.cf) you can edit /etc/postfix/main.cf directly to test and get things working, but you need to take an additional step to make those changes upgrade-safe, so they don't get overwritten by your next ISPConfig upgrade. You can search the forums here for "main.cf conf-custom" for more info, but eg. on debian/ubuntu, you would copy install/tpl/debian_postfix.conf.master from the ISPConfig install package to /usr/local/ispconfig/server/conf-custom/install/ and make the same changes to smtpd_recipient_restrictions there as you made to your /etc/postfix/main.cf.
     