Bug #2814
Relay denied to SMTP clients both in local networks and submission_whitelist
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-mail-server | | |
| Target version: | v6.5 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.5-final | NEEDINFO: | No |
Description
- Add a subnet S in "Local networks" page
- Add client C in S to submission_whitelist
C cannot relay messages on port 25.
Packages:
postfix-2.10.3-1.el6.x86_64
nethserver-mail-common-1.3.3-1.ns6.noarch
nethserver-mail-server-1.7.0-1.ns6.noarch
Associated revisions
main.cf: smtpd_relay_restrictions set to empty value. Refs #2814
main.cf: enforce submission_whitelist on client, helo and sender restrictions. Refs #2814
postfix/main.cf: adapted legacy policy to submission_whitelist changes in mail-common. Refs #2814
main.cf: new postfix/AccessPolicies prop. Refs #2814
The AccessPolicies prop is a comma separated list of policy
identifiers. An access policy is expected to change the access
restrictions enforced by smtpd and/or submission processes.
An access policy implementation is a function added to the
%access_policies global hash in main.cf template.
Functions are invoked by 10access_policy fragment. See
01access_policy_smtpauth for instance.
Moreover this change:
- Obsoletes postfix/SubmissionPolicyType prop applying a migration
fragment.
- Imported policies from nethserver-mail-server into
01access_policy_*.
- Activates smtpauth policy on migration-import event
postfix/main.cf: obsoleted submission policy in mail-common. Refs #2814
mynetworks template: grant access from trusted networks if explicitly requested. Refs #2814
Template "submission_whitelist" obsoleted by "access" table. Refs #2814
The old submission_whitelist template-custom fragments are still
included into access, to retain backward compatibility.
Changed mynetworks table format to cidr: Refs #2814
network-create, delete events: force reload to read mynetworks table. Refs #2814
amavisd.conf: read /etc/postfix/mynetworks.cidr. Refs #2814
Fixes trusted networks definition for amavisd.
History
#1 Updated by Davide Principi about 7 years ago
Since postfix-2.10 smtpd_relay_restrictions changed behaviour.
With Postfix versions before 2.10, the rules for relay permission and spam blocking were combined under smtpd_recipient_restrictions, resulting in error-prone configuration. As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.
Our config has smtpd_relay_restrictions at default value from Postfix, and probably does not fit.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/submission_whitelist, reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/internal_access, permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient
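The following Python model is an added example, not NethServer or Postfix code; it reproduces the ordering rule described in the comment above: from Postfix 2.10 on, smtpd_relay_restrictions is evaluated before smtpd_recipient_restrictions, so a client listed only in the check_client_access table of the recipient list is deferred by defer_unauth_destination before its whitelist entry is ever consulted. The network values, the local domain and the whitelist entry are constructed, and the recipient list is shortened to the entries that decide relaying.

```python
"""Model of Postfix restriction-list evaluation (constructed example).

Shows why a client that is only whitelisted under smtpd_recipient_restrictions
cannot relay once smtpd_relay_restrictions carries the 2.10 default, and that
emptying smtpd_relay_restrictions (the approach taken in this bug) lets the
whitelist apply without opening the relay to unknown clients.
"""
import ipaddress

# Constructed sample environment (assumptions, not taken from the bug report).
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/24"]      # Postfix $mynetworks
LOCAL_DOMAINS = {"vboxnet1.tld"}                  # domains this server accepts mail for
SUBMISSION_WHITELIST = {"192.168.88.2": "OK"}     # hash:/etc/postfix/submission_whitelist


# Each restriction returns OK / REJECT / DEFER / DUNNO, like a Postfix restriction.
def permit_mynetworks(session):
    ip = ipaddress.ip_address(session["client"])
    if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
        return "OK"
    return "DUNNO"


def permit_sasl_authenticated(session):
    return "OK" if session["sasl"] else "DUNNO"


def defer_unauth_destination(session):
    # temporary error when the recipient domain is not one we are responsible for
    return "DUNNO" if session["rcpt_domain"] in LOCAL_DOMAINS else "DEFER"


def reject_unauth_destination(session):
    return "DUNNO" if session["rcpt_domain"] in LOCAL_DOMAINS else "REJECT"


def check_client_access(session):
    return SUBMISSION_WHITELIST.get(session["client"], "DUNNO")


def evaluate(lists, session):
    """Apply restriction lists in the order Postfix uses at RCPT TO time.

    Within one list the first non-DUNNO result ends that list.  REJECT/DEFER
    is final; OK only finishes the current list and evaluation continues with
    the next list, so a permit in one list never skips a later list.
    """
    for restrictions in lists:
        for restriction in restrictions:
            verdict = restriction(session)
            if verdict in ("REJECT", "DEFER"):
                return verdict
            if verdict == "OK":
                break
    return "OK"


# The two lists quoted in the comment above (recipient list shortened).
DEFAULT_RELAY_RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated,
                              defer_unauth_destination]
RECIPIENT_RESTRICTIONS = [check_client_access, permit_sasl_authenticated,
                          reject_unauth_destination]


def relay_verdict(client, rcpt_domain, relay_restrictions=None, sasl=False):
    """Verdict for RCPT TO from `client` to a mailbox in `rcpt_domain`.

    relay_restrictions=None models the Postfix 2.10 default list; pass [] to
    model smtpd_relay_restrictions set to an empty value as in this bug's fix.
    """
    if relay_restrictions is None:
        relay_restrictions = DEFAULT_RELAY_RESTRICTIONS
    session = {"client": client, "rcpt_domain": rcpt_domain, "sasl": sasl}
    return evaluate([relay_restrictions, RECIPIENT_RESTRICTIONS], session)


if __name__ == "__main__":
    # whitelisted client, foreign destination: deferred by the default relay list
    print(relay_verdict("192.168.88.2", "outside.tld"))       # DEFER
    # same client once smtpd_relay_restrictions is emptied: the whitelist applies
    print(relay_verdict("192.168.88.2", "outside.tld", []))   # OK
    # an unlisted client still cannot relay, so the change does not open the relay
    print(relay_verdict("203.0.113.5", "outside.tld", []))    # REJECT
```

The third call is the check worth keeping when changing relay restrictions: after the edit, an unlisted, unauthenticated client must still be refused for foreign destinations. Moving check_client_access into smtpd_relay_restrictions itself would be the other way to get the same result under the 2.10 split.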
#2 Updated by Davide Principi about 7 years ago
Moreover nethserver-mail-server actions/templates are not bound to network-* events!
#3 Updated by Davide Principi almost 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#4 Updated by Davide Principi almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
In branch b2750
#5 Updated by Davide Principi almost 7 years ago
- Description updated (diff)
#6 Updated by Davide Principi almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Packager note
The submission_whitelist template is now obsoleted by access. Changed nethserver-mail-common and nethserver-mail-server wiki pages accordingly.
Install the nethserver-mail-dev package to execute test cases.
Test case 1 - access by template-custom
- Upgrade to modified version
- Check mail relay is denied to foreign domain outside.tld:
  smtptest --ehlo vboxnet1.tld --from primo.utente@vboxnet1.tld --to davide@outside.tld --addr 192.168.88.2 --port 25
- Add client IP to access table:
  mkdir -p /etc/e-smith/templates-custom/etc/postfix/access
  echo "192.168.88.2 OK" >> /etc/e-smith/templates-custom/etc/postfix/access/20testcase
- Check mail relay is now allowed (repeat previous command).
Test case 2 - access by trusted network
- Upgrade to modified version
- Check mail relay is denied to foreign domain outside.tld:
  smtptest --ehlo vboxnet1.tld --from primo.utente@vboxnet1.tld --to davide@outside.tld --addr 192.168.99.2 --port 25
- Enable trustednetworks access policy:
  config setprop postfix AccessPolicies trustednetworks
  signal-event nethserver-mail-common-save
- From server-manager, add 192.168.99.0/24 to "Trusted networks"
- Check mail relay is now allowed (repeat previous command).
Reset AccessPolicies to empty string and repeat signal-event to clean up.
Test case 3
Repeat case 1 and 2 changing port to --port 587 in the smtptest command.
#7 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-mail-common-1.3.3-1.19git5aeec2c.ns6.noarch.rpm
nethserver-mail-server-1.7.0-1.9git836d38e.ns6.noarch.rpm
nethserver-mail-filter-1.1.6-5.0git2ea5d3e8.ns6.noarch.rpm
#8 Updated by Giacomo Sanchietti almost 7 years ago
- Assignee set to Giacomo Sanchietti
#9 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 70 to 90
- Without access template, relay is denied
- After template modification, relay is allowed:
  mkdir -p /etc/e-smith/templates-custom/etc/postfix/access
  echo "192.168.1.22 OK" >> /etc/e-smith/templates-custom/etc/postfix/access/20clients
  signal-event nethserver-mail-common-save
  signal-event nethserver-mail-server-save
- Without policy, relay is denied
- After setting the policy, relay is allowed:
  config setprop postfix AccessPolicies trustednetworks
  signal-event nethserver-mail-server-save
- Same as test case 1 and 2
- whitelist with old template (/etc/postfix/submission_whitelist)
- access policy smtpauth:
  config setprop postfix AccessPolicies smtpauth
  signal-event nethserver-mail-server-save
NOTE: Please add documentation to Administrator and Developer manual before release.
#10 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-mail-server-1.8.0-1.ns6.noarch.rpm
- nethserver-mail-common-1.4.0-1.ns6.noarch.rpm
- nethserver-mail-filter-1.2.0-1.ns6.noarch.rpm