ALL-Tips
http://www.postfix.org/RESTRICTION_CLASS_README.html
IP range Banglalink & GP
116.58.200.0/21
203.223.92.0/22
119.30.32.0/20
123.108.240.0/22
202.56.4.0/22
-------
How to restrict user from using different forged sender email in postfix?
Enforcing a match between FROM address and sasl username
Postfix - restrict authenticated senders to their own e-mail address in MAIL FROM.
Postfix : How to reject sender addresses that don't exist only for local domains
# cd /etc/postfix
touch local_domains
touch restricted-mail-groups
touch allowed-users
touch restricted_senders
postmap local_domains
postmap restricted-mail-groups
postmap allowed-users
postmap restricted_senders
###-----Group Email restricted
###----SENDING OUT RESTRICTIONS
smtpd_restriction_classes = insiders_only, local_only
insiders_only = check_sender_access hash:/etc/postfix/allowed-users, reject
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
### SMTPD SENDER RESTRICTIONS
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
    permit_sasl_authenticated,
##### SMTPD RECIPIENT RESTRICTIONS
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/restricted-mail-groups,
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
    permit_sasl_authenticated,
----------- Group mail restriction ---------------------------
# vi /etc/postfix/allowed-users
###----Allow Group Sent users----#####
u1@worldcm.net OK
u2@worldcm.net OK
u10@worldcm.net OK
abc@worldcm.net OK
xyz@worldcm.net OK
# vi /etc/postfix/restricted-mail-groups
####--- Allow group Mail IDs-----#####
office@worldcm.net insiders_only
hr@worldcm.net insiders_only
admin@worldcm.net insiders_only
alluser@worldcm.net insiders_only
---------------- only send Local mail ------------------------------------------
# vi /etc/postfix/local_domains
## Local Domain##
worldcm.net OK
# vi /etc/postfix/restricted_senders
### Local Domain User##
f1@worldcm.net local_only
f10@worldcm.net local_only
asd@worldcm.net local_only
---------------- ######################################
Block a certain email address from sending email anywhere other than to its own domain postfix
Configure main.cf Configuration: Open the Postfix main configuration file /etc/postfix/main.cf in a text editor and add the following lines at the end:
transport_maps = hash:/etc/postfix/transport
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_dependent_transport
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
Create transport, sender_dependent_transport, and sender_access Files: Create the three files by running:
sudo touch /etc/postfix/transport
sudo touch /etc/postfix/sender_dependent_transport
sudo touch /etc/postfix/sender_access
Edit transport File: Open the transport file in a text editor and add the following line to specify a default transport for all domains:
* smtp:
Edit sender_dependent_transport File: Open the sender_dependent_transport file in a text editor and add the following line to specify that the restricted address should use the default transport:
blocked@example.com :
Edit sender_access File: Open the sender_access file in a text editor and add the following line to reject outgoing mail from the restricted address:
blocked@example.com REJECT You are not allowed to send email outside your domain
Generate Hash Files: Generate the hash files for transport, sender_dependent_transport, and sender_access by running:
postmap /etc/postfix/transport
postmap /etc/postfix/sender_dependent_transport
postmap /etc/postfix/sender_access
systemctl restart postfix
Restricting specific users from sending email to external domains in Postfix centos
To restrict specific users from sending emails to external domains in Postfix on CentOS, you can achieve this by using sender-dependent transport maps. This method allows you to control the delivery of emails based on the sender's address. Here's how you can set it up:
Configure main.cf Configuration: Open the Postfix main configuration file /etc/postfix/main.cf in a text editor and add the following lines at the end:
Create transport and sender_dependent_transport Files: Create the two files by running:
Edit transport File: Open the transport file in a text editor and add the following line to specify a default transport for all external domains:
Edit sender_dependent_transport File: Open the sender_dependent_transport file in a text editor and add lines to specify specific users and their allowed transport. For example:
Leave the colon (:) at the end of each line to indicate that no transport should be applied.
Generate Hash Files: Generate the hash files for transport and sender_dependent_transport by running:
Restart Postfix: After making these changes, restart the Postfix service to apply the new configurations:
sudo systemctl restart postfix
How do users not send mail specific Domain in postfix centos mail server
Edit main.cf Configuration: Open the Postfix main configuration file /etc/postfix/main.cf in a text editor and add or modify the following line:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
# touch /etc/postfix/sender_access
# vi /etc/postfix/sender_access
blocked-domain.com REJECT No outgoing mail to this domain
postmap /etc/postfix/sender_acce
systemctl restart postfix
How do specific users only receive mail but do not send mail postfix centos mail server
# vi /etc/postfix/header_checks
/^From:.*user1@example\.com/ REJECT Sorry, sending email is not allowed for user1@example.com
/^From:.*user2@example\.com/ REJECT Sorry, sending email is not allowed for user2@example.com
Configure Sender Restrictions: Edit the Postfix main configuration file /etc/postfix/main.cf and add the following lines to enable header checks and specify the path to the header checks file:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks
# postmap /etc/postfix/header_checks
# systemctl restart postfix
Relay Host - multiple Domain
# [root@mail postfix]# vi /etc/postfix/relay_by_sender
@worldcm.net smtp:smtp.spamguard.cloud:587
# vi main.cf [Add this line end]
sender_dependent_default_transport_maps = hash:/etc/postfix/relay_by_sender
Remove announcement details
By default Postfix appends a little announcement to outgoing messages saying that this email is powered by Postfix. It's best to give hackers as little information as possible about your server, so you should remove the banner by finding the line for smtpd_banner in the configuration file and setting it to:
smtpd_banner = $myhostname ESMTP
100 emails per hour limit per user postfix
To limit users to sending 100 emails per hour in Postfix, you can use the postfwd policy server. Here's how to set up rate limiting to achieve this on CentOS 7:
1. Install postfwd:
If you haven't already installed the postfwd package, you can do so by using the EPEL repository:
yum install epel-release
yum install postfwd
2. Configure postfwd:
Create a configuration file for postfwd, typically located at /etc/postfix/postfwd.cf. Add the following configuration to rate limit emails for each user:
-----------------------------------
id=rate_limit_per_user action=rate(limit=100/hour) protocol=SMTP helo=/./ sender=/(.*)$/ $1
--------------------------
id=rate_limit_per_user action=rate(limit=10/hour) protocol=SMTP helo=/./ sender=/^([^@]+)@example\.com$/ $1
----------------------
Limit the number of emails sent from every user address to 10 emails per minute (postfix, centos 7):
id=rate_limit_per_user action=rate(limit=10/minute, burst=5) protocol=SMTP helo=/./ sender=/^([^@]+)@example\.com$/ $1
----- 10 emails per hour ------------
id=rate_limit_per_user action=rate(sender/10/3600/REJECT Rate limit exceeded. Please try again later.) protocol=SMTP helo=/./ sender=/^([^@]+)@example\.com$/ $1
---------------------------
id: A unique identifier for the rule.
action: Specifies the rate limiting action. It limits users to sending 100 emails per hour.
protocol: Specifies the protocol (SMTP in this case).
helo: Allows any HELO/EHLO value.
sender: This regular expression captures the sender's email address and applies the rate limiting rule to each user.
3. Configure Postfix to use postfwd:
(/etc/postfix/main.cf) and add or modify the smtpd_recipient_restrictions parameter to include the check_policy_service directive:
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10040
4. Start postfwd:
systemctl start postfwd
systemctl enable postfwd
5. Test the rate limiting:
Now, when users send emails through your Postfix server, postfwd will enforce the rate limiting rules you defined. Users exceeding the limit will have their email delivery rate limited to 100 emails per hour.
specific_user rule sets a rate limit of 10 emails per hour for a specific mail ID
# yum install postfwd
/etc/postfwd/postfwd.cf, and add the following rule to limit a specific email ID to 10 emails per hour: specific_user
id=rate_limit_specific_user action=rate(sender/10/3600/REJECT Rate limit exceeded. Please try again later.) protocol=SMTP helo=/./ sender=/^specific_user@example\.com$/
Integrate postfwd with Postfix: Edit the Postfix main configuration file (/etc/postfix/main.cf) to include postfwd as a policy service:
smtpd_recipient_restrictions = ... check_policy_service inet:127.0.0.1:10040 ...
systemctl enable postfwd
systemctl start postfwd
systemctl restart postfix
-------------------------------
# vi /etc/postfwd/postfwd.cf
id=RATE_LIMIT_USER
action=rate(sender:user@example.com/10/60/REJECT Rate limit exceeded. Please try again later.)
action=rate(sender/100/3600/REJECT Rate limit exceeded. Please try again later.)
id=rate_limit_specific_user
action=rate(sender/10/3600/REJECT Rate limit exceeded. Please try again later.)
protocol=SMTP
helo=/./
sender=/^specific_user@example\.com$/
# vi /etc/postfix/main.cf
smtpd_recipient_restrictions = ... check_policy_service inet:127.0.0.1:10040 ...
POSTFIX: Limiting the rate at which a particular user can send email
Configuration in Postfix:
Configure recipient and sender limits directly in Postfix. For example, using smtpd_recipient_limit and smtpd_client_message_rate_limit parameters can help control the number of messages sent.
# main.cf
Create /etc/postfix/rate_limit file with:
user@example.com 100
Set to only accept local emails for delivery
Change inet_interfaces = all to inet_interfaces = localhost
-------------
### Checks to remove badly formed email
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, check_helo_access regexp:/etc/postfix/helo.regexp, permit
Create /etc/postfix/helo.regexp and set contents to:
/^subdomain\.host\.com$/ 550 Don't use my own hostname
/^xxx\.yyy\.zzz\.xxx$/ 550 Don't use my own IP address
/^\[xxx\.yyy\.zzz\.xxx\]$/ 550 Don't use my own IP address
/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant
smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated
reject_unauthenticated_sender_login_mismatch,
reject_sender_login_mismatch,
reject_unlisted_sender, permit
You can use the inet_interfaces directive in /etc/postfix/main.cf to control what address Postfix listens on for incoming connections. If you set it to the following it will only listen on the loopback interface, which means that connections can only originate from that machine.
# vi main.cf
inet_interfaces = loopback-only
postfix reject incoming mail for certain recipients
smtpd_recipient_restrictions = permit_mynetworks, . . . check_recipient_access hash:/etc/postfix/recipient_access, . . .
In addition to the error code you can use a custom human readable, informational error message:
/etc/postfix/recipient_access:
joe@example.com 550 Mailbox doesn't exist. See https://example.com/contact
mary@example.com 550 Mary no longer works at Example Ltd. Contact Jason, instead.
As it's a hash: database, always remember to postmap /etc/postfix/recipient_access
------------------------X-------------------------------
Block incoming emails to a specific recipient
virtual aliases map (e.g. /etc/postfix/virtual_alias_maps), add the following line:
abcd@example.com devnull
In /etc/postfix/aliases, add the following line:
devnull: /dev/null
This defines a mailbox named devnull and stores its contents in /dev/null.
Don't forget to update the alias caches and restart Postfix, for example like
postmap /etc/postfix/virtual_alias_maps
newaliases
systemctl restart postfix
------------------------------------------------------------
Restrict Sender --- External Domain
# vi /etc/postfix/main.cf and add the line below.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access
Edit sender_access
# vi /etc/postfix/sender_access
janedoe@acme.local REJECT
bugsbunny@acme.com OK
acme.com REJECT
# postmap /etc/postfix/sender_access
Restrict Recipient - internal [my server mail ID]
# vi /etc/postfix/main.cf
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject_unauth_destination
# vi /etc/postfix/recipient_access
janedoe@acme.local REJECT
bugsbunny@acme.com OK
acme.com REJECT
# postmap /etc/postfix/recipient_access
------------------------------------------------------------------
How do specific users only receive mail but do not send mail postfix centos mail server
Configure Header Checks: Edit the Postfix header checks configuration file /etc/postfix/header_checks or create it if it doesn't exist. Add lines like the following to reject outgoing messages for specific users
/^From:.*user1@example\.com/ REJECT Sorry, sending email is not allowed for user1@example.com
/^From:.*user2@example\.com/ REJECT Sorry, sending email is not allowed for user2@example.com
Replace user1@example.com and user2@example.com with the email addresses of the users you want to restrict from sending emails.
Configure Sender Restrictions: Edit the Postfix main configuration file /etc/postfix/main.cf and add the following lines to enable header checks and specify the path to the header checks file:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks
Create Hash File for Header Checks: Generate the hash file for the header checks by running the following commands:
sudo postmap /etc/postfix/header_checks
Restart Postfix: After making these changes, restart the Postfix service to apply the new configurations:
sudo systemctl restart postfix
Block outgoing mail to specific address using Postfix
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/bad_recipients,
    permit_mynetworks,
    reject_unauth_destination,
    permit
And in # vi /etc/postfix/bad_recipients
bad_user1@example.com REJECT We don't like him
bad_user2@example.org REJECT Delivery to this user is prohibited
--------------------------------
Block outgoing mail to specific address using Postfix centos
main.cf
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
touch /etc/postfix/sender_access
blocked@example.com REJECT No outgoing mail to this address
postmap /etc/postfix/sender_access
/etc/postfix/transport:
user@domain.name discard:
domain.name discard:
It should already exist, but ensure there is a transport_maps parameter in your postfix main.cf file, something like
transport_maps = hash:/etc/postfix/transport
Typically you will need to run postmap transport
Configuring Postfix to block outgoing mail to all but one domain
# vi /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
Now we need to add a line specifying which domain to allow sending to (I'm going to allow to bentasker.co.uk). To do so, insert the following lines
# vi /etc/postfix/transport
bentasker.co.uk :
* discard:
This will simply discard messages to any email address not of the domain bentasker.co.uk. If you wanted to reject with an error
you'd use (set the error text to suit your needs)
bentasker.co.uk :
* error: Only allowing one domain
How to discard mails sent from a specific local user to external addresses?
Add following line to /etc/postfix/main.cf
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport_maps
Create /etc/postfix/sender_transport_maps as follow
user@local.domain discard
Create postfix map file and restart postfix
cd /etc/postfix
postmap sender_transport_maps
service postfix restart
Restricting specific users from sending email to external domains in Postfix
~# vim /etc/postfix/main.cf
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
# vim /etc/postfix/restricted_senders
james@worldcm.net local_only
vanessa@worldcm.net local_only
i. Then create the restriction class "local_only" and add rules. They are executed top to bottom - first match wins:
# BEST
# vim /etc/postfix/main.cf
## Sending out Restriction
smtpd_restriction_classes = local_only
local_only =
    check_recipient_access hash:/etc/postfix/local_domains,
    reject
# vim /etc/postfix/local_domains
worldcm.net OK
---------------------- vi main.cf -------------------
###### SENDING OUT RESTRICTIONS
smtpd_restriction_classes = local_only
local_only =
    check_recipient_access hash:/etc/postfix/local_domains,
    reject
#SMTPD CLIENT RESTRICTIONS
smtpd_client_restrictions =
    permit_mynetworks,
#    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
    permit_inet_interfaces
#SMTPD ETRN RESTRICTIONS
smtpd_etrn_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject
# SMTPD SENDER RESTRICTIONS
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
##### SMTPD RECIPIENT RESTRICTIONS
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
---------------------------------------------------
restrict local user to send mail to more destinations
1 First step
postconf -e 'smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders'
postconf -e 'smtpd_restriction_classes = local_only'
postconf -e 'local_only = check_recipient_access hash:/etc/postfix/local_domains, reject'
2. Step 2 Then create the file /etc/postfix/restricted_senders which looks similar to this one:
user@ceae.info local_only
lucian@ceae.info local_only
3. Final step Afterwards create /etc/postfix/local_domains which should look similar to this:
ceae.info OK
domain.com OK
otherdomain.de OK
Allow user to send email without smtp authentication
Create a plain text file: /etc/postfix/accepted_unauth_senders, list all users' email addresses which are allowed to send email without smtp authentication. We use user email address user@example.com for example:
user@example.com OK
It's ok to use IP address instead like below:
For more allowed sender format, please check Postfix manual page: access(5).
192.168.1.1 OK
192.168.2 OK
172.16 OK
Create hash db file with postmap command:
# postmap hash:/etc/postfix/accepted_unauth_senders
Modify Postfix config file /etc/postfix/main.cf to use this text file:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/accepted_unauth_senders, [...OTHER RESTRICTIONS HERE...]
Restart/reload postfix to make it work:
# /etc/init.d/postfix restart
OR
# vi main.cf
---------
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/accepted_unauth_senders,
smtpd_sender_restrictions =
    check_client_access hash:/etc/postfix/accepted_unauth_senders
# touch /etc/postfix/accepted_unauth_senders
# vi /etc/postfix/accepted_unauth_senders
user@worldcm.net OK
192.168.1.1 OK
192.168.2 OK
results@worldcm.net OK
# postmap hash:/etc/postfix/accepted_unauth_senders
# systemctl restart postfix
Is it possible to block a certain email adress from sending email anywhere other to its own domain
smtpd_recipient_restrictions you add a line to check the sender access: check_sender_access hash:/etc/postfix/sender_access
in the file sender_access you put the email address, and the policy applied (it's better to whitelist, since you say a few users, so specifically allow them to send anywhere, then the others add a larger group.. just the domain for example).
/etc/postfix/sender_access:
user1@yourdomain.com all
user2@yourdomain.com all
yourdomain.com local
Then you need to define those classes.
smtpd_restriction_classes = local, all
local = check_recipient_access hash:/etc/postfix/local_dom, reject
all = check_recipient_access regexp:/etc/postfix/all_dom, reject
/etc/postfix/local_dom:
domain1.com OK
domain2.com OK
/etc/postfix/all_dom:
/^.*@.*$/ OK
Block outgoing mail to specific address using Postfix
# vi main.cf
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/bad_recipients,
    permit_mynetworks,
    reject_unauth_destination,
    permit
# vi /etc/postfix/bad_recipients
bad_user1@example.com REJECT We don't like him
bad_user2@example.org REJECT Delivery to this user is prohibited
OR
main.cf if it is not already there:
transport_maps = hash:/etc/postfix/transport
Add this line to the file "/etc/postfix/transport"
abc@example.com discard
Postfix block local user from sending
wrote a vim /etc/postfix/sender_access file with the following lines
# cat sender_access
joe REJECT
joe@mail.example.com REJECT
# ADDRESS PATTERNS # ACTION
sender@example.com 550 Blacklisted
domain.com REJECT
user@ REJECT
And loaded as a hash postmap hash:sender_access, then I added in main.cf the row
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
postfix: block emails to external addresses
/etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.org :
* error:destination unauthorized
Restricting who can send to an email address
vi /etc/postfix/main.cf:
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations, permit_mynetworks, reject_unauth_destination
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
/etc/postfix/protected_destinations:
protected.list@example.com insiders_only
/etc/postfix/insiders:
allowed.user@example.com OK
another.allowed.user@example.com OK
# vi /etc/postfix/main.cf
### Group Email
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/allowed-users, reject
#SMTPD CLIENT RESTRICTIONS
smtpd_client_restrictions =
    permit_mynetworks
    check_client_access hash:/etc/postfix/access
    reject_unauth_pipelining
    permit_inet_interfaces
#SMTPD ETRN RESTRICTIONS
smtpd_etrn_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject
# SMTPD SENDER RESTRICTIONS
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_sender_login_mismatch,
    reject_unlisted_sender,
    reject_unauth_pipelining,
    reject_non_fqdn_hostname,
    reject_unauth_destination
##### SMTPD RECIPIENT RESTRICTIONS
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/restricted-mail-groups,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    check_recipient_access hash:/etc/postfix/access,
    check_client_access hash:/etc/postfix/access,
    check_sender_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unlisted_recipient,
    reject_multi_recipient_bounce
[root@mail yum.repos.d]# cd /etc/postfix/
[root@mail postfix]# vi restricted-mail-groups # [group mail IDs]
alluser@worldcm.net insiders_only
office@worldcm.net insiders_only
[root@mail postfix]# vi allowed-users # user [ who can sent]
admin@worldcm.net OK
hr@worldcm.net OK
# postmap restricted-mail-groups
# postmap allowed-users
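The local_only and insiders_only restriction classes configured above, as an added example that is not part of the original notes: a simplified Python model of how a restriction list is walked top to bottom and how a table result that names a class expands into that class. The dicts stand in for the hash: tables, the address lookup order is a reduced form of access(5), and all function names are illustrative.

```python
# Added example: simplified model of Postfix restriction-list evaluation.
# Only the restrictions used in these notes are modelled. Not Postfix code.

def lookup_keys(address):
    """Reduced access(5) search order for an e-mail address:
    user@domain, then domain, then user@ (parent-domain matching omitted)."""
    address = address.lower()
    user, _, domain = address.rpartition("@")
    return [address, domain, user + "@"]


def table_lookup(table, address):
    """Return the action stored under the first matching key, or None."""
    for key in lookup_keys(address):
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, sender, recipient, tables, classes, depth=0):
    """Walk a restriction list; the first decisive result wins.
    Returns 'OK', 'REJECT', or 'DUNNO' when nothing in the list decided."""
    if depth > 8:
        raise ValueError("restriction classes nested too deeply")
    for item in restrictions:
        if item == "reject":
            return "REJECT"
        if item == "permit":
            return "OK"
        if item in classes:
            action = item
        else:
            check, table_name = item.split()
            if check not in ("check_sender_access", "check_recipient_access"):
                raise ValueError("restriction not modelled: " + check)
            address = sender if check == "check_sender_access" else recipient
            action = table_lookup(tables[table_name], address)
        if action is None:
            continue  # no table entry: fall through to the next restriction
        verb = action.split()[0]
        if verb in classes:
            # A table result naming a class runs that class's own list.
            result = evaluate(classes[verb], sender, recipient,
                              tables, classes, depth + 1)
        elif verb.isdigit() and verb[0] in "45":
            result = "REJECT"  # numeric 4xx/5xx reply codes reject
        else:
            result = verb.upper()
        if result in ("OK", "REJECT"):
            return result
    return "DUNNO"


# Table contents as listed in these notes (dicts instead of postmap'd files).
TABLES = {
    "hash:/etc/postfix/restricted_senders": {
        "james@worldcm.net": "local_only",
        "vanessa@worldcm.net": "local_only",
    },
    "hash:/etc/postfix/local_domains": {"worldcm.net": "OK"},
    "hash:/etc/postfix/restricted-mail-groups": {
        "alluser@worldcm.net": "insiders_only",
        "office@worldcm.net": "insiders_only",
    },
    "hash:/etc/postfix/allowed-users": {
        "admin@worldcm.net": "OK",
        "hr@worldcm.net": "OK",
    },
}
CLASSES = {
    "local_only": ["check_recipient_access hash:/etc/postfix/local_domains",
                   "reject"],
    "insiders_only": ["check_sender_access hash:/etc/postfix/allowed-users",
                      "reject"],
}
# The two table checks at the head of smtpd_recipient_restrictions.
RECIPIENT_RESTRICTIONS = [
    "check_recipient_access hash:/etc/postfix/restricted-mail-groups",
    "check_sender_access hash:/etc/postfix/restricted_senders",
]


def decide(sender, recipient):
    return evaluate(RECIPIENT_RESTRICTIONS, sender, recipient, TABLES, CLASSES)


if __name__ == "__main__":
    for pair in [("james@worldcm.net", "bob@worldcm.net"),
                 ("james@worldcm.net", "someone@example.org"),
                 ("admin@worldcm.net", "office@worldcm.net"),
                 ("james@worldcm.net", "office@worldcm.net"),
                 ("guest@worldcm.net", "someone@example.org")]:
        print(pair, "->", decide(*pair))
```

An OK ends the list at that point, so later restrictions are not consulted, and the sender checks act on the envelope sender exactly as the client supplied it. DUNNO here means the mail continues to the remaining restrictions (permit_mynetworks, permit_sasl_authenticated and so on).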
----------------------------------------------------------
# vi /etc/postfix/header_checks
/Your E-mail Account storage capacity is low/ REJECT
Create BCC of incoming and outgoing mails without knowing the users - Postfix
Postfix provides three mechanisms:
always_bcc = address
Deliver a copy of all mail to the specified address.
sender_bcc_maps = type:table
Search the specified "type:table" lookup table with the envelope sender address for an automatic BCC address.
recipient_bcc_maps = type:table
Search the specified "type:table" lookup table with the envelope recipient address for an automatic BCC address.
These features are implemented in postfix 2.1 and later versions.
always_bcc
Add the following entry in /etc/postfix/main.cf to forward all mails in the server to administrator@example.com.
always_bcc = administrator@example.com
sender_bcc_maps and recipient_bcc_maps
You can setup these functions as follows.
[root@postfix ~]# touch /etc/postfix/sender_bcc
[root@postfix ~]# touch /etc/postfix/recipient_bcc
[root@postfix ~]# postmap sender_bcc
[root@postfix ~]# postmap recipient_bcc
Then, open /etc/postfix/main.cf and add the following lines in it.
sender_bcc_maps = hash:/etc/postfix/sender_bcc
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
verify the following files are generated once the above steps are finished.
/etc/postfix/recipient_bcc.db
/etc/postfix/sender_bcc.db
You can add entries as like follows in sender_bcc and recipient_bcc. This will forward mails from user@domain.com to other@example.com.
[root@postfix ~]# cat /etc/postfix/sender_bcc
user@domain.com other@example.com
[root@postfix ~]# cat /etc/postfix/recipient_bcc
user@domain.com other@example.com
Finally reload postfix,
[root@postfix ~]# postfix reload
###################################################################################################################
RELAY SERVER:-SMTP
myhostname = mail2.mitalifashions.net
mydomain = mail2.mitalifashions.net
myorigin = $mydomain
#relayhost = mail.mitalifashions.net
mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.mitalifashions.net, mail2.mitalifashions.net, 202.161.179.68/32
mynetworks = 192.168.13.0/24, 127.0.0.0/8, 202.161.179.64/27, 203.82.195.0/24, 202.161.179.69/32, 203.202.240.226/32, 202.161.191.108/32, 203.112.73.0/24, 203.82.195.75/32, 202.40.181.0/24, 202.161.191.104/32, 117.18.224.0/21, 202.161.179.68/32, 202.84.36.202/32
inet_interfaces = all
############################################################################
Mail Block
Postfix blacklist or reject an email address
Q. I’ve Postfix based CentOS Linux server. I need to blacklist email ID: user@abadboy.com . How do I blacklist email address with postfix? I also have spamassassin software installed.
A. By default, the Postfix SMTP server accepts any sender address. However you can block / blacklist sender email address easily with Postfix. It has SMTP server access table.
Open /etc/postfix/sender_access file
# cd /etc/postfix
# vi sender_access
Append sender email id as follows:
user@abadboy.com REJECT
Save and close the file. Use postmap command to create a database:
# postmap hash:sender_access
Now open main.cf and add code as follows:
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access
Save and close the file. Restart / reload postfix MTA:
# /etc/init.d/postfix restart
You can also use spamassassin to blacklist email address. Just add to your own spamassassin configuration or to /etc/mail/spamassassin/local.cf file:
# vi /etc/mail/spamassassin/local.cf
Append blacklist as follows:
blacklist_from user@abadboy.com
Save and close the file. Restart spamassassin:
# /etc/init.d/spamassassin restart
spamassassin will mark mail as SPAM instead of rejecting the same.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----------XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX--------------------
There are a handful of sites that continuously send SPAM to my server and seem to avoid getting listed on the blacklist servers. I'm trying to set up POSTFIX to refuse connections from these servers' IP addresses. Here is how I set up smtpd_client_restrictions in main.cf:
smtpd_client_restrictions =
    check_client_access hash:/Library/Server/Mail/Config/postfix/client_checks
    permit_mynetworks
    permit_sasl_authenticated
    reject_rbl_client bl.spamcop.net
    reject_rbl_client zen.spamhaus.org
    permit
The content of /Library/Server/Mail/Config/postfix/client_checks:
94.242.161.0/24 REJECT Your IP range is spammer
141.255.161.0/24 REJECT Your IP range is spammer
192.95.54.0/24 REJECT Your IP range is spammer
198.50.229.0/24 REJECT Your IP range is spammer
198.50.171.0/24 REJECT Your IP range is spammer
For some reason POSTFIX isn't blocking SMTP connections from these IP addresses.
Is there some other command that I need to specify for smtpd_client_restrictions to get processed?
Is the syntax of my client check incorrect?
-----------------------------------------------------------
How to block postfix connection to a specific ip address
Figured out what the problem was in getting Postfix to use the check_client_access file for SMTP connections to reject. Seems that Postfix doesn't understand CIDR notation in the file so these entries are just ignored and no entry is made in the SMTP Log which makes it even harder to figure out what is going on. Changing the contents of the file from:
94.242.161.0/24 REJECT Your IP range is spammer
141.255.161.0/24 REJECT Your IP range is spammer
192.95.54.0/24 REJECT Your IP range is spammer
198.50.229.0/24 REJECT Your IP range is spammer
198.50.171.0/24 REJECT Your IP range is spammer
to only listing the leading octets of the IP address works. Now the REJECT message appears in the SMTP log and the connections from these IP address ranges are dropped on connection and the irritating spam that is missed by the blacklist servers is gone. Nice!!!
# Restricts which clients this system accepts SMTP connections from.
94.242 REJECT Your IP range is spammer
141.255 REJECT Your IP range is spammer
192.95.54 REJECT Your IP range is spammer
198.50.229 REJECT Your IP range is spammer
23.89.158 REJECT Your IP range is spammer
216.55.165 REJECT Your IP range is spammer
XXX--------------------------XXXXXXXXXXXXXXXXXXXXXXXXXX------------------------XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
To accomplish the task in Postfix, blocking only SMTP connections from those
IP addresses:
edit: /etc/postfix/main.cf
smtpd_[client/recipient]_restrictions =
...
check_client_access hash:/etc/postfix/blacklist
...
# [client/recipient] selection depends on whether you use the "everything
under smtpd_recipient_restrictions" style main.cf layout.
create: /etc/postfix/blacklist
...
1.2.3.4 REJECT
4.3.2.1 REJECT
3.2.1.4 REJECT
...
/$ postmap /etc/postfix/blacklist
/$ postfix reload
Simply eh?
Or to deny all port access from those IPs, if using Linux, use Netfilter:
/$ iptables -I INPUT -s 1.2.3.4 -j DROP
/$ iptables -I INPUT -s 4.3.2.1 -j DROP
/$ iptables -I INPUT -s 3.2.1.4 -j DROP
iptables inputs are non persistent across reboots. Without knowing what
OS/distro you're using, I'll give generic instructions on running this at
system startup instead of rc.* instructions.
As root, create something like /usr/bin/load_iptables.sh and make sure the
execute bit is set.
#! /bin/sh
iptables -I INPUT -s 1.2.3.4 -j DROP
iptables -I INPUT -s 4.3.2.1 -j DROP
iptables -I INPUT -s 3.2.1.4 -j DROP
As root create this crontab entry usually with "crontab -e"
@reboot /usr/bin/load_iptables.sh
Now all packets from those IPs will be dropped. Hope this helps.
------XXXXXXXXXXXXXX---------------------------XXXXXXXXXXXXXXXXXXXXX------------XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Blacklist & Whitelist with Postfix
In this little howto, I will describe how to configure a whitelist and/or blacklist for your Postfix installation.
There are two different parameters we can set in Postfix, and they act differently.
check_client_access
Blocks by client IP, Client IP Range or Hostname
check_sender_access
Block by sender e-mail address (In the FROM field)
#block by client IP, IP range, hostname
check_client_access hash:/etc/postfix/client_checks
#block by sender e-mail address. (In the FROM field)
check_sender_access hash:/etc/postfix/sender_checks
It is important that check_client_access and check_sender_access are listed among the first entries in smtpd_recipient_restrictions.
We do this so that the e-mail is not caught first by one of the other filters we have set.
Here is a sample excerpt from the main.cf file.
/etc/postfix/main.cf
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    etc.... etc....
We define the whitelist or blacklist entries with OK or REJECT, followed by an optional response text.
OK allows
REJECT blocks
/etc/postfix/client_checks
# Restricts which clients this system accepts SMTP connections from.
example.com REJECT No spammers
.example.com REJECT No spammers, from your subdomain
123.456.789.123 REJECT Your IP is spammer
# hash: tables match leading octets, not CIDR notation
123.456.789 REJECT Your IP range is spammer
321.987.654.321 OK
example1.com OK
/etc/postfix/sender_checks
# Restricts sender addresses this system accepts in MAIL FROM commands.
example.com REJECT env. from addr any@example.com rejected
.example.com REJECT env. from addr any@sub.example.com rejected
user@example.com REJECT We don't want your email
example2.com OK
When a change has been made to any of the files, remember to run postmap to update the Postfix lookup tables, and reload Postfix.
# postmap /etc/postfix/client_checks
# postmap /etc/postfix/sender_checks
# /etc/init.d/postfix reload
That was it, quite simple.
-----------------------------------------------------------
Block outgoing mail to specific address using Postfix
As described in access(5), just add a check_recipient_access map to your smtpd_recipient_restrictions;
if you wish to block these recipients for your own users too, make sure to place it before permit_mynetworks and/or permit_sasl_authenticated.
# Main.cf
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/bad_recipients, permit_mynetworks, reject_unauth_destination, permit
And in /etc/postfix/bad_recipients:
bad_user1@example.com REJECT We don't like him
bad_user2@example.org REJECT Delivery to this user is prohibited
Is it possible to block a certain email address from sending email anywhere other than to its own domain?
It's entirely possible with postfix Restriction Classes, you can group users in a table, and then apply certain access patterns (can only send to certain domains, can't send at all, etc).
A simple example would be under smtpd_recipient_restrictions you add a line to check the sender access: check_sender_access hash:/etc/postfix/sender_access
in the file sender_access you put the email address, and the policy applied (it's better to whitelist, since you say a few users, so specifically allow them to send anywhere, then the others add a larger group.. just the domain for example).
/etc/postfix/sender_access
user1@yourdomain.com all
user2@yourdomain.com all
# access(5) matches a whole domain by its bare name, not by "@domain"
yourdomain.com local
Then you need to define those classes.
smtpd_restriction_classes = local, all
local = check_recipient_access hash:/etc/postfix/local_dom, reject
all = check_recipient_access regexp:/etc/postfix/all_dom, reject
/etc/postfix/local_dom:
domain1.com OK
domain2.com OK
/etc/postfix/all_dom
# regexp: tables need /pattern/ delimiters
/^.*@.*$/ OK
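The decision chain described in the answer above, as an added example (not part of the original answer and not Postfix code). It is a simplified model: the indexed lookup tries only user@domain, the bare domain, and user@; the domain-wide sender entry is written as yourdomain.com, the form access(5) documents for domain matches; recipient addresses and the function names are constructed for illustration.

```python
import re

# Constructed copies of the tables from the answer above.
SENDER_ACCESS = {                       # /etc/postfix/sender_access
    "user1@yourdomain.com": "all",
    "user2@yourdomain.com": "all",
    "yourdomain.com": "local",
}
LOCAL_DOM = {"domain1.com": "OK", "domain2.com": "OK"}   # hash table
ALL_DOM = [(re.compile(r"^.*@.*$", re.I), "OK")]         # regexp table

def indexed_lookup(table, address):
    """Simplified access(5) order: user@domain, then domain, then user@."""
    user, _, domain = address.lower().rpartition("@")
    for key in (f"{user}@{domain}", domain, f"{user}@"):
        if key in table:
            return table[key]
    return None

def regexp_lookup(rules, address):
    """First matching pattern wins, as in a regexp: table."""
    for pattern, action in rules:
        if pattern.search(address):
            return action
    return None

# Each class is "check_recipient_access <table>, reject".
CLASSES = {
    "local": lambda rcpt: indexed_lookup(LOCAL_DOM, rcpt),
    "all": lambda rcpt: regexp_lookup(ALL_DOM, rcpt),
}

def decide(sender, recipient):
    """'OK' or 'REJECT' from the class; 'DUNNO' if the sender is unlisted."""
    cls = indexed_lookup(SENDER_ACCESS, sender)
    if cls is None:
        return "DUNNO"          # later restrictions in main.cf decide
    result = CLASSES[cls](recipient)
    return "OK" if result == "OK" else "REJECT"

if __name__ == "__main__":
    for s, r in [("user1@yourdomain.com", "friend@elsewhere.example"),
                 ("bob@yourdomain.com", "colleague@domain1.com"),
                 ("bob@yourdomain.com", "friend@elsewhere.example")]:
        print(s, "->", r, ":", decide(s, r))
```

The lookup key is the envelope sender given in MAIL FROM, so these classes only constrain a user when the sender address is also tied to the authenticated login.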
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxxxXXXXXXXXXXXXXXXXXXXXXXXXXxXXXXXXXXXXXXXXXXXXXXXXX
Create/edit three files:
nano /etc/postfix/body_checks
############
# reject if includes 'example.com' in mail body
/^(|[^>].*)example.com/ REJECT
############
nano /etc/postfix/header_checks
############
/^Subject:/ WARN
/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT
############
and the final file has example data (I will create an example user for testing purposes):
[root@mail ~]# vi /etc/postfix/header_checks
# add at the head
# reject if email address is empty
/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT
[root@mail ~]# vi /etc/postfix/body_checks
# reject if includes 'example.com' in mail body
/^(|[^>].*)example.com/ REJECT
------------------------------------------------------
Tuning the number of Postfix processes
/etc/postfix/master.cf:
# ====================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ====================================================================
. . .
smtp      inet  n       -       -       -       10      smtpd
-----main.cf---------------------------------------------------------
smtpd_recipient_limit = 300
default_process_limit = 300
default_destination_concurrency_limit = 200
---------------------------------------------------------------------------------------------
Comments from Brad Knowles
default_destination_concurrency_limit=50
default_destination_recipient_limit=50
default_process_limit=200
smtp_mx_session_limit=100
smtpd_client_connection_count_limit=100
smtp_destination_concurrency_limit=100
maximal_backoff_time = 1000s
minimal_backoff_time = 300s
Add this stuff to block bad SMTP requests
# vi /etc/postfix/main.cf
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, check_helo_access regexp:/etc/postfix/helo.regexp, permit
/etc/postfix/helo.regexp
Create /etc/postfix/helo.regexp and set contents to:
/^subdomain\.host\.com$/ 550 Don't use my own hostname
/^xxx\.yyy\.zzz\.xxx$/ 550 Don't use my own IP address
/^\[xxx\.yyy\.zzz\.xxx\]$/ 550 Don't use my own IP address
/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant
-------------