Forged header detection and selective filtering (Solved)

Adam Tworkowski atworkowski at masterfile.com
Fri Feb 17 15:23:50 CET 2006


OK, I think I came up with a reasonable solution to my issue with a
little help from the postfix-users list.  Posting my results so that my
initial post to the list may have value to someone in the future:

The key was to add "check_sender_access
hash:/kolab/etc/postfix/access" to smtpd_*_restrictions and create the
rules in postfix/access as follows:

in postfix/main.cf:

smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unlisted_recipient,
    check_sender_access hash:/kolab/etc/postfix/access,
    check_policy_service unix:private/kolabpolicy

smtpd_sender_restrictions =
    check_sender_access hash:/kolab/etc/postfix/access,
    permit_mynetworks,
    check_policy_service unix:private/kolabpolicy

in postfix/access:

# no leading | like I had before.
fakeuser@domain.com OK


On Wed, 2006-15-02 at 13:21 -0500, Adam Tworkowski wrote:
> I am trying to allow certain email addresses using my local domain (say
> fakeuser at domain.com) to send mail from remote networks to valid local
> users (i.e. realuser at domain.com).
> 
> Basically I am trying to poke a hole in Kolab's UCE policy on a per
> sender basis through Postfix.
> 
> I am adding the sender's address to /kolab/etc/postfix/access (which is
> otherwise empty) and mapping it with /kolab/sbin/postmap access.
> 
> | fakeuser@domain.com OK
> 
> I am then changing the following line in Postfix's main.cf from:
> 
> smtpd_sender_restrictions = permit_mynetworks, check_policy_service
>     unix:private/kolabpolicy
> 
> to:
> 
> smtpd_sender_restrictions = check_sender_access
>     hash:/kolab/etc/postfix/access, permit_mynetworks, check_policy_service
>     unix:private/kolabpolicy
> 
> When attempting to send mail as the user I get the following (note that
> I am definitely not on a network local to Postfix):
> 
> telnet 192.168.1.10  25
> Trying 192.168.1.10...
> Connected to 192.168.1.10.
> Escape character is '^]'.
> 220 kolab01.domain.com ESMTP Postfix
> ehlo hotmail.com
> 250-kolab01.domain.com
> 250-PIPELINING
> 250-SIZE 20971520
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250 8BITMIME
> MAIL FROM:  fakeuser@domain.com
> 250 Ok
> RCPT TO: realuser@domain.com
> 554 <fakeuser@domain.com>: Sender address rejected: Invalid sender
> 
> Am I going about this the right way?  Is there another filter getting in
> the way?  What am I missing?  
> 
> Also, if an address is not present during the "check_sender_access"
> check am I expecting it to bail, or move on to permit_mynetworks?
> 
> Any help would be much appreciated.  Thanks.
> 
> -Adam
> 
> On Tue, 2006-14-02 at 13:14 -0500, Adam Tworkowski wrote:
> > Hi,
> > 
> > Our Kolab server (correctly) detects forged "from" headers so that if
> > you say you are "user at domain.com" where domain.com is local, and you are
> > sending from somewhere that is not domain.com, your message is
> > refused.  How would I go about allowing certain "users" to bypass this
> > feature so that user1 at domain.com can be delivered as if local even
> > though the headers are really forged?  
> > 
> > We have a business requirement to accept mail "from" certain "accounts"
> > that aren't local (affiliate users who we don't necessarily want on our
> > mail system, as well as some forwarders from an external mail system
> > via /etc/aliases).
> > 
> > Thanks in advance.  
-- 
Regards,

Adam Tworkowski, atworkowski at masterfile.com
Systems Administrator, Computer Department
Masterfile Corporation, www.masterfile.com
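
The evaluation order behind this fix, as an added Python model that is not part of the original post and is not Postfix or Kolab code. It assumes smtpd_delay_reject = yes, a simplified stand-in for the kolabpolicy service, and constructed client addresses and local user list.

```python
# Added model, not Postfix or Kolab code. Assumes smtpd_delay_reject = yes
# (both lists run at RCPT TO) and that the kolabpolicy stand-in rejects a
# local-domain sender coming from a client outside mynetworks.
LOCAL_DOMAIN = "domain.com"
MYNETWORKS = {"192.168.1.10"}                      # constructed
LOCAL_USERS = {"realuser@domain.com"}              # constructed
GOOD_MAP = {"fakeuser@domain.com": "OK"}           # entry as in the solution
BAD_MAP = {"|": "fakeuser@domain.com OK"}          # leading "|" became the key

SENDER = ["check_sender_access", "permit_mynetworks", "kolabpolicy"]
RECIPIENT = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "reject_unlisted_recipient",
             "check_sender_access", "kolabpolicy"]

def check(name, s, table):
    """Verdict of one restriction: 'OK', 'REJECT' or 'DUNNO' (no opinion)."""
    local_client = s["client"] in MYNETWORKS
    if name == "check_sender_access":
        return table.get(s["sender"], "DUNNO")     # no entry: move on
    if name == "permit_mynetworks":
        return "OK" if local_client else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "OK" if s.get("sasl") else "DUNNO"
    if name == "reject_unauth_destination":        # simplified to one domain
        return "DUNNO" if s["rcpt"].endswith("@" + LOCAL_DOMAIN) else "REJECT"
    if name == "reject_unlisted_recipient":
        return "DUNNO" if s["rcpt"] in LOCAL_USERS else "REJECT"
    if name == "kolabpolicy":
        forged = s["sender"].endswith("@" + LOCAL_DOMAIN) and not local_client
        return "REJECT" if forged else "DUNNO"
    raise ValueError(name)

def run_list(restrictions, s, table):
    for name in restrictions:
        verdict = check(name, s, table)
        if verdict != "DUNNO":                     # first OK/REJECT ends the list
            return verdict, name
    return "OK", None                              # nothing objected

def rcpt_to(s, table, sender_list=SENDER, recipient_list=RECIPIENT):
    """An OK ends only its own list; any REJECT refuses the recipient."""
    for restrictions in (sender_list, recipient_list):
        verdict, name = run_list(restrictions, s, table)
        if verdict == "REJECT":
            return "REJECT", name
    return "OK", None

REMOTE = {"client": "198.51.100.7", "sender": "fakeuser@domain.com",
          "rcpt": "realuser@domain.com"}           # constructed session
```

In this model the verdict for a listed sender does not depend on the client address, and a listed sender still cannot relay to outside recipients because check_sender_access sits after reject_unauth_destination.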
 