kolab_smtp_access_policy - incoming mails are not checked against sender access list

Jan Kowalsky jankow at datenkollektiv.net
Fri Oct 13 13:08:38 CEST 2017


I found out how to fix this - but I don't understand it completely:

If I add a line


smtpd_data_restrictions =
  check_policy_service unix:private/recipient_policy_incoming

analogous to

submission_data_restrictions =
  check_policy_service unix:private/submission_policy

the sender access list also works from outside.

But I don't completely understand why the data_restrictions are
necessary - and not the sender_restrictions.

Probably because on sender_restrictions only the sender is known - and
not the recipient. But then this should be the kolab default configuration.

Regards
Jan

On 13.10.2017 at 12:04, Jan Kowalsky wrote:
> Hi all,
> 
> I discovered a problem with kolab_smtp_access_policy.
> 
> I configured some email addresses with a sender access list - to permit
> only some email addresses to send to those recipients. While this works
> fine with internal users (submission) external users via smtpd can post
> to those addresses - which isn't intended.
> 
> Does anybody have an idea?
> 
> As I understand the option "--verify-recipient" in the
> smtp_access_policy command in master.cf is responsible.
> 
> If I remove this one in the submission_policy also internal users can
> send emails to the protected post boxes.
> 
> But also if I add this --verify-recipient to sender_policy_incoming it
> has no effect. Maybe it's overwritten by this --allow-unauthenticated?
> 
> Who understands the kolab_smtp_access_policy?
> 
> sender_policy_incoming unix     -       n       n       -       -       spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-sender --verify-recipient --allow-unauthenticated
> 
> My Configs:
> 
> 
> In my postfix master.cf I have:
> 
> recipient_policy    unix        -       n       n       -       -       spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-recipient
> 
> recipient_policy_incoming unix  -       n       n       -       -       spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-recipient --allow-unauthenticated
> 
> sender_policy       unix        -       n       n       -       -       spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-sender
> 
> sender_policy_incoming unix     -       n       n       -       -       spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-sender --allow-unauthenticated
> 
> submission_policy   unix        -       n       n       -       -       spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-sender --verify-recipient
> 
> 
> and in main.cf
> 
> submission_sender_restrictions =
>   check_policy_service inet:127.0.0.1:10031
>   check_policy_service unix:private/submission_policy
>   permit_sasl_authenticated
>   reject_non_fqdn_sender
>   reject
> 
> submission_recipient_restrictions =
>   check_policy_service unix:private/submission_policy
>   permit_sasl_authenticated
>   reject
> 
> submission_data_restrictions =
>   check_policy_service unix:private/submission_policy
> 
> smtpd_recipient_restrictions =
>   permit_mynetworks
>   permit_sasl_authenticated
>   reject_unknown_recipient_domain
>   reject_invalid_hostname
>   reject_non_fqdn_hostname
>   reject_unauth_pipelining
>   reject_non_fqdn_recipient
>   reject_non_fqdn_sender
>   reject_unknown_sender_domain
>   reject_unauth_destination
>   reject_multi_recipient_bounce
>   reject_sender_login_mismatch
>   check_policy_service unix:private/recipient_policy_incoming
>   check_policy_service inet:127.0.0.1:10031
>   permit
> 
> smtpd_sender_restrictions =
>   permit_mynetworks
>   permit_sasl_authenticated
>   reject_sender_login_mismatch
>   check_policy_service unix:private/sender_policy_incoming
> 
> 
> Thanks a lot for any hint.
> Best Regards
> Jan

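A simplified model of a policy service that only records requests during RCPT and makes its decision at DATA, which would explain why the check takes effect only once `smtpd_data_restrictions` calls the service. This is an added example, not Kolab's code; the deferral behaviour, the access list, the addresses and the instance id are assumptions constructed for illustration.

```python
# Added example: simplified model of a deferred policy decision, not Kolab's code.
# Constructed access list: protected recipient -> senders allowed to write to it.
ACL = {"board@example.org": {"alice@example.org"}}

def parse_request(text):
    """Parse one Postfix policy delegation request (name=value lines)."""
    attrs = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class DeferredPolicy:
    """Records RCPT-stage requests per instance and decides at DATA (assumed)."""
    def __init__(self, acl):
        self.acl = acl
        self.pending = {}  # instance -> list of recipients seen at RCPT

    def handle(self, text):
        req = parse_request(text)
        state = req.get("protocol_state", "")
        if state == "RCPT":
            self.pending.setdefault(req["instance"], []).append(req["recipient"].lower())
        elif state == "DATA":
            sender = req.get("sender", "").lower()
            for rcpt in self.pending.pop(req["instance"], []):
                allowed = self.acl.get(rcpt)
                if allowed is not None and sender not in allowed:
                    return "action=REJECT sender not permitted for " + rcpt
        return "action=DUNNO"  # no opinion, Postfix continues with the next restriction

def replay(policy, sender, recipients, data_hook):
    """Send the requests Postfix would issue for one message; return the replies."""
    base = "request=smtpd_access_policy\ninstance=constructed.1\nsender=%s\n" % sender
    replies = [policy.handle(base + "protocol_state=RCPT\nrecipient=%s\n" % r)
               for r in recipients]
    if data_hook:  # only happens when smtpd_data_restrictions calls the service
        replies.append(policy.handle(base + "protocol_state=DATA\nrecipient=\n"))
    return replies

if __name__ == "__main__":
    for hook in (False, True):
        print(hook, replay(DeferredPolicy(ACL), "eve@example.net", ["board@example.org"], hook))
```

Without the DATA-stage call every reply is `DUNNO` and the message to the protected address is accepted; with it, the same session ends in a `REJECT`.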
