Open stefaweb opened 6 years ago
The 127.0.0.1 rule may be useful for main create.sql
Just for reference: It is also possible to create a local postfix process which doesn't run through mailscanner and that is being used for releasing mails only.
11550 inet n - y - - smtpd
  -o receive_override_options=no_header_body_checks
  -o syslog_name=postfix-mwrelease
Thanks for tip.
I've to start to play with postfix now.
Small description for the snippet:
That snippet has to be added to master.cf.
11550 is a random port; you are free to choose whatever you want (just set it in conf.php accordingly).
syslog_name=... is optional but helps to differentiate normal traffic and release traffic in the logs.
@Skywalker-11
I'll try your tip later to solve the 127.0.0.1 story. Currently, I'm more on "basic" with Postfix.
What is the best method with postfix to read this kind of file to manage incoming/outgoing authorisation for the postfix/mailwatch gateway?
I have this kind of file that I was using with Exim. These files were generated by a script.
/etc/exim4/hubbed_hosts (list of domain and corresponding pop/imap server to send flux)
domain.tld: mail.domain.tld
domain2.tld: mail.domain.tld
domain3.tld: mail.domain.tld
domain4.tld: mail.domain3.tld
/etc/exim4/relay_domains (authorized domain to be relayed)
domain.tld
domain2.tld
domain3.tld
domain4.tld
I'm pretty lost with all the different commands from postfix.
In fact, I have to write a new script to build all these (data from mobodoa + manual entry to manage specific flux direction). If the "format" is not the same with postfix, I will manage this in the new script.
Thanks for your help.
Domains that you are relaying should be defined by relay_domains = hash:/etc/postfix/relay_domains
(http://www.postfix.org/postconf.5.html#relay_domains)
That file looks like this:
example.com OK
somotherexample.com OK
After each change for files you include with hash: or similar, you should run postmap <file> to generate a corresponding .db file.
The servers they are relayed to can be defined by transport_maps = hash:/etc/postfix/transport
(http://www.postfix.org/postconf.5.html#transport_maps and http://www.postfix.org/transport.5.html)
example.com :[whatevermx.bla]
somotherexample.com :[anothermx.example.com]:11550
Some other things you may want to take a look at
# trusted host systems, e.g. internal mx, webmailer ...
mynetworks = ...
smtpd_data_restrictions = reject_unauth_pipelining
# allow mails when authenticated or from trusted hosts or target in relay_domains
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
# custom group of rules (can be referenced e.g. in access file)
smtpd_restriction_classes = local_or_authenticated
# custom rule that rejects mails where sender doesn't match the login (matches on smtpd_sender_login_maps), allows trusted hosts, and rejects mails where a sender is known but not logged in. You may want to apply this to your own domains
local_or_authenticated = reject_authenticated_sender_login_mismatch permit_mynetworks reject_known_sender_login_mismatch
# restrictions that should be applied on senders
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access
# map that defines login cred + matching mail addresses it is allowed to use
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_relay_recipient_maps.cf
# also check spf (not necessarily reject if you want to log with MS, but get for analysis by spamassassin)
smtpd_relay_restrictions = reject_authenticated_sender_login_mismatch permit_mynetworks permit_sasl_authenticated defer_unauth_destination check_policy_service unix:private/policyd-spf
The /etc/postfix/access file then can contain mappings from domains to checks, e.g.:
example.com local_or_authenticated
somotherexample.com local_or_authenticated
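One way to write the conversion script discussed above, as an added example that is not code from this thread or from MailWatch: it turns the Exim hubbed_hosts and relay_domains layouts quoted earlier into the Postfix relay_domains and transport map formats, and refuses to produce output when an entry is malformed or the two lists disagree. The function names and the hostname pattern are assumptions of this example.

```python
import re

# Conservative hostname check (an assumption): letter/digit/hyphen labels only.
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def _entries(text):
    """Yield (line_number, content) for non-empty lines, '#' comments removed."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            yield n, line

def parse_hubbed_hosts(text):
    """Parse 'domain: host' lines into {domain: host}, rejecting bad input."""
    routes = {}
    for n, line in _entries(text):
        domain, sep, host = (p.strip() for p in line.partition(":"))
        if not sep or not HOSTNAME.match(domain) or not HOSTNAME.match(host):
            raise ValueError(f"hubbed_hosts line {n}: malformed entry")
        if domain in routes:
            raise ValueError(f"hubbed_hosts line {n}: duplicate {domain}")
        routes[domain] = host
    return routes

def parse_relay_domains(text):
    """Parse one-domain-per-line input into a set, rejecting bad input."""
    domains = set()
    for n, line in _entries(text):
        if not HOSTNAME.match(line):
            raise ValueError(f"relay_domains line {n}: malformed entry")
        domains.add(line)
    return domains

def build_postfix_maps(hubbed_text, relay_text):
    """Return (relay_domains, transport) file contents in hash: map format."""
    routes = parse_hubbed_hosts(hubbed_text)
    allowed = parse_relay_domains(relay_text)
    # A relayed domain with no route, or a route for a domain that is not
    # authorised for relay, is an error: stop rather than guess.
    mismatch = allowed ^ set(routes)
    if mismatch:
        raise ValueError("relay/route mismatch: " + ", ".join(sorted(mismatch)))
    relay_map = "".join(f"{d} OK\n" for d in sorted(allowed))
    # [host] suppresses the MX lookup, as in the transport lines above.
    transport_map = "".join(f"{d} :[{routes[d]}]\n" for d in sorted(routes))
    return relay_map, transport_map

# Constructed sample input, following the file layouts quoted in this thread.
SAMPLE_HUBBED = "domain.tld: mail.domain.tld\ndomain2.tld: mail.domain.tld\ndomain3.tld: mail.domain.tld\ndomain4.tld: mail.domain3.tld\n"
SAMPLE_RELAY = "domain.tld\ndomain2.tld\ndomain3.tld\ndomain4.tld\n"

if __name__ == "__main__":
    for content in build_postfix_maps(SAMPLE_HUBBED, SAMPLE_RELAY):
        print(content)
```

The two returned strings are the contents for /etc/postfix/relay_domains and /etc/postfix/transport; run postmap on each file after writing it.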
Thanks for all of this. I've to try now. ;)
Hi @Skywalker-11
I've implemented all the postfix stuff for relay. I've just one question as the doc is not clear.
When we run postmap <file>, must we reload postfix after?
Concerning the dedicated postfix 127.0.0.1 rule. When we activate this, do we see the mail in the status.php GUI page?
When we run postmap, must we reload postfix after?
Just tested and at least for transport_maps no postfix restart is needed.
Concerning the dedicated postfix 127.0.0.1 rule. When we activate this, do we see the mail in the status.php GUI page?
No, as it completely bypasses MailScanner (disables header_checks) unless you use the relay script maybe. But I haven't used that one.
Thanks, I prefer to see the mail in the GUI.
Hello!
It would be nice to create a default 127.0.0.1 in the whitelist database at first install.