postfix open relay for only list of IPs

[Red Squirrel]

I remember I once had a setup like this where there was a file I could simply add an IP or IP range and postfix would allow relay to only those IPs. I can't figure out how to set that up. I've did some research on google but found no straight up answer, all of them were very complex setups that I don't need all I want is a file that I can edit and specify the IPs. I think the file was called access.conf or something like that.

 

[heymrdj]

You need to post your OS.

 

[Netopia]

Perhaps you mean the "mynetworks" setting in postfix's main.cf ... or perhaps the "relay_domains" settings in the same file.


Joe

 

[Netopia]

FROM:
http://www.postfix.org/postconf.5.html#relay_domains

relay_domains (default: $mydestination)
What destination domains (and subdomains thereof) this system will relay mail to. Subdomain matching is controlled with the parent_domain_matches_subdomains parameter. For details about how the relay_domains value is used, see the description of the permit_auth_destination and reject_unauth_destination SMTP recipient restrictions.

Domains that match $relay_domains are delivered with the $relay_transport mail delivery transport. The SMTP server validates recipient addresses with $relay_recipient_maps and rejects non-existent recipients. See also the relay domains address class in the ADDRESS_CLASS_README file.

Note: Postfix will not automatically forward mail for domains that list this system as their primary or backup MX host. See the permit_mx_backup restriction in the postconf(5) manual page.

Specify a list of host or domain names, "/file/name" patterns or "type:table" lookup tables, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a (parent) domain appears as lookup key. Specify "!pattern" to exclude a domain from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

 

[Netopia]

Are you just setting up a mail gateway? If so, might I suggest the most excellent site:

http://freespamfilter.org

The Debian setup (and the author) are very good.

Joe

 

[Red Squirrel]

Yeah think its mynetworks since I don't care about domains in this case. But mynetworks only allows to put 1 IP address, theres one that has an actual file, just cant recall what Im supose to name the file. I'm using CentOS5

 

[child of wonder]

In main.cf simply put:

mynetworks = 192.168.0.0/24 127.0.0.0/8

or whatever IPs and subnets you want to list. If it's a big list you can do:

mynetworks = cidr:/etc/postfix/mynetworks

Inside that file you can specify networks:

192.168.0.0/24 OK
172.16.0.0/16 REJECT

Then postmap that file and postfix reload.

 

[Red Squirrel]

Thanks I'll give that a shot

 

[Skunk]

I would not recommend adding an external ip address to mynetworks, unless you can be absolutely sure the sending server is secure.

You are effectively whitelisting every one who uses that server regardless of which domain they are sending mail from. Which in the case of shared servers can be a very bad thing.

This is a great guide for general antispam measures but has a great relaying section.

 

[Red Squirrel]

Yeah the server I'm adding is a server under my full control. I have an application that can send email, so rather then setup another email server I'll just relay the mail through my main server. Once I can figure out SMTP authentication then I will be able to not worry about open relay but I'm not at that point yet. For now I just use my ISP's SMTP servers, like for regular email from home. Though eventually I want to just be able to use my own.

 

[child of wonder]

Originally posted by: Skunk
I would not recommend adding an external ip address to mynetworks, unless you can be absolutely sure the sending server is secure.

You are effectively whitelisting every one who uses that server regardless of which domain they are sending mail from. Which in the case of shared servers can be a very bad thing.

This is a great guide for general antispam measures but has a great relaying section.

Yes.. do NOT put an external IP in mynetworks. Only internal subnets.

 

[Netopia]

Why don't you outline the entire scenario of what you're doing for us? It's possible that there are other ways of doing what you want, but you've asked a very narrow question. What's the bigger picture?

Joe

 

[Red Squirrel]

Basically I have two servers, we'll say server1 and server2. server1 has a VM with server2 in it, they both have external internet addresses. I have a program on server2 that needs to send mail out but the mail server is on server1. So rather then have another smtp server on server2 to send mail I just relay it to server1. So I put server2 in mynetworks.

Also eventually I want to enable anyone with a pop3 account to use my smtp server, but not sure how to do that. Think I need a program to look at the pop3 logs and add the IPs in mynetworks temporarly though I just don't feel thats the best way.

 

[child of wonder]

Use SMTP Auth, not POP3 before SMTP. There are tons of guides out there on how to do it.

 

[Red Squirrel]

Was thinking that too, I'll look into it.