Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Postfix Documentation
Previous Page Home Next Page

Protecting internal email distribution lists

We want to implement an internal email distribution list. Something like [email protected], which aliases to all employees. My first thought was to use the aliases map, but that would lead to "all" being accessible from the "outside", and this is not desired... :-)

Postfix can implement per-address access controls. What follows is based on the SMTP client IP address, and therefore is subject to IP spoofing. 

/etc/postfix/
main.cf:
    
smtpd_recipient_restrictions =
        
check_recipient_access hash:/etc/postfix/access
        ...the usual stuff...

/etc/postfix/access:
    [email protected]   
permit_mynetworks,reject
    [email protected] 
permit_mynetworks,reject

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what map types Postfix supports, use the command postconf -m.

Now, that would be sufficient when your machine receives all Internet mail directly from the Internet. That's unlikely if your network is a bit larger than an office. For example, your backup MX hosts would "launder" the client IP address of mail from the outside so it would appear to come from a trusted machine.

In the general case you need two lookup tables: one table that lists destinations that need to be protected, and one table that lists domains that are allowed to send to the protected destinations.

What follows is based on the sender SMTP envelope address, and therefore is subject to SMTP sender spoofing. 

/etc/postfix/
main.cf:
    
smtpd_recipient_restrictions =
        
check_recipient_access hash:/etc/postfix/protected_destinations
        ...the usual stuff...

    
smtpd_restriction_classes = insiders_only
    insiders_only = 
check_sender_access hash:/etc/postfix/insiders, reject

/etc/postfix/protected_destinations:
    [email protected]   insiders_only
    [email protected] insiders_only

/etc/postfix/insiders:
    my.domain       OK  matches my.domain and subdomains
    another.domain  OK  matches another.domain and subdomains

Getting past this scheme is relatively easy, because all one has to do is to spoof the SMTP sender address.

If the internal list is a low-volume one, perhaps it makes more sense to make it moderated.

Postfix Documentation
Previous Page Home Next Page