Force a bunch of users to send mail only to a list of domains

mail

(Juan Carlos Fernandez) #1

NethServer Version: 7.6.1810
Module: mail 2.4.5-1

In [ Email Addresses ] -> [ username@domain.local ] -> [ Edit ] -> [ Local network only ]

You can restrict email sending to local domain. I want to change that (or create another checkbox to do this), and instead limit that user to only sending emails to *.cu mails.

How can I accomplish this ?


(Giacomo Sanchietti) #2

If I understand correctly, you could see http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions.

But you need to dig into the postfix configuration and create a custom template.

Maybe @davidep or @stephdl know if this is the right option to try or if there is no way to achieve it.


(Saito Benkei) #3

Try this solution, which however involves all accounts:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/transport
cd /etc/e-smith/templates-custom/etc/postfix/transport

vi 40restrictions


In 40restrictions write this:

#
# Custom
# 40restrictions
#

.cu     :
*       error:You cannot send mail to this address


Then write these commands

expand-template /etc/postfix/transport
postmap /etc/postfix/transport && postfix reload

Every time you change 40restrictions, remember to run the commands above again.


(Juan Carlos Fernandez) #4

One question: I only want to restrict this to a bunch of users, wouldn’t this cause everyone to be restricted?

How about using a new property? If the property is enabled then the user will have the restriction to only send mails to *.cu


(Saito Benkei) #5

Every email account in your Nethserver will be restricted with that configuration.

If you have to make this restriction only for some users, we will wait to see if @davidep and/or @stephdl have some idea, because the configuration is very different.

There is some documentation on the internet (quite confusing), I tried to apply it but I could not get it to work.


(Juan Carlos Fernandez) #6

Do you know where the template for the [ Local network only ] feature is?


(Juan Carlos Fernandez) #7

Found it, it is in /etc/e-smith/templates/etc/postfix/internal_access/10mailboxes. Now I just need to find a way to change the code so that when I enable the checkbox I get the desired effect.

I know it is rough but I need this ASAP, it is a policy I must comply with.


(Enrique D) #8

@jfernandez

Maybe you can set up a second mail server (slaved, joined, don’t know) just for the limited users and not affect the privileged ones.

Regards!


(Saito Benkei) #9

It should be explained here how to do it:

http://www.postfix.org/RESTRICTION_CLASS_README.html

(section “Restricting what users can send mail to off-site destinations”)

I tried to implement it, but I couldn’t get it to work.
Does anyone want to try it? (@stephdl, @davidep)


(Saito Benkei) #10

This is a rough draft, I have not done extensive tests so you can expect any abnormal behavior.

mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf

cd /etc/e-smith/templates/etc/postfix/main.cf

cp 00template_vars /etc/e-smith/templates-custom/etc/postfix/main.cf

cd /etc/e-smith/templates-custom/etc/postfix/main.cf

vi 00template_vars

modify the section

@smtpd_relay_restrictions = (
    'check_client_access cidr:/etc/postfix/access.cidr',
    'permit_mynetworks',
    'permit_sasl_authenticated',
    'reject_unauth_destination',
    'reject_unverified_recipient',
);

to

@smtpd_relay_restrictions = (
    'check_client_access cidr:/etc/postfix/access.cidr',
    'check_sender_access hash:/etc/postfix/restricted_senders',
    'permit_mynetworks',
    'permit_sasl_authenticated',
    'reject_unauth_destination',
    'reject_unverified_recipient',
);


cd /etc/e-smith/templates-custom/etc/postfix/main.cf


vi 55restriction_classes

#
# custom
# 55restriction_classes
#

smtpd_restriction_classes = local_only
local_only = pcre:/etc/postfix/local_domains, reject


mkdir -p /etc/e-smith/templates-custom/etc/postfix/restricted_senders

cd /etc/e-smith/templates-custom/etc/postfix/restricted_senders


vi 10restricted_senders

#
# custom
# 10restricted_senders
#
user01@to.be.restricted   local_only
user02@to.be.restricted   local_only

(replace user01@to.be.restricted and user02@to.be.restricted with the real addresses of the users to be blocked)


mkdir -p /etc/e-smith/templates-custom/etc/postfix/local_domains

cd /etc/e-smith/templates-custom/etc/postfix/local_domains


vi 10local_domains

#
# custom
# 10local_domains
#    
# Insert the TLD as regular expression
# because the format file doesn't accept TLD directly
#
# In case, insert other lines as regular expression too
# 
# http://www.postfix.org/access.5.html

/\.cu$/ OK
/onedomain\.com$/ OK

(You can remove the “/onedomain\.com$/ OK” line. I put it here as a reference.)


Then launch these commands

expand-template /etc/postfix/main.cf
expand-template /etc/postfix/restricted_senders
expand-template /etc/postfix/local_domains
postmap /etc/postfix/restricted_senders
postmap /etc/postfix/local_domains
postfix reload

In case of changes to the list of restricted users or the list of domains, remember to run all six reconfiguration commands above again.
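An added example, not part of the original post: a small Python model of the first-match lookup in the local_domains table, used to check which recipient addresses the allow-list patterns let through. It assumes the table is searched with the full recipient address and approximates PCRE with Python's re module; the tightened pattern and the sample addresses are constructed for illustration.

```python
import re

# Constructed copy of the table from the post above (comments trimmed).
PAGE_TABLE = r"""
# 10local_domains
/\.cu$/ OK
/onedomain\.com$/ OK
"""

# Assumed tightening: require "@" or "." immediately before the domain name.
TIGHT_TABLE = r"""
/\.cu$/ OK
/[@.]onedomain\.com$/ OK
"""

# Constructed sample recipients.
SAMPLES = ["ana@correo.cu", "ANA@CORREO.CU", "bob@onedomain.com",
           "bob@mail.onedomain.com", "bob@notonedomain.com", "bob@example.org"]

def parse_table(text):
    """Parse '/pattern/flags action' lines; skip blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-zA-Z]*)\s+(.+)$", line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        pattern, flags, action = m.groups()
        # pcre_table(5): case-insensitive by default; the "i" flag toggles it off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def decide(rules, recipient):
    """Model 'local_only = <table>, reject': first match wins, else REJECT."""
    for rx, action in rules:
        if rx.search(recipient):
            return action
    return "REJECT"

def differences(table_a, table_b, samples):
    """Recipients on which the two tables give different decisions."""
    a, b = parse_table(table_a), parse_table(table_b)
    return [r for r in samples if decide(a, r) != decide(b, r)]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r:26} page={decide(parse_table(PAGE_TABLE), r):7}"
              f" tight={decide(parse_table(TIGHT_TABLE), r)}")
```

On the server itself, the real table can be queried in the same way with postmap -q "address" pcre:/etc/postfix/local_domains.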


(Juan Carlos Fernandez) #11

I want to thank @saitobenkei for his help, you really saved me with this.
Now, I would like to post here all the things done. I would like to make this solution a new feature for the NS7 mail module.

In the meantime I decided to modify the functionality of the checkbox in
[ Email Addresses ] -> [ username@domain.local ] -> [ Edit ] -> [ Local network only ]

In order to do this we create a custom template to disable this feature code, like this:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/internal_access/
nano /etc/e-smith/templates-custom/etc/postfix/internal_access/10mailboxes

We insert this code in this file:

#
# 10mailboxes -- internal addresses defined by users database
#
{

}

As @saitobenkei suggested, we also modify some parameters in /etc/postfix/main.cf to restrict access for the defined users (those that have the [ Local network only ] checkbox enabled). To do that we make a custom template that replaces the original /etc/e-smith/templates/etc/postfix/main.cf/00template_vars by doing this:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf/
cp /etc/e-smith/templates/etc/postfix/main.cf/00template_vars /etc/e-smith/templates-custom/etc/postfix/main.cf/
nano /etc/e-smith/templates-custom/etc/postfix/main.cf/00template_vars

We modify this section; the line with the “Add this here” comment must be inserted.
According to this guide, the file /etc/postfix/restricted_senders will have the list of users:

@smtpd_relay_restrictions = (
    'check_client_access cidr:/etc/postfix/access.cidr',
    'check_sender_access hash:/etc/postfix/restricted_senders', # <- Add this here
    'permit_mynetworks',
    'permit_sasl_authenticated',
    'reject_unauth_destination',
    'reject_unverified_recipient',
);

Also we create a new template file, to define our reject class and file:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf/
nano /etc/e-smith/templates-custom/etc/postfix/main.cf/55restriction_classes

In 55restriction_classes we define a restriction class; in this case we will reject any email, except for those email domains that comply with the regex expressions:

#
# custom
# 55restriction_classes
#

smtpd_restriction_classes = local_only
local_only = pcre:/etc/postfix/local_domains, reject

Next is creating the local domain template file:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/local_domains/
nano /etc/e-smith/templates-custom/etc/postfix/local_domains/10local_domains

As it is explained here, we define the email domains that will be allowed; any other email will be rejected by default. As @saitobenkei explained, we can define another domain like this: /onedomain\.com$/ OK

#
# custom
# 10local_domains
#    
# Insert the TLD as regular expression
# because the format file doesn't accept TLD directly
#
# In case, insert other lines as regular expression too
# 
# http://www.postfix.org/access.5.html

/\.cu$/ OK

Finally we define the restricted senders template file:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/restricted_senders/
nano /etc/e-smith/templates-custom/etc/postfix/restricted_senders/10restricted_senders

Here we use this code to get all the users who have the [ Local network only ] checkbox enabled and apply the restriction class local_only to them:

#
# custom
# 10restricted_senders
#

{
    use esmith::AccountsDB;
    $OUT = '';
    foreach (esmith::AccountsDB->open_ro()->get_all_by_prop("type" => "user")) {
        if(($_->prop('MailAccess') || '') eq 'private') {
            $OUT .= sprintf("%-38s local_only\n", $_->key);
        }
    }
}

Now that we have finished with all the templates, as @saitobenkei explained, we expand the templates and reload postfix.

expand-template /etc/postfix/main.cf
expand-template /etc/postfix/restricted_senders
expand-template /etc/postfix/local_domains
postmap /etc/postfix/restricted_senders
postmap /etc/postfix/local_domains
postfix reload

That’s all. I want to thank @saitobenkei for his support, I think this could be a great feature for the mail module. Is there a place to suggest ideas for this?


(Saito Benkei) #12

Thank you.

Please, remember that I have not tested this configuration thoroughly so it could affect other features of the mail management.


(Juan Carlos Fernandez) #13

So far there haven’t been any issues, it is working fine. By the way, is it possible to make this a feature? I think it is feasible.

One way to do it is:

  • Create a new property in db.accounts.user for storing the regex expressions for each user
  • Use a loop in the restriction classes template file to create a restriction class for each user
  • Change the code in the restricted senders template files so the output used inside the loop gives the defined restriction class for each user, instead of only the restriction class (local_only)
  • Change the UI and the nethserver events in the mail module