Force a bunch of users to send mail only to a list of domains

NethServer Version: 7.6.1810
Module: mail 2.4.5-1

In [ Email Addresses ] -> [ username@domain.local ] -> [ Edit ] -> [ Local network only ]

You can restrict email sending to the local domain. I want to change that (or create another checkbox to do this), and instead limit that user to only sending emails to *.cu mails.

How can I accomplish this?

If I understand correctly, you could see http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions.

But you need to dig into the postfix configuration and create a custom template.

Maybe @davidep or @stephdl know if this is the right option to try or if there is no way to achieve it.

1 Like

Try this solution, which however involves all accounts:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/transport
cd /etc/e-smith/templates-custom/etc/postfix/transport

vi 40restrictions


In 40restrictions write this:

 #
 # Custom
 # 40restrictions
 #
   
 .cu     :
 *       error:You cannot send mail to this address


Then run these commands:

expand-template /etc/postfix/transport
postmap /etc/postfix/transport && postfix reload

Every time you change 40restrictions, remember to run the commands above again.

5 Likes

One question: I only want to restrict this to a bunch of users, wouldn’t this cause everyone to be restricted?

How about using a new property? If the property is enabled then the user will have the restriction to only send mails to *.cu

Every email account in your Nethserver will be restricted with that configuration.

If you have to make this restriction only for some users, let's wait and see whether @davidep and/or @stephdl have some idea, because the configuration is very different.

There is some documentation on the internet (quite confusing), I tried to apply it but I could not get it to work.

2 Likes

Do you know where the template for the [ Local network only ] feature is?

1 Like

Found it, it is in /etc/e-smith/templates/etc/postfix/internal_access/10mailboxes. Now I just need to find a way to change the code so that when I enable the checkbox I get the desired effect.

I know it is rough, but I need this ASAP; it is a policy I must comply with.

@jfernandez

Maybe you can setup a second mail server (slaved, joined, don’t know) just for the limited users and not affect the privileged ones.

Regards!

How to do it should be explained here:

http://www.postfix.org/RESTRICTION_CLASS_README.html

(section “Restricting what users can send mail to off-site destinations”)

I tried to implement it, but I couldn’t get it to work.
Does anyone want to try it? (@stephdl, @davidep)

This is a rough draft, I have not done extensive tests so you can expect any abnormal behavior.

mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf

cd /etc/e-smith/templates/etc/postfix/main.cf

cp 00template_vars /etc/e-smith/templates-custom/etc/postfix/main.cf

cd /etc/e-smith/templates-custom/etc/postfix/main.cf

vi 00template_vars

Modify the section

@smtpd_relay_restrictions = (
    'check_client_access cidr:/etc/postfix/access.cidr',
    'permit_mynetworks',
    'permit_sasl_authenticated',
    'reject_unauth_destination',
    'reject_unverified_recipient',
);

to

@smtpd_relay_restrictions = (
    'check_client_access cidr:/etc/postfix/access.cidr',
    'check_sender_access hash:/etc/postfix/restricted_senders',
    'permit_mynetworks',
    'permit_sasl_authenticated',
    'reject_unauth_destination',
    'reject_unverified_recipient',
);


cd /etc/e-smith/templates-custom/etc/postfix/main.cf


vi 55restriction_classes

#
# custom
# 55restriction_classes
#

smtpd_restriction_classes = local_only
local_only = pcre:/etc/postfix/local_domains, reject


mkdir -p /etc/e-smith/templates-custom/etc/postfix/restricted_senders

cd /etc/e-smith/templates-custom/etc/postfix/restricted_senders


vi 10restricted_senders

#
# custom
# 10restricted_senders
#
user01@to.be.restricted   local_only
user02@to.be.restricted   local_only

(replace user01@to.be.restricted and user02@to.be.restricted with the real addresses of the users to be blocked)


mkdir -p /etc/e-smith/templates-custom/etc/postfix/local_domains

cd /etc/e-smith/templates-custom/etc/postfix/local_domains


vi 10local_domains

#
# custom
# 10local_domains
#    
# Insert the TLD as regular expression
# because the format file doesn't accept TLD directly
#
# In case, insert other lines as regular expression too
# 
# http://www.postfix.org/access.5.html

/\.cu$/ OK
/onedomain\.com$/ OK

(You can remove the “/onedomain\.com$/ OK” line. I put it here as a reference.)


Then launch these commands

expand-template /etc/postfix/main.cf
expand-template /etc/postfix/restricted_senders
expand-template /etc/postfix/local_domains
postmap /etc/postfix/restricted_senders
postmap /etc/postfix/local_domains
postfix reload

In case of changes to the list of restricted users or the list of domains, remember to run all six reconfiguration commands above again.

6 Likes
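
Added example (not part of the original posts): an offline check of which recipient addresses the patterns in 10local_domains let through. It shows that `/onedomain\.com$/` also matches a look-alike such as notonedomain.com, and that anchoring the pattern at `@` or `.` closes that gap. The `lookup` helper, the sample addresses and the anchored pattern are constructed here, and `grep -E` only approximates Postfix's pcre matching.

```sh
#!/bin/sh
# Constructed copy of the local_domains table from the post (pcre format:
# /pattern/ result), and a variant whose second pattern is anchored at "@" or ".".
LOOSE_TABLE='/\.cu$/ OK
/onedomain\.com$/ OK'

STRICT_TABLE='/\.cu$/ OK
/[@.]onedomain\.com$/ OK'

# lookup TABLE ADDRESS
# Prints the result of the first matching pattern, or "reject" when nothing
# matches (the fallback mirrors the trailing "reject" of the local_only class).
# Matching is case-insensitive, as Postfix pcre tables are by default.
lookup() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        result=${line##*/ }      # text after the closing "/ "
        pattern=${line#/}        # drop the opening slash
        pattern=${pattern%/ *}   # drop the closing slash and the result
        if printf '%s\n' "$2" | grep -Eiq -- "$pattern"; then
            printf '%s\n' "$result"
            return 0
        fi
    done <<EOF
$1
EOF
    printf 'reject\n'
}

# Constructed recipient addresses, evaluated against both tables.
for rcpt in ana@correo.cu bob@onedomain.com bob@mail.onedomain.com \
            bob@notonedomain.com bob@example.org; do
    printf '%-26s loose=%-7s strict=%s\n' "$rcpt" \
        "$(lookup "$LOOSE_TABLE" "$rcpt")" "$(lookup "$STRICT_TABLE" "$rcpt")"
done
```

On the server itself, `postmap -q 'bob@notonedomain.com' pcre:/etc/postfix/local_domains` runs the same query against the real table.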

I want to thank @saitobenkei for his help, you really saved me with this.
Now, I would like to post here all the things done. I would like to make this solution a new feature for the NS7 mail module.

For the meantime I decided to modify the functionality of the checkbox in
[ Email Addresses ] -> [ username@domain.local ] -> [ Edit ] -> [ Local network only ]

In order to do this we create a custom template to disable this feature code, like this:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/internal_access/
nano /etc/e-smith/templates-custom/etc/postfix/internal_access/10mailboxes

We insert this code in this file:

#
# 10mailboxes -- internal addresses defined by users database
#
{

}

As @saitobenkei suggested, we also modify some parameters in /etc/postfix/main.cf to restrict access for the defined users (those that have the [ Local network only ] checkbox enabled). To do that we make a custom template that replaces the original /etc/e-smith/templates/etc/postfix/main.cf/00template_vars by doing this:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf/
cp /etc/e-smith/templates/etc/postfix/main.cf/00template_vars /etc/e-smith/templates-custom/etc/postfix/main.cf/
nano /etc/e-smith/templates-custom/etc/postfix/main.cf/00template_vars

We modify this section; the line with the “Add this here” comment must be inserted.
According to this guide, the file /etc/postfix/restricted_senders will have the list of users:

@smtpd_relay_restrictions = (
    'check_client_access cidr:/etc/postfix/access.cidr',
    'check_sender_access hash:/etc/postfix/restricted_senders', # <- Add this here
    'permit_mynetworks',
    'permit_sasl_authenticated',
    'reject_unauth_destination',
    'reject_unverified_recipient',
);

Also we create a new template file, to define our reject class and file:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf/
nano /etc/e-smith/templates-custom/etc/postfix/main.cf/55restriction_classes

In 55restriction_classes we define a restriction class; in this case we will reject any email, except for those email domains that comply with the regex expressions:

#
# custom
# 55restriction_classes
#

smtpd_restriction_classes = local_only
local_only = pcre:/etc/postfix/local_domains, reject

Next is creating the local domain template file:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/local_domains/
nano /etc/e-smith/templates-custom/etc/postfix/local_domains/10local_domains

As explained here, we define the email domains that will be allowed; any other email will be rejected by default. As @saitobenkei explained, we can define other domains like this: /onedomain\.com$/ OK

#
# custom
# 10local_domains
#    
# Insert the TLD as regular expression
# because the format file doesn't accept TLD directly
#
# In case, insert other lines as regular expression too
# 
# http://www.postfix.org/access.5.html

/\.cu$/ OK

Finally we define the restricted senders template file:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/restricted_senders/
nano /etc/e-smith/templates-custom/etc/postfix/restricted_senders/10restricted_senders

Here we use this code to get all the users who have the [ Local network only ] checkbox enabled and apply the restriction class local_only to them:

#
# custom
# 10restricted_senders
#

{
    use esmith::AccountsDB;
    $OUT = '';
    foreach (esmith::AccountsDB->open_ro()->get_all_by_prop("type" => "user")) {
        if(($_->prop('MailAccess') || '') eq 'private') {
            $OUT .= sprintf("%-38s local_only\n", $_->key);
        }
    }
}

Now that we have finished with all the templates, as @saitobenkei explained, we expand the templates and reload postfix.

expand-template /etc/postfix/main.cf
expand-template /etc/postfix/restricted_senders
expand-template /etc/postfix/local_domains
postmap /etc/postfix/restricted_senders
postmap /etc/postfix/local_domains
postfix reload

That’s all, I want to thank @saitobenkei for his support, I think this could be a great feature for mail module. Is there a place to suggest ideas for this?

4 Likes

Thank you.

Please, remember that I have not tested this configuration thoroughly so it could affect other features of the mail management.

2 Likes

So far there haven’t been any issues, it is working fine. By the way, is it possible to make this a feature? I think it is feasible.

One way to do it is:

  • Create a new property in db.accounts.user for storing the regex expressions for each user
  • Use a loop in the restriction classes template file to create a restriction class for each user
  • Change the code in the restricted senders template files so the output inside the loop gives the defined restriction class for each user, instead of only the restriction class (local_only)
  • Change the UI and the nethserver events in the mail module

1 Like