Postfix main.cf (mynetworks)

[Walhalla]

Hi,
only one point I really would like to change in main.cf (several others too) is mynetworks. You add:

1. the whole network of the servers IP -> 1.2.3.4/24

2. all the machines in transports -> 1.2.3.5, 1.2.3.6, ....

I really dont want to have ALL THE MACHINES of this network in mynetworks. Further it is senseless to add IPs from the network again (included in .../24).

20 domains in the transport table with the same host result in 20 identical entries in mynetworks. Imagining that one has 10.000 domains .... it becomes an "interesting" main.cf .... full of the same IP in mynetwork?!

Is there any way to modify the main.cf and the changes will survive the next modification by the web?

Thanks & regards

Walhalla

 

[tom]

See my other posts and I also suggest you take a look on or new API.

 

[Walhalla]

Yes, but do you think that this behaviour is correct? Adding the enire network as mynetwork?

@ API: I only found this in the manual ->

13.3. pmgsh - API Shell
Interactive session:

pmgsh

Directly call API functions:
pmgsh (get|set|create|help) <path> [OPTIONS]

and pmgsh help ->

help [path] [--verbose]
cd [path]
ls [path]

get /version

Are there some more informations / HowTos availlable regarding this API?

Thanks Walhalla

 

[kensan]

Sorry to resurect an old thread. I happen to agree with the OP (walhalla). being the same subnet does't mean carte blanche to send mail (the default for the internal port : permit_mynetworks,reject_unauth_destination gives any host on the same subnet the ability to send mail anywhere for any domain)
from /usr/share/perl5/PVE/RESTHandler.pm
1161 my $mynetworks = [ '127.0.0.0/8', '[::1]/128' ];
1162
1163 if (my $int_net_cidr = PMG::Utils::find_local_network_for_ip($int_ip, 1)) {
1164 if ($int_net_cidr =~ m/^($IPV6RE)\/(\d+)$/) {
1165 push @$mynetworks, "[$1]/$2";
1166 } else {
1167 push @$mynetworks, $int_net_cidr;
1168 }
1169 }

that seams responsible for adding the network to postfix.mynetworks .
I dont see a way to neutralize it except remove postfix.mynetworks from the template or commenting out the code above in the source file.
I'd say dont do that and let the admin add whatever they want explicitly to /etc/pmg/mynetworks.

 

[janssensm]

Sorry for my first necro-post on the forum, but I couldn't help myself .
Triggered by the last post (probably a dormant member, or worse a left one, but always welcome to become active again) I almost came to the same conclusion.
But there is a more elegant solution via the mail filter rules, without touching templates or the source scripts.

Just create 1 rule blocking 1 or more IP Networks (who object) (f.e. several internal lans)
Create another rule accepting specific IP Addresses (who object) with a higher priority than the block rule.

And if you want to get some logging for the clients when they are being blocked, you can set Before Queue Filtering to Yes in Mail proxy Options.

 

[fgams]

I use a single host subnet (/32).

for example: 192.168.1.30/32

 

[d84555]

Sorry for digging an old thread . May be some one correct me if I'm doing any wrong or it will help those who are searching for the same solution.
I just wanted to share what I did and it is working for me.

I've edit the template file [/var/lib/pmg/templates/main.cf.in] and done the following changes,

"mynetworks = [% postfix.mynetworks %]" to "mynetworks = /etc/pmg/mynetworks"

it seems like /etc/pmg/mynetworks file contains only that IPs that are added in Network Tab under Mail Proxy.

This config have remove the whole same subnet and just allow IPs that are added Network Tab.
Ref: https://www.postfix.org/postconf.5.html#mynetworks

 

[Alejandro-Chirva]

...
I've edit the template file [/var/lib/pmg/templates/main.cf.in] and done the following changes,

"mynetworks = [% postfix.mynetworks %]" to "mynetworks = /etc/pmg/mynetworks"

it seems like /etc/pmg/mynetworks file contains only that IPs that are added in Network Tab under Mail Proxy.
...

This is an excellent idea, but as described in official docs - you should copy the template you wish to change to /etc/pmg/templates/, then apply your changes.