[SOLVED] Restrict trusted nodes to domain

Lehmann

Apr 7, 2021
Hello

Is it possible to restrict outgoing mail from a mail server to one or more domains?

Ex:
mail01.int.example.com
May send mails as example.com and example.net

mail02.int.customer.de
May send mails as customer.de

pmg.example.com receives all mails and blocks mails from other domains from the respective mail server.

Is such a configuration realizable?
 
For all those who are looking for a solution to the same problem.

I have built a solution with postfwd3 with which I can release multiple domains for one or more IPs via the associated config file. All necessary files and adjustments are shown here.

Example Config file:
/etc/postfwd/postfwd.cf
Code:
id=example_001
        client_address=172.18.1.1/32
        client_address=172.18.1.2/32
        sender_domain=example.de
        sender_domain=example.com
        action=dunno

id=default
        action=reject Your mail server is not authorized to send mails for this domain

Associated service file:
/etc/systemd/system/postfwd3.service
Code:
[Unit]
Description=Postfix firewall daemon

[Service]
Type=forking
ExecStart=/usr/local/bin/postfwd3 --summary=3600 --cache=600 \
    --cache-rbl-timeout=3600 --cleanup-requests=1200 --cleanup-rbls=1800 \
    --cleanup-rates=1200 --daemon --file=/etc/postfwd/postfwd.cf \
    --interface=127.0.0.1 --port=10045 --umask=112 \
    --pidfile=/var/run/postfwd.pid --logname=postfwd --user=postfwd \
    --group=postfwd

ExecStop=/usr/local/bin/postfwd3 --file=/etc/postfwd/postfwd.cf \
    --pidfile=/var/run/postfwd.pid --kill

ExecReload=/usr/local/bin/postfwd3 --file=/etc/postfwd/postfwd.cf \
    --pidfile=/var/run/postfwd.pid --reload

[Install]
WantedBy=multi-user.target


The necessary adjustment to the master.cf is to set the check_policy_service for smtpd_sender_restrictions for the internal postfix port.
This change must be made via the PMG Template System.
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

master.cf.in internal port before
Code:
...
[% pmg.mail.int_port %]       inet  n -       -       -       [% pmg.mail.max_smtpd_out %]      smtpd
[% IF pmg.mail.before_queue_filtering -%]
  -o smtpd_proxy_filter=127.0.0.1:10023
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_client_connection_count_limit=[% pmg.mail.conn_count_limit div 5 %]
[%- ELSE -%]
  -o content_filter=scan:127.0.0.1:10023
[%- END %]
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
...

master.cf.in internal port after
Code:
...
[% pmg.mail.int_port %]       inet  n -       -       -       [% pmg.mail.max_smtpd_out %]      smtpd
[% IF pmg.mail.before_queue_filtering -%]
  -o smtpd_proxy_filter=127.0.0.1:10023
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_client_connection_count_limit=[% pmg.mail.conn_count_limit div 5 %]
[%- ELSE -%]
  -o content_filter=scan:127.0.0.1:10023
[%- END %]
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=check_policy_service,inet:127.0.0.1:10045
...
 
Reactions: flames and hata_ph
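
Added example (not part of the original post, and not Proxmox or postfwd code): the request/response exchange that `check_policy_service` performs against a policy daemon, run here against a small stand-in server that models the rule set from the post so it works offline. `RULES`, `decide`, `Handler`, `query` and `demo` are names made up for this example, and the sample addresses and senders are constructed.

```python
import ipaddress, socket, socketserver, threading

# Constructed model of the post's postfwd.cf (not postfwd itself):
# client networks -> sender domains they may use.
RULES = [(("172.18.1.1/32", "172.18.1.2/32"), ("example.de", "example.com"))]
REJECT = "reject Your mail server is not authorized to send mails for this domain"

def decide(attrs):
    """Repeated items are ORed, different items ANDed; no match -> default."""
    ip = ipaddress.ip_address(attrs["client_address"])
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    for nets, domains in RULES:
        if any(ip in ipaddress.ip_network(n) for n in nets) and domain in domains:
            return "dunno"
    return REJECT  # in this model the null sender "<>" also lands here

class Handler(socketserver.StreamRequestHandler):
    """Stand-in policy server: name=value lines, empty line ends a request."""
    def handle(self):
        attrs = {}
        for raw in self.rfile:
            line = raw.decode().rstrip("\r\n")
            if line:
                key, _, value = line.partition("=")
                attrs[key] = value
            else:
                self.wfile.write(f"action={decide(attrs)}\n\n".encode())
                attrs = {}

def query(addr, client_address, sender):
    """Send the attributes smtpd would send and return the action text."""
    # With Postfix's default smtpd_delay_reject=yes, sender restrictions
    # are evaluated at RCPT TO, hence protocol_state=RCPT.
    req = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
           f"client_address={client_address}\nsender={sender}\n\n")
    with socket.create_connection(addr, timeout=5) as s, s.makefile() as f:
        s.sendall(req.encode())
        return f.readline().strip().partition("=")[2]

def demo():
    cases = [("172.18.1.1", "a@example.com"),   # listed IP, listed domain
             ("172.18.1.1", "a@customer.de"),   # listed IP, foreign domain
             ("172.18.1.9", "a@example.com")]   # unlisted IP
    with socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        results = [query(srv.server_address, ip, snd) for ip, snd in cases]
        srv.shutdown()
    return results

if __name__ == "__main__":
    print(demo())
```

Calling `query(("127.0.0.1", 10045), ...)` on the gateway sends the same request to the postfwd3 instance configured in the post, which lets the rule file be checked before real mail depends on it.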