# Postfix mail relay + content filtering + sender restrict [solved]

## nekromancer

Hi,

I am trying to set up a mail filtering environment on my network, but I am stuck at one point. So I am requesting the help of the postfix gurus here for their infinite wisdom.

Also, anyone is free to re-use this setup, as even I found it quite hard to see a nice example online. The basic idea is that I have one open SMTP relay to which anyone can connect and send emails. That relay connects to another Linux system using STARTTLS and is authenticated via SASL with a username/password. That content filter system runs postfix; it's supposed to verify that the username is the same as the "from" line in the email. It sends the mail to an external content filter; when the content filter is done, the mail gets re-injected into postfix, which sends it to the mail server (TLS + user/pass). The mail server receives the mail and does another username/sender check before delivering.

Those username/sender checks are being ignored when email is sent via the relay. They work if I connect directly to the mail server and send a fake email.

The setup:

IP = 192.168.1.215
Purpose = No auth, open SMTP relay
Connects to = 192.168.1.214
Connect mode = STARTTLS with username + password

IP = 192.168.1.214
Purpose = Pass mail through content filter, then relay to mail server
Connects to = 192.168.1.213
Connect mode = STARTTLS with username + password

IP = 192.168.1.213
Purpose = Main mail server
Performs recipient checks (if username is equal to from address)

The problem:

Once the email reaches the main mail server, the recipient checks are completely ignored, thus allowing fake emails to be delivered.

192.168.1.215 (Open Relay No Auth)

/etc/postfix/main.cf

```
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no

# TLS parameters
# smtpd_* settings apply to inbound connections, smtp_* to the outbound hop
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
# Credentials used when this host authenticates to the next hop
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd
smtp_always_send_ehlo = yes
tls_random_source = dev:/dev/urandom

# Server parameters
myhostname = smtp-relay-1
mydomain = mail.net
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, $myhostname.$mydomain, $myhostname, filter.mail.net, $mydomain
mynetworks_style = subnet
smtpd_banner = $myhostname ESMTP $mail_name
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
unknown_local_recipient_reject_code = 550
biff = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
local_recipient_maps =
transport_maps = hash:/etc/postfix/transport
relayhost =
```

192.168.1.214 (Content Filter)

/etc/postfix/main.cf

```
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = yes
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# Restrictions are evaluated in order; the first permit or reject decides
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_sender_login_mismatch,
        reject_authenticated_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_address,
        reject_unauth_destination
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
# Maps each envelope sender to the SASL login(s) allowed to use it
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_sasl_authenticated_header = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd
smtp_always_send_ehlo = yes
tls_random_source = dev:/dev/urandom

# Server parameters
myhostname = mailfilter
mydomain = mail.net
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, $myhostname.$mydomain, $myhostname, filter.mail.net, mars.mail.net, $mydomain
mynetworks_style = subnet
smtpd_banner = $myhostname ESMTP $mail_name
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
unknown_local_recipient_reject_code = 550
biff = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
#local_recipient_maps =

# Content Filter
# Every message accepted by smtpd is handed to the "scan" transport in master.cf
content_filter = scan:[127.0.0.1]:10025
transport_maps = hash:/etc/postfix/transport
relayhost =
```

/etc/postfix/master.cf

```
# Scan service
# Hands mail to the external content filter listening on 127.0.0.1:10025
scan            unix    -       -       n       -       10      smtp
   -o smtp_send_xforward_command=yes
   -o smtp_enforce_tls=no

# Service to re-inject the email
# The content filter returns the scanned mail here; content_filter is cleared
# so it is not scanned a second time, and only localhost may connect
127.0.0.1:10026 inet    n       -       n       -       10      smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

/etc/postfix/controlled_envelope_senders

```
smtprelay1@smtp-relay1.mail.net smtprelay1@smtp-relay1.mail.net
```

192.168.1.213 (Mail Server)

/etc/postfix/main.cf

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $proces$
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
alias_maps = hash:/etc/mail/aliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.7.2/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.7.2/readme
myhostname = mars
mydomain = mail.net
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, $myhostname.$mydomain, filter.mail.net, smtp-relay-1.mail.net, $myhostname
mynetworks_style = subnet
home_mailbox = .maildir/
smtpd_banner = $myhostname ESMTP $mail_name
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
unknown_local_recipient_reject_code = 550
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname.$mydomain
smtpd_sasl_path = smtpd
# Restrictions are evaluated in order; the first permit or reject decides
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_sender_login_mismatch,
        reject_authenticated_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_address,
        reject_unauth_destination
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
# Maps each envelope sender to the SASL login(s) allowed to use it
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_sasl_authenticated_header = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
tls_smtp_use_tls = yes
```

/etc/postfix/controlled_envelope_senders

```
mailfilter@filter.mail.net  mailfilter@filter.mail.net
user1@mars.mail.net user1@mars.mail.net
```

Any help is greatly appreciated.

Last edited by nekromancer on Mon Jul 25, 2011 2:15 pm; edited 1 time in total
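An added example, not from the post above: a small model of how Postfix walks an smtpd_recipient_restrictions list and stops at the first restriction that decides, applied to the restriction order and the 192.168.1.213 sender map posted above. It shows why a permit listed ahead of the login-mismatch checks ends the evaluation, and what changes when reject_authenticated_sender_login_mismatch is moved in front of the permits; the client attributes (trusted subnet, local destination) are constructed for the scenarios.

```python
# Added example (not from the original post): toy first-match evaluation of the
# smtpd_recipient_restrictions lists posted above. Only the restrictions that
# matter for the question are modelled.

# Constructed from the posted 192.168.1.213 controlled_envelope_senders map.
SENDER_LOGIN_MAPS = {
    "mailfilter@filter.mail.net": {"mailfilter@filter.mail.net"},
    "user1@mars.mail.net": {"user1@mars.mail.net"},
}

# Order as posted: both permits sit ahead of every sender-login check.
POSTED_ORDER = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
    "reject_sender_login_mismatch", "reject_authenticated_sender_login_mismatch",
    "reject_unauthenticated_sender_login_mismatch"]

# Same restrictions, with the check for authenticated clients moved before the permits.
CHECKED_ORDER = [
    "reject_authenticated_sender_login_mismatch", "permit_mynetworks",
    "permit_sasl_authenticated", "reject_unauth_destination",
    "reject_unauthenticated_sender_login_mismatch"]

def login_mismatch(sasl_user, mail_from):
    """Postfix's rule: MAIL FROM has an owner the client is not logged in as,
    or the client is logged in but does not own MAIL FROM."""
    owners = SENDER_LOGIN_MAPS.get(mail_from)
    if owners is not None and sasl_user not in owners:
        return True
    return bool(sasl_user) and owners is None

def mismatch_applies(restriction, sasl_user, mail_from):
    """The *_authenticated_* / *_unauthenticated_* variants fire only for that client class."""
    wants_auth = {"reject_authenticated_sender_login_mismatch": True,
                  "reject_unauthenticated_sender_login_mismatch": False}.get(restriction)
    if wants_auth is not None and wants_auth != bool(sasl_user):
        return False
    return login_mismatch(sasl_user, mail_from)

def evaluate(order, sasl_user, mail_from, in_mynetworks, local_dest):
    """Return (verdict, deciding restriction) for one RCPT TO; first match wins."""
    for r in order:
        if r == "permit_mynetworks" and in_mynetworks:
            return "permit", r
        if r == "permit_sasl_authenticated" and sasl_user:
            return "permit", r
        if r == "reject_unauth_destination" and not local_dest:
            return "reject", r
        if r.endswith("sender_login_mismatch") and mismatch_applies(r, sasl_user, mail_from):
            return "reject", r
    return "permit", "end of list"
```

With the posted order, the filter host (inside the trusted /24 and SASL-authenticated as mailfilter@) relaying a forged user1@ sender is permitted by the first entry, while a direct unauthenticated connection from outside the subnet is rejected by reject_sender_login_mismatch, which matches the behaviour described. In the hop-by-hop design above, once the check runs before the permits, each relay account (smtprelay1, mailfilter) would also have to be listed as an owner of every end-user sender it forwards, or the next hop rejects legitimately relayed mail as well.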

----------

## audiodef

What about using RBLs? See the Postfix/Cyrus link in my sig and this thread. You can skip through most of it, unless you want to review how you've set up your mail server, and check out the parts about using RBLs.

----------

## nekromancer

Thanks for the reply.

After reading a lot and a lot of sites and docs (including yours) I've finally solved my problems.

----------

