article</a> I wrote about using Sendmail to block outbound email and at the same time allow email to specific domains or specific email addresses.</p>
<p>As I explained, Sendmail could handle blocking and selective relaying to domains effectively but could not easily handle adding specific email addresses to the mix. Below is a quick howto on setting up Postfix on Solaris 11 and configuring the blocking as required.</p>
<pre>
# svcadm disable svc:/network/smtp:sendmail

# pkg install developer/gcc-45
# pkg install library/gnutls
</pre>
<p>** Note that the postfix-install script kicks off during gmake install. You will note I used /usr/local for install_root since I do not want to taint anything on the regular paths. However, that does not work very well. I ended up having to move quite a few folders and files from /usr/local/usr/local to /usr/local. I will have to try this again and see if using / for install_root is acceptable for keeping things separate and not tainting system paths.</p>
<pre>
# wget http://postfix.bbnx.net/postfix-release/official/postfix-2.10.2.tar.gz
# gzip -d postfix-2.10.2.tar.gz
# tar xf postfix-2.10.2.tar
# cd postfix-2.10.2
# pwd
/usr/src/postfix-2.10.2

# gmake clean
# gmake makefiles MAKE=gmake CCARGS='-DNO_NIS -DUSE_TLS -lssl -lcrypto'
# gmake
# gmake install
...
/bin/sh postfix-install
...
install_root: [/] /usr/local/
tempdir: [/usr/src/postfix-2.10.2]
config_directory: [/etc/postfix]
command_directory: [/usr/sbin] /usr/local/sbin
daemon_directory: [/usr/libexec/postfix] /usr/local/libexec/postfix
data_directory: [/var/lib/postfix]
html_directory: [no]
mail_owner: [postfix]
mailq_path: [/usr/bin/mailq] /usr/local/bin/mailq
manpage_directory: [/usr/local/man]
newaliases_path: [/usr/bin/newaliases] /usr/local/bin/newaliases
queue_directory: [/var/spool/postfix]
readme_directory: [no]
sendmail_path: [/usr/lib/sendmail]
setgid_group: [postdrop]
...
</pre>
<p>Set up the user and group, and configure Postfix:</p>
<pre>
# groupadd postdrop
# useradd -d /export/home/postfix -s /usr/bin/bash -m postfix
80 blocks

# mkdir /etc/postfix
# cd /etc/postfix
# pwd
/etc/postfix

# grep -v ^# main.cf | grep ".$"
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
mynetworks = 10.2.0.0/16, 127.0.0.0/8
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/lib/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
inet_protocols = ipv4
header_checks = pcre:/etc/postfix/header_checks

# tail -4 header_checks
/^To: .*@domain1\.com/ FILTER smtp:mail.domain1.com
/^To: .*@domain2\.com/ ACCEPT
/^To: user@domain3\.com/ ACCEPT
/^To: .*/ REJECT
</pre>
<p>*** ACCEPT is not really a defined ACTION but for me this works. I will have to look into this closer. Maybe action should be INFO.</p>
<p>*** Note that domain1 needed to relay to a specific internal host whereas domain2 is an example of direct forwarding to the Internet.</p>
<p>Fix the /usr/local/usr/local installation. Should do a re-install and fix this.</p>
<pre>
mv /usr/local/etc/postfix/* /etc/postfix/

mkdir /usr/local/sbin
mkdir /usr/local/libexec/
mkdir /usr/local/libexec/postfix
mkdir /var/spool/postfix

mv /usr/local/usr/local/libexec/ /usr/local/
mv /usr/local/usr/local/libexec/postfix/postfix-script /usr/local/libexec/postfix/
mv /usr/local/usr/local/sbin/post* /usr/local/sbin/
mv /usr/local/usr/local/libexec/postfix/* /usr/local/libexec/postfix/

chgrp postdrop /usr/local/sbin/postqueue
chgrp postdrop /usr/local/sbin/postdrop
chmod +x /usr/local/sbin/postqueue
chmod +x /usr/local/sbin/postdrop

# set-gid only: Postfix expects postqueue and postdrop to be set-gid postdrop, not set-uid
chmod g+s /usr/local/sbin/postqueue
chmod g+s /usr/local/sbin/postdrop
</pre>
<p>Start and test:</p>
<pre>
# /usr/local/sbin/postfix start

# tail -f /var/log/syslog
</pre>
<p>TODO: Redo and fix installation and add to Solaris SMF.</p>
<p>Update 12.30.13:</p>
<p>More testing showed that this solution does not work well with mailing lists, i.e. multiple recipients in the To: field. After playing with a lot of different options I finally liked the idea of running multi-postfix. In short, that entails a 1st instance accepting mail on port 25, then splitting the message into multiple messages and feeding them to the 2nd instance on 127.0.0.1:10026 or whatever addresses and ports you prefer. The trick is to use the default_destination_recipient_limit = 1 option on the frontend instance. This seemed like an elegant solution, but for me my header checks were still not working like I want. After a lot of fiddling I decided to use a different approach. At some point I will document the two postfix instance solution since it might fit a lot of use cases.</p>
<p>The solution that I finally used was accepting mail on port 25 with python smtplib and then sanitizing the list before injecting back into sendmail on say 127.0.0.1:10026. The article here: <></p>
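<p>An added example, not the author's script: it contrasts the header_checks rules above, which return one verdict per To: header line, with a per-recipient allowlist applied to the envelope recipients, which is the "sanitizing the list" step described in the update. The function names, the allowlist sets and the sample addresses are constructed for illustration, and the rules are transcribed into Python's re module rather than run through Postfix.</p>

```python
import re
from email.utils import getaddresses

# The page's header_checks rules, transcribed for Python's re module.
# ACCEPT is kept as the page wrote it; header_checks(5) documents DUNNO
# as the action that ends the search without acting on the header.
HEADER_CHECKS = [
    (re.compile(r"^To: .*@domain1\.com"), "FILTER smtp:mail.domain1.com"),
    (re.compile(r"^To: .*@domain2\.com"), "ACCEPT"),
    (re.compile(r"^To: user@domain3\.com"), "ACCEPT"),
    (re.compile(r"^To: .*"), "REJECT"),
]
# Allowlist equivalent to those rules, applied per envelope recipient.
ALLOWED_DOMAINS = {"domain1.com", "domain2.com"}
ALLOWED_ADDRESSES = {"user@domain3.com"}


def header_action(header_line):
    """Return the action of the first matching rule: one verdict per header."""
    for pattern, action in HEADER_CHECKS:
        if pattern.search(header_line):
            return action
    return None


def sanitize_recipients(rcpt_tos):
    """Split envelope recipients into (allowed, dropped) using exact matches."""
    allowed, dropped = [], []
    for _name, addr in getaddresses(rcpt_tos):
        addr = addr.strip().lower()
        local, at, domain = addr.rpartition("@")
        ok = bool(local and at) and (
            addr in ALLOWED_ADDRESSES or domain in ALLOWED_DOMAINS
        )
        (allowed if ok else dropped).append(addr)
    return allowed, dropped


# Constructed sample messages: (To: header line, envelope RCPT TO list).
SAMPLES = [
    ("To: alice@domain2.com, carol@other.example",
     ["alice@domain2.com", "carol@other.example"]),
    ("To: dave@domain2.com.example.net", ["dave@domain2.com.example.net"]),
    ("To: user@domain3.com", ["<User@Domain3.com>", "erin@other.example"]),
]

if __name__ == "__main__":
    for header, rcpts in SAMPLES:
        print(header_action(header), sanitize_recipients(rcpts))
```

<p>All three constructed headers match an ACCEPT rule, while the per-recipient check drops every address that is not on the allowlist.</p>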