This article is based on CentOS 6.10 and Postfix 2.11.1.
postfix client based access control
- Client based access control
postfix has various built-in anti-spam mechanisms, including restrictions on the "client" that sends e-mail. The client checking mechanism lets you define a series of conditions that are evaluated against the information the client supplies:
smtpd_client_restrictions: controls restrictions on client connections (when the TCP connection is established)
smtpd_data_restrictions: controls restrictions applied when the client issues the DATA command
smtpd_helo_restrictions: controls restrictions on the host name given in the HELO command (helo)
smtpd_recipient_restrictions: controls restrictions on the recipient (rcpt to)
smtpd_sender_restrictions: controls restrictions on the sender (mail from)
Each of the parameters above is checked at a specific stage of the SMTP session, that is, at the stage in which the client supplies the corresponding information. When the client initiates a connection, postfix uses the smtpd_client_restrictions parameter defined in the configuration file to decide whether that client IP is permitted to connect, and then uses smtpd_helo_restrictions to judge the client according to the host name it gives in HELO.
If everything before the DATA command is accepted, the client can then start transmitting the mail content. The content usually consists of two parts: the first part is the header, which can be filtered with header_checks, and the second part is the body, which can be filtered with body_checks. Together these implement the "content check" of e-mail.
Lookup table
Access control file: /etc/postfix/access (hash format) -> /etc/postfix/access.db
tye@test.com reject
edison@test.com ok
The access table is usually referenced with check_client_access, check_helo_access, check_sender_access or check_recipient_access, followed by the table type and name in type:mapname format. check_sender_access and check_recipient_access check the e-mail address supplied by the client, so their access tables can use a complete e-mail address such as admin@test.com, a domain name such as test.com, or only the user part such as admin@.
Reject email sent by client 192.168.88.1
# Modify the /etc/postfix/access file:
192.168.88.1 REJECT
# Convert the access file to hash format:
postmap /etc/postfix/access
[root@mail ~]# ls /etc/postfix/access*
/etc/postfix/access  /etc/postfix/access.db
# Configure postfix to use this file to check the client.
# Edit /etc/postfix/main.cf and add the following parameter:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
# hash: means a DB file; the file name that follows is written without the .db suffix
# Restart postfix or reload the configuration file:
service postfix restart
# Test sending mail from the 192.168.88.1 machine:
[C:\~]$ telnet 192.168.88.135 25
Connecting to 192.168.88.135:25...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
220 Welcome to our mail.tye.com ESMTP,Warning:Version not Available!
helo mail.tye.com
250 mail.tye.com
mail from :root
501 5.5.4 Syntax: MAIL FROM:<address>
mail from: root
250 2.1.0 Ok
rcpt to: hadoop
**554 5.7.1 <unknown[192.168.88.1]>: Client host rejected: Access denied**
# Test from the server itself; everything is normal:
[root@mail ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 Welcome to our mail.tye.com ESMTP,Warning:Version not Available!
helo mail.tye.com
250 mail.tye.com
mail from: root
250 2.1.0 Ok
rcpt to: hadoop
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
123
1
,
.
250 2.0.0 Ok: queued as D8457BF30C
quit
221 2.0.0 Bye
Connection closed by foreign host.
Reject mail from any sender in the whitehouse.com domain
# Modify the /etc/postfix/access file as follows to control the sender's domain:
whitehouse.com REJECT
# Convert to a hash format file:
[root@mail ~]# postmap /etc/postfix/access
# Add the following line to the /etc/postfix/main.cf configuration:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access
[root@mail ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 Welcome to our mail.tye.com ESMTP,Warning:Version not Available!
helo mail.tye.com
250 mail.tye.com
mail from: sender@whitehouse.com
250 2.1.0 Ok
rcpt to: hadoop
**554 5.7.1 <sender@whitehouse.com>: Sender address rejected: Access denied**
Reject mail sent to the user hadoop (at any domain)
# Edit /etc/postfix/recipient so that local users cannot send mail to hadoop:
[root@mail ~]# vim /etc/postfix/recipient
hadoop@ REJECT
# Convert to a hash format file:
[root@mail ~]# postmap /etc/postfix/recipient
[root@mail ~]# ls /etc/postfix/recipient*
/etc/postfix/recipient  /etc/postfix/recipient.db
# Modify the postfix configuration file /etc/postfix/main.cf:
[root@mail ~]# vim /etc/postfix/main.cf
smtpd_recipient_restrictions = hash:/etc/postfix/recipient,permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
# Test sending mail:
[root@mail ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 Welcome to our mail.tye.com ESMTP,Warning:Version not Available!
helo mail.tye.com
250 mail.tye.com
mail from: tye@tye.com
250 2.1.0 Ok
rcpt to:hadoop
**554 5.7.1 <hadoop>: Recipient address rejected: Access denied**
- Description of checklist format
An access table (checklist) of the hash type uses the following format:
pattern action
Note: in the access table file, blank lines, lines containing only whitespace, and lines starting with # are ignored. A line that starts with whitespace followed by other non-blank characters is treated as a continuation of the previous line and forms part of that entry.
1) About pattern
The pattern is usually one of two kinds of address: an e-mail address or a host name / address.
The pattern formats for an e-mail address are as follows:
user@domain matches the specified e-mail address
domain.tld matches all e-mail addresses whose domain part is this domain name
user@ matches all e-mail addresses whose user part is this user name
The pattern formats for a host name / address are as follows:
domain.tld matches all hosts within the specified domain and its subdomains
.domain.tld matches all hosts within the subdomains of the specified domain
net.work.addr.ess, net.work.addr, net.work or net matches a specific IP address, or all hosts whose address begins with that prefix
network/mask matches all hosts in the specified network, in CIDR format
2) About action
Accept class actions:
OK accepts the e-mail address or host name / address that the pattern matches
An action consisting entirely of digits implicitly means OK
Reject class actions (in part):
4NN text
5NN text
A 4NN code means try again later; a 5NN code indicates a permanent error and the sending side will stop retrying. The codes 421 and 521 have special meaning for postfix; do not use these two codes in custom actions.
REJECT optional text... rejects the match; the text is optional
Deny optional text... Reject: text is optional
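The following is an added example, not code from the original article or from Postfix: a small Python model of how an access table such as /etc/postfix/access or /etc/postfix/recipient is parsed and looked up. It implements the "pattern action" format described above (comments, blank lines and continuation lines), the candidate-key order Postfix uses (user@domain, then domain and its parent domains, then user@; full IP, then shorter prefixes, then CIDR networks), and the OK / all-numeric / REJECT / 4NN / 5NN action rules. The sample table is constructed for the example and mirrors the entries used in the three tests earlier on the page; the assumption that domain.tld also matches subdomains follows the Postfix default for smtpd access maps (parent_domain_matches_subdomains). Only IPv4 clients are modelled.

```python
"""Added example (not Postfix code): simplified model of access(5) table lookups."""
import ipaddress
import re

# Constructed sample table mirroring the entries used in the tests above.
SAMPLE_TABLE = """\
# client blocklist (constructed sample, not a real table)
192.168.88.1        REJECT
10.0.0.0/8          OK
tye@test.com        reject
edison@test.com     ok
whitehouse.com      REJECT
hadoop@             554 hadoop mailboxes are closed
    until further notice
"""


def parse_table(text):
    """Return an ordered list of (pattern, action) tuples.
    Blank lines and '#' lines are skipped; a line starting with whitespace
    continues the previous entry's action text."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            pattern, action = entries[-1]
            entries[-1] = (pattern, action + " " + raw.strip())
            continue
        parts = raw.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access entry: {raw!r}")
        entries.append((parts[0].lower(), parts[1].strip()))
    return entries


def _email_keys(address):
    """user@domain, the domain and its parent domains, then user@.
    A bare local part such as 'hadoop' yields only 'hadoop@'."""
    user, _, domain = address.lower().partition("@")
    keys = [f"{user}@{domain}"] if domain else []
    labels = domain.split(".") if domain else []
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{user}@")
    return keys


def _host_keys(client):
    """Keys for a host name or IPv4 address, plus the parsed address (or None)
    so that CIDR patterns can be tried afterwards."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        labels = client.lower().split(".")
        keys = [client.lower()]
        for i in range(1, len(labels)):          # parent domains, both forms
            keys += [".".join(labels[i:]), "." + ".".join(labels[i:])]
        return keys, None
    octets = str(ip).split(".")                  # 1.2.3.4, 1.2.3, 1.2, 1
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)], ip


def lookup(entries, keys, ip=None):
    """First matching action for the candidate keys, then CIDR patterns."""
    table = dict(entries)
    for key in keys:
        if key in table:
            return table[key]
    if ip is not None:
        for pattern, action in entries:
            if "/" in pattern and ip in ipaddress.ip_network(pattern, strict=False):
                return action
    return None


def decide(action):
    """Map a table action to (verdict, smtp_code, text); verdict is 'ok',
    'reject', 'defer' or 'dunno' (no decision, later restrictions apply)."""
    if action is None:
        return ("dunno", None, "")
    word, _, text = action.partition(" ")
    upper = word.upper()
    if upper == "OK" or action.strip().isdigit():   # all-numeric action means OK
        return ("ok", 250, text)
    if re.fullmatch(r"[45]\d\d", word) and text:     # "4NN text" / "5NN text"
        return ("defer" if word[0] == "4" else "reject", int(word), text)
    if upper == "REJECT":                            # Postfix default code 554
        return ("reject", 554, text or "Access denied")
    if upper == "DEFER":                             # Postfix default code 450
        return ("defer", 450, text or "Try again later")
    return ("dunno", None, action)                   # FILTER, HOLD, ... not modelled


def check_client(entries, client):
    """check_client_access: evaluate a connecting host name or IP."""
    keys, ip = _host_keys(client)
    return decide(lookup(entries, keys, ip))


def check_address(entries, address):
    """check_sender_access / check_recipient_access: evaluate an address."""
    return decide(lookup(entries, _email_keys(address)))


ENTRIES = parse_table(SAMPLE_TABLE)

if __name__ == "__main__":
    for client in ("192.168.88.1", "10.20.30.40", "192.168.88.135"):
        print("client", client, check_client(ENTRIES, client))
    for addr in ("sender@whitehouse.com", "hadoop", "edison@test.com"):
        print("address", addr, check_address(ENTRIES, addr))
```

Running the script reproduces the three outcomes seen in the telnet sessions: the 192.168.88.1 client and the whitehouse.com sender are rejected with 554, and the bare recipient "hadoop" is caught by the hadoop@ pattern. A client such as 192.168.88.135 that matches nothing yields "dunno", which is the point to remember when ordering restriction lists: a table that does not match neither permits nor rejects, so the decision falls through to whatever restriction comes next.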