Restricting mails to particular adress w.r.t. sender and size

Hi,

sorry if this a stupid question. I looked into the documentation, but didn't
find anything. I always found it quite difficult to setup mail servers.

In main.cf I have:
virtual_alias_maps = hash:/etc/postfix/virtual

And in /etc/postfix/virtual there is
mailinglist@mydomain.tld user1@domain1.com, user2@domain2.com, ...

How do I setup postfix such that all mails to mailinglist@mydomain.tld that are
not from a fixed set of adresses are rejected? How can I limit the message size
for the mails to this mailing list? These restrictions should be specific to
this mailing list, not for all mails in general.

Thanks,
Joachim

Joachim Reichel wrote:
> Hi,
>
> sorry if this a stupid question. I looked into the documentation, but
> didn't find anything. I always found it quite difficult to setup mail
> servers.
>
> In main.cf I have:
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> And in /etc/postfix/virtual there is
> mailinglist@mydomain.tld user1@domain1.com, user2@domain2.com, ...
>
> How do I setup postfix such that all mails to mailinglist@mydomain.tld
> that are not from a fixed set of adresses are rejected? How can I limit
> the message size for the mails to this mailing list? These restrictions
> should be specific to this mailing list, not for all mails in general.
>
You do not say if you are using a mailing list manager, if you are not
I would recommend it, I think mailman can do most of the things you want
to do, and it works nicely woth postfix.

Joachim Reichel schrieb:
> sorry if this a stupid question. I looked into the documentation, but
> didn't find anything. I always found it quite difficult to setup mail
> servers.
>
> In main.cf I have:
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> And in /etc/postfix/virtual there is
> mailinglist@mydomain.tld user1@domain1.com, user2@domain2.com, ...
>
> How do I setup postfix such that all mails to mailinglist@mydomain.tld
> that are not from a fixed set of adresses are rejected?

You will need to have a table to validate the senders against,
then you can limit your list address (I'd call it distribution
group rather than mailing list, as the latter implies more
elaborate control over its workings than a virtual_alias_map
gives) using a restriction class. Have a look at
http://www.postfix.org/RESTRICTION_CLASS_README.html which
will give you a head start in the right direction.

> How can I limit
> the message size for the mails to this mailing list? These restrictions
> should be specific to this mailing list, not for all mails in general.

Seeing that the real message size can only be determined after the
message data has been submitted, you can't use smtpd_xxx_restrictions
here, as they happen too early (though ESMTP knows about the SIZE
keyword from the client, this is by no means reliable). Thus the way
to go would be either a content filter that knows about size checking,
or, preferrably, a policy daemon (with at least postfix 2.2, as 2.1
still used the size value supplied in the SMTP dialog).

If you're somewhat proficient with Perl, you shouldn't have trouble
building your own policy daemon that compares the actual message size
against a hash value for a recipient address. The docs give a number
of pointers in
http://www.postfix.org/SMTPD_POLICY_README.html

HTH
-Chris

Hi,

>> How do I setup postfix such that all mails to mailinglist@mydomain.tld
>> that are not from a fixed set of adresses are rejected?
[...]
> gives) using a restriction class. Have a look at
> http://www.postfix.org/RESTRICTION_CLASS_README.html which
> will give you a head start in the right direction.

Thanks, it works now.

>> How can I limit the message size for the mails to this mailing list?
>> These restrictions should be specific to this mailing list, not for
>> all mails in general.
>
> Seeing that the real message size can only be determined after the
> message data has been submitted, you can't use smtpd_xxx_restrictions
> here, as they happen too early (though ESMTP knows about the SIZE
> keyword from the client, this is by no means reliable). Thus the way
> to go would be either a content filter that knows about size checking,
> or, preferrably, a policy daemon (with at least postfix 2.2, as 2.1
> still used the size value supplied in the SMTP dialog).
>
> If you're somewhat proficient with Perl, you shouldn't have trouble
> building your own policy daemon that compares the actual message size
> against a hash value for a recipient address. The docs give a number
> of pointers in
> http://www.postfix.org/SMTPD_POLICY_README.html

Ok, I see how to proceed. If someone has a working script for the size limit,
please let me know.

@Martin: No, I don't use mailman (yet), though I might do in the future if the
setup gets more complex.

Thanks,
Joachim

Joachim Reichel schrieb:
>> If you're somewhat proficient with Perl, you shouldn't have trouble
>> building your own policy daemon that compares the actual message size
>> against a hash value for a recipient address. The docs give a number
>> of pointers in
>> http://www.postfix.org/SMTPD_POLICY_README.html
>
> Ok, I see how to proceed. If someone has a working script for the size
> limit, please let me know.

Ich habe mal im Archiv gewühlt und aus den Einzelteilen eines
nie produktiv geschalteten policy daemons etwas gestrickt, das
funktionieren sollte. Liegt auf
http://www.chrwinter.de/index.php?aid=24

Die netten Features daran sind, dass es eine BerkeleyDB verwendet
(d.h. "postmap message_sizes" funktioniert), sowohl auf die
volle Adresse als auch auf die Domain sucht und ins Syslog logt.
Auf die schnelle ist natürlich noch ein ganzer Teil hardgecodet,
der eigentlich konfigurierbar sein sollte.

Viele Grüße
-Christian

Christian Winter wrote:
> Joachim Reichel schrieb:
>>> If you're somewhat proficient with Perl, you shouldn't have trouble
>>> building your own policy daemon that compares the actual message size
>>> against a hash value for a recipient address. The docs give a number
>>> of pointers in
>>> http://www.postfix.org/SMTPD_POLICY_README.html
>>
>> Ok, I see how to proceed. If someone has a working script for the size
>> limit, please let me know.
>
> Ich habe mal im Archiv gewühlt und aus den Einzelteilen eines
> nie produktiv geschalteten policy daemons etwas gestrickt, das
> funktionieren sollte. Liegt auf
> http://www.chrwinter.de/index.php?aid=24
>
> Die netten Features daran sind, dass es eine BerkeleyDB verwendet
> (d.h. "postmap message_sizes" funktioniert), sowohl auf die
> volle Adresse als auch auf die Domain sucht und ins Syslog logt.
> Auf die schnelle ist natürlich noch ein ganzer Teil hardgecodet,
> der eigentlich konfigurierbar sein sollte.

Ups, that should have gone out per Mail, sorry for the German
intermezzo :)

It's a link to a quick-n-dirty policy daemon for size checking,
just meant as a starting point and not as a production tool.
Don't hit me if you stumble over the link above and find it
doesn't work ;)

In fact, I just realized it definitely won't work (as expected),
as "$attr->{recipient}" has to be swapped with "$attr->{sender}".
Too much copy'n'paste there.

-Chris, lately a bit uncoordinated

Christian Winter wrote:
> Joachim Reichel schrieb:
>>> If you're somewhat proficient with Perl, you shouldn't have trouble
>>> building your own policy daemon that compares the actual message size
>>> against a hash value for a recipient address. The docs give a number
>>> of pointers in
>>> http://www.postfix.org/SMTPD_POLICY_README.html
>>
>> Ok, I see how to proceed. If someone has a working script for the size
>> limit, please let me know.
>
> Ich habe mal im Archiv gewühlt und aus den Einzelteilen eines
> nie produktiv geschalteten policy daemons etwas gestrickt, das
> funktionieren sollte. Liegt auf
> http://www.chrwinter.de/index.php?aid=24
>
> Die netten Features daran sind, dass es eine BerkeleyDB verwendet
> (d.h. "postmap message_sizes" funktioniert), sowohl auf die
> volle Adresse als auch auf die Domain sucht und ins Syslog logt.
> Auf die schnelle ist natürlich noch ein ganzer Teil hardgecodet,
> der eigentlich konfigurierbar sein sollte.

Ups, that should have gone out per Mail, sorry for the German
intermezzo :)

It's a link to a quick-n-dirty policy daemon for size checking,
just meant as a starting point and not as a production tool.
Don't hit me if you stumble over the link above and find it
doesn't work ;)

-Chris

Hi,

>> Ich habe mal im Archiv gewühlt und aus den Einzelteilen eines
>> nie produktiv geschalteten policy daemons etwas gestrickt, das
>> funktionieren sollte. Liegt auf
>> http://www.chrwinter.de/index.php?aid=24
>>
>> Die netten Features daran sind, dass es eine BerkeleyDB verwendet
>> (d.h. "postmap message_sizes" funktioniert), sowohl auf die
>> volle Adresse als auch auf die Domain sucht und ins Syslog logt.
>> Auf die schnelle ist natürlich noch ein ganzer Teil hardgecodet,
>> der eigentlich konfigurierbar sein sollte.
>
> Ups, that should have gone out per Mail, sorry for the German
> intermezzo :)
>
> It's a link to a quick-n-dirty policy daemon for size checking,
> just meant as a starting point and not as a production tool.
> Don't hit me if you stumble over the link above and find it
> doesn't work ;)

meanwhile I found apolicy (http://www.apolicy.org). Probably I will use that.

Joachim