[BlueOnyx:26522] Re: Postfix: Allow relay access by IP (and hostname)

Chad Bersche chad at bersche.com
Tue Sep 26 12:02:27 -05 2023


Hi Michael!

I missed this email last night, but apparently this morning at 6am when 
the RPMs came in, it started working, automagically.  I know this 
because the backlog of outgoing emails from things that hadn't been 
working then triggered rate alerts from my upstream provider.  In the 
intervening time when emails weren't getting relayed, apparently the 
attempts and retries, etc. had accumulated in the database and there 
were upwards of 100,000 emails that would have been headed outbound.  
That made me look for emails about the fix, and there it was.  I then 
frantically started trying to STOP 100K emails from getting delivered.

I'm assuming, from the implementation and what I found in the mynetworks 
entry, it will take pretty much anything listed in the Relay field from 
the UI and put it directly in.  That would allow the use of a CIDR 
netmask to be part of the entry and then be passed directly into the 
Postfix config in that same manner.  I've not been able to test that 
yet, but now that I've sorted the backlog, I'll start playing more with 
the relaying functionality.

Very much appreciate the fix, and hope others find it useful as well!

Thanks!

   -- Chad


On 9/25/2023 8:59 PM, Michael Stauber wrote:
> Hi Chad,
>
>> Your original recommendation was:
>>
>> "Change your "mynetworks" line in /etc/postfix/main.cf to something like
>> this if you want to allow the whole 192.168.0.0/16 network to be able to
>> relay through it:
>>
>> mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/16
>>
>> I did this, but find that, when I execute the postfix restart, the 
>> main.cf gets rewritten, and mynetworks is updated to:
> I just published base-email-* RPMs for BlueOnyx 5210R and 5211R which 
> fix this issue.
>
> When you now restart Postfix, the "mynetworks" line in 
> /etc/postfix/main.cf will be rewritten to include the following:
>
> - Localhost IPv4
> - Localhost IPv6
> - All IP addresses bound to your server
> - All IPs and Hostnames from "Server Management" / "Network Services" /
>   "Email", "Advanced"-tab, field "Relay Email From Hosts/Domains/IP
>   Addresses"
>
> So anything you specify under "Server Management" / "Network Services" 
> / "Email" / "Advanced"-tab, field "Relay Email From Hosts/Domains/IP 
> Addresses" will be allowed to relay through your server without 
> authentication. That turns your Postfix into an open relay for the 
> specified hosts or IPs.
>
> Preferably you should *not* use Hostnames in that field, but only IPs. 
> But if need be, hostnames (of the sending servers) will also work, yet 
> these could be spoofed by someone who knows you allow that hostname to 
> relay.
>
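
An added example, not part of either message and not BlueOnyx code: a small audit of the rewritten "mynetworks" line that lists entries which are wide networks or not IP literals, since everything on that line relays without authentication. The sample main.cf text, the extra entries in it and the prefix-length thresholds are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the mynetworks value quoted in the thread, plus one
# hypothetical single IP and one hypothetical hostname entry.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/16,
    203.0.113.25 relay.example.com
inet_interfaces = all
"""

# Assumption: networks wider than these prefix lengths deserve a manual review.
REVIEW_PREFIX = {4: 24, 6: 64}


def mynetworks_entries(main_cf_text):
    """Return mynetworks values, following indented continuation lines."""
    entries, collecting = [], False
    for line in main_cf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a continuation
        if collecting and line[0] in " \t":
            entries += re.split(r"[,\s]+", line.strip())
            continue
        match = re.match(r"mynetworks\s*=\s*(.*)", line)
        collecting = bool(match)
        if match:  # a later mynetworks line replaces an earlier one
            entries = re.split(r"[,\s]+", match.group(1).strip())
    return [e for e in entries if e]


def classify(entry):
    """Return 'loopback', 'ok', 'broad' or 'non-ip' for one entry."""
    # Postfix writes IPv6 as [addr]/len; ipaddress wants addr/len.
    candidate = re.sub(r"^\[(.*)\](/\d+)?$", r"\1\2", entry)
    try:
        net = ipaddress.ip_network(candidate, strict=False)
    except ValueError:
        return "non-ip"  # hostname or table reference, not an IP literal
    if net.is_loopback:
        return "loopback"
    return "broad" if net.prefixlen < REVIEW_PREFIX[net.version] else "ok"


def relay_findings(main_cf_text):
    """Entries that can relay without authentication and need a second look."""
    pairs = [(e, classify(e)) for e in mynetworks_entries(main_cf_text)]
    return [(e, kind) for e, kind in pairs if kind in ("broad", "non-ip")]
```

Running relay_findings() over the contents of /etc/postfix/main.cf after a Postfix restart shows what the rewrite actually put on the line.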


