Sender Permit
Description

Allows sender-domain based permissions, bound to an IP address or a certificate. The most probable use case is that you want to open your mail server for relaying from allowed mail servers. If you use Postfix, this is also possible with Postfix classes, and probably faster.
This module has no extensive configuration options. However, the database entries can have five different flavors (formats), each of which you can disable if you do not require it.
Flavors
strict channel
In this case, the permission is defined by a sender domain and a recipient domain. In addition, the sender can only send from one distinct IP and has to present a certificate with a given subject and fingerprint.
Use Case: External sender, which delivers mail via SMTPS to a certain recipient (e.g. an automated report script).
Example:
    from_domain: sender.tld
    to_domain: recipient.tld
    fingerprint: C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
    subject: solaris9.porcupine.org
    ip: 123.123.123.123
loose channel
The sender (determined by IP) is allowed to send from a certain sender domain to a certain recipient domain. No certificate required.
Use Case: LAN or VPN sender, which delivers mail to a certain recipient (e.g. an automated report script).
Example:
    from_domain: sender.tld
    to_domain: recipient.tld
    fingerprint: *
    subject: *
    ip: 123.123.123.123
strict relaying
Same as strict channel, but the sender can target any recipient domain.
Use Case: Best relaying mode, if the sender has a static IP and delivers mail via SMTPS.
Example:
    from_domain: sender.tld
    to_domain: *
    fingerprint: C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
    subject: solaris9.porcupine.org
    ip: 123.123.123.123
loose ip based relaying
The sender can target any recipient and is identified by his IP only.
Use Case: The sender has a static IP and you trust your network. He can relay any mail. Warning: IP forging is possible. However, if the sender is in the LAN or in a VPN ...
Example:
    from_domain: sender.tld
    to_domain: *
    fingerprint: *
    subject: *
    ip: 123.123.123.123
loose cert based relaying
The sender can target any recipient and is identified by his certificate only.
Use Case: The sender has a dynamic IP but always provides the same certificate and wants to relay mail via your SMTP server.
Example:
    from_domain: sender.tld
    to_domain: *
    fingerprint: C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
    subject: solaris9.porcupine.org
    ip: *
Configuration
disable_strict_channel
Allowed values: Bool
Default: 0
Disable strict channel, set to 1 if you have no strict channel entries.
disable_loose_channel
Allowed values: Bool
Default: 0
Disable loose channel, set to 1 if you have no loose channel entries.
disable_strict_relaying
Allowed values: Bool
Default: 0
Disable strict relaying, set to 1 if you have no strict relaying entries.
disable_loose_ip_relaying
Allowed values: Bool
Default: 0
Disable loose ip relaying, set to 1 if you have no loose ip relaying entries.
disable_loose_cert_relaying
Allowed values: Bool
Default: 0
Disable loose cert relaying, set to 1 if you have no loose cert relaying entries.
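The five flavors and their disable_* switches expressed as a small matcher. This is an added example, not the module's own code: the wildcard semantics, the session dictionary layout and the rule that rows fitting none of the five flavors grant nothing are assumptions drawn from the descriptions above.

```python
# Added example, not the module's code: wildcard semantics are assumed
# from the five flavor descriptions. Sample rows are constructed.
FIELDS = ("from_domain", "to_domain", "fingerprint", "subject", "ip")
CASELESS = {"from_domain", "to_domain", "fingerprint"}

# (to_domain is "*", certificate is "*", ip is "*") -> documented flavor
FLAVORS = {
    (False, False, False): "strict_channel",
    (False, True, False): "loose_channel",
    (True, False, False): "strict_relaying",
    (True, True, False): "loose_ip_relaying",
    (True, False, True): "loose_cert_relaying",
}

def flavor_of(entry):
    """Name the flavor of a database row, or None if it fits none of the five."""
    fp_wild, subj_wild = entry["fingerprint"] == "*", entry["subject"] == "*"
    if entry["from_domain"] == "*" or fp_wild != subj_wild:
        return None  # wildcard sender or half-specified certificate
    return FLAVORS.get((entry["to_domain"] == "*", fp_wild, entry["ip"] == "*"))

def _match(field, pattern, value):
    if pattern == "*":
        return True
    if value is None:  # e.g. the client presented no certificate
        return False
    if field in CASELESS:
        return pattern.lower() == value.lower()
    return pattern == value

def permitted(entries, config, session):
    """Return the flavor that permits this session, or None if no row does."""
    for entry in entries:
        flavor = flavor_of(entry)
        # Rows outside the documented flavors, or of a disabled flavor, grant nothing.
        if flavor is None or config.get("disable_" + flavor, 0):
            continue
        if all(_match(f, entry[f], session.get(f)) for f in FIELDS):
            return flavor
    return None

CERT = {"fingerprint": "C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04",
        "subject": "solaris9.porcupine.org"}
ENTRIES = [  # constructed rows, reusing the values from the examples above
    {"from_domain": "sender.tld", "to_domain": "recipient.tld", "ip": "123.123.123.123", **CERT},
    {"from_domain": "roaming.tld", "to_domain": "*", "ip": "*", **CERT},
    {"from_domain": "sender.tld", "to_domain": "*", "fingerprint": "*", "subject": "*", "ip": "*"},
]
```

The third constructed row has every field but the sender domain set to `*`; it matches none of the five flavors, which makes `flavor_of` useful for auditing a table for entries that would otherwise act as an open relay for that domain.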
Usage suggestion
Use it as early as possible. Depending on the senders you want to allow, place it after the Basic, SPF and Association checks or at the very first position. Probably before any black- or whitelist.
Example
    ---
    timeout: 15
    disable: 0
    disable_strict_channel: 0
    disable_loose_channel: 0
    disable_strict_relaying: 0
    disable_loose_ip_relaying: 0
    disable_loose_cert_relaying: 0
Performance
Depends on the size of your dataset and the speed of your database, but rather fast in general. You can tune it by disabling unused flavors.