Setting the mynetworks parameter in main.cf

I may be misunderstanding the mynetworks parameter, and, frankly, http://www.postfix.org/basic.html#mynetworks isn't much help.

So maybe you guys can shed some light on this for me.

Because my server is behind a NAT, I have to set mynetworks in main.cf by hand.

I have two different offices and, thus, two local networks: 192.168.0.XXX and 192.168.1.XXX that are connected to each other via VPN.

Right now, I have mynetworks set to:

mynetworks = 127.0.0.1/32,192.168.0.12/32

However, this strikes me as wrong. It only specifies my server as being a part of mynetworks.

Shouldn't I include 192.168.0.0/24 and 192.168.1.0/24 in the list:

mynetworks = 127.0.0.1/32,192.168.0.0/24,192.168.1.0/24

... or am I misunderstanding the purpose of the mynetworks parameter?

XServe G5, Mac OS X (10.4.8)

Posted on Jan 7, 2007 9:23 AM


Jan 7, 2007 9:35 AM in response to Joel Mcintosh1

Hi Joel

What you include in mynetworks 'often' means the IPs which can relay without authentication (in a typical config permit_mynetworks has been added to smtpd_client_restrictions and smtpd_recipient_restrictions, and the full LAN has been added to mynetworks).

For example, if your smtpd_client_restrictions has a permit_mynetworks, then it will allow your LAN addresses to relay (permits and rejects are evaluated in order horizontally) without SMTP Auth. This is usually less desirable; it allows a rogue app, a wireless user, etc. to relay through your server without authenticating.

In a relatively secure installation, it's a good idea NOT to allow LAN addresses to relay without authentication, so not having your full LAN network in mynetworks increases the requirements to relay (a good thing). You can remove permit_mynetworks from your restrictions or leave mynetworks set to just the loopback address - then make sure all of your clients do use smtp-auth.


Jeff

Jan 7, 2007 9:55 AM in response to UptimeJeff

In a relatively secure installation, it's a good idea NOT to allow LAN addresses to relay without authentication, so not having your full LAN network in mynetworks increases the requirements to relay (a good thing). You can remove permit_mynetworks from your restrictions or leave mynetworks set to just the loopback address - then make sure all of your clients do use smtp-auth.


Jeff, thank you for the explanation. That makes a lot of sense.

All of my clients do use SASL authentication, and permit_sasl_authenticated is listed first in the restrictions you mentioned.

I'll leave the settings as they are.

Thanks again.

Jan 14, 2007 6:44 PM in response to Joel Mcintosh1

One last follow-up about this ...

In addition to loopback address, should I include the local IP of the server?

At this stage, the results of postconf -n are below.

mail:/etc/postfix root# postconf -n
always_bcc =
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 2h
disable_vrfy_command = yes
enable_server_options = yes
inet_interfaces = all
luser_relay =
mail_owner = postfix
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 0
mydestination = $myhostname,localhost.$mydomain,$mydomain
mydomain = prufrock.com
mydomain_fallback = localhost
myhostname = mail.prufrock.com
mynetworks = 127.0.0.1/32,192.168.0.12/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_pw_server_security_options = cram-md5,login,plain
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, hash:/etc/postfix/rejects, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client zen.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, permit
smtpd_tls_CAfile = /etc/certificates/mail.prufrock.com.chcrt
smtpd_tls_cert_file = /etc/certificates/mail.prufrock.com.crt
smtpd_tls_key_file = /etc/certificates/mail.prufrock.com.key
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550

Jan 15, 2007 11:28 AM in response to Joel Mcintosh1

Hey Joel,

You don't need it based on your config.

Look at what mynetworks is used for, look at your restrictions: it's only used for what you see...

Side note:
In some installs, permit_mynetworks is removed from some restrictions (smtpd_recipient_restrictions)... this would mean that webmail would need smtp-auth, or any rogue script on the system would need to auth to relay mail.

You have to look at your restrictions and make sure you have only the permits which you require, all of the rejects you prefer, and that the order horizontally is correct.

Jeff
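The point Jeff makes in both of his replies, that mynetworks only matters where permit_mynetworks sits in a restriction list and that the list is walked left to right, can be checked with a small Python model of that walk. This is an added example, not code from the thread or from Postfix: it reduces Joel's smtpd_recipient_restrictions to the entries that decide relaying, uses the thread's mydestination, and feeds in constructed client addresses.

```python
import ipaddress

# Constructed sample: the restrictions from the thread's postconf -n output,
# reduced to the entries that decide relaying, in their original order.
RECIPIENT_RESTRICTIONS = [
    "reject_non_fqdn_recipient",
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
    "permit",
]
# mydestination from the thread: $myhostname,localhost.$mydomain,$mydomain
MYDESTINATION = {"mail.prufrock.com", "localhost.prufrock.com", "prufrock.com"}

LOOPBACK_ONLY = "127.0.0.1/32,192.168.0.12/32"            # what Joel has now
WHOLE_LAN = "127.0.0.1/32,192.168.0.0/24,192.168.1.0/24"  # what he asked about

def in_mynetworks(client_ip, mynetworks):
    """True if client_ip falls inside any CIDR block listed in mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net.strip(), strict=False)
               for net in mynetworks.split(","))

def evaluate(mynetworks, client_ip, sasl_authenticated, recipient,
             restrictions=RECIPIENT_RESTRICTIONS):
    """Walk the list the way smtpd does: the first restriction that matches wins.
    Returns (decision, name of the restriction that decided)."""
    domain = recipient.rpartition("@")[2]
    for r in restrictions:
        if r == "reject_non_fqdn_recipient" and "." not in domain:
            return "reject", r
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit", r
        if r == "permit_mynetworks" and in_mynetworks(client_ip, mynetworks):
            return "permit", r
        if r == "reject_unauth_destination" and domain not in MYDESTINATION:
            return "reject", r
        if r == "permit":
            return "permit", r
    return "permit", "implicit end-of-list"  # Postfix permits when nothing matched

if __name__ == "__main__":
    # An unauthenticated host on the VPN-linked office LAN relaying outbound mail
    for nets in (LOOPBACK_ONLY, WHOLE_LAN):
        print(nets, "->", evaluate(nets, "192.168.1.50", False, "x@example.com"))
    # An authenticated client, and plain inbound mail, get through either way
    print(evaluate(LOOPBACK_ONLY, "192.168.1.50", True, "x@example.com"))
    print(evaluate(LOOPBACK_ONLY, "203.0.113.9", False, "joel@prufrock.com"))
```

With the loopback-only setting the unauthenticated LAN host stops at reject_unauth_destination; with both /24s in mynetworks the same host is permitted by permit_mynetworks before that reject is ever reached, which is the rogue-app case Jeff describes.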
