On Tuesday 11 November 2008 11:29, Noel Jones wrote:
> Kevin P. Knox wrote:
> > If you all would be so kind, I need a "pointer" in the general direction.
> >  I think I'm on the right track, but here's the situation.
> >
> > I have a Postfix server that performs SMTP relay services ONLY.  It
> > relays for about six domain names.  Final delivery of these six domains
> > is handled by three SMTP servers behind our firewall.  I want to prevent
> > Internet based SMTP servers from forging messages to my users from
> > addresses set to be one our domains.  In other words, the ONLY sending
> > server that should EVER send messages from mydomain.com is 1.2.3.4 (or
> > perhaps 1.2.3.0/24).  I want to prevent any other host from sending a
> > message having an envelope sender other than 1.2.3.0/24.  However, I NEED
> > for 1.2.3.4 to be able to send messages from all other envelope senders. 
> > This particular internal host in question is a IBM Mainframe and I'm
> > afraid I'm not terribly knowledgeable on its SMTP server at the moment.
>
> No need for restriction classes if the requirement is:
>   {allow any sender from the specified client}
>   {reject your domains as sender from any other client}.
>
> # main.cf
> smtpd_sender_restrictions =
>    check_client_access cidr:/etc/postfix/ibmclient
>    check_sender_access hash:/etc/postfix/rejectmydomains
>
> #ibmclient
> 1.2.3.4  OK
>
> # rejectmydomains
> example1.com  REJECT unauthorized use of sender domain
> example2.com  REJECT unauthorized use of sender domain
> example3.com  REJECT unauthorized use of sender domain
>
>
>  From your description I'm making the assumption that the set
> of clients allowed to relay ($mynetworks) is different from
> the set of clients allowed to use these domains as sender.
> That's somewhat unusual.  If my assumption is wrong, just add
> the IBM IP to $mynetworks and use permit_mynetworks rather
> than the cidr table above. (Either way will work, but using
> permit_mynetworks is easier.)


My Postfix server is running 2.2.10, so I don't "think" I can use CIDRs, but 
can possibly list the internal servers as 32 bit addresses?

Thanks!

... Kev
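The evaluation order Noel's configuration relies on (client access checked first, sender access second, first non-DUNNO result wins) can be simulated outside Postfix. The following is an added example written for this thread, not code from Postfix or from either poster; the tables are constructed from the sample entries quoted above, and the parent-domain lookup mirrors the default `parent_domain_matches_subdomains` behaviour for `smtpd_access_maps`:

```python
import ipaddress

# Constructed stand-ins for /etc/postfix/ibmclient (cidr) and
# /etc/postfix/rejectmydomains (hash); the addresses are the thread's samples.
IBM_CLIENT = [
    ("1.2.3.4/32", "OK"),
]
REJECT_MY_DOMAINS = {
    "example1.com": "REJECT unauthorized use of sender domain",
    "example2.com": "REJECT unauthorized use of sender domain",
    "example3.com": "REJECT unauthorized use of sender domain",
}


def check_client_access(client_ip, table):
    """cidr: table lookup -- first network containing the client wins."""
    ip = ipaddress.ip_address(client_ip)
    for cidr, action in table:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return action
    return "DUNNO"


def check_sender_access(sender, table):
    """hash: access map lookup for an envelope sender, in Postfix order:
    full address, then domain, then parent domains, then localpart@."""
    if "@" not in sender:
        return "DUNNO"
    local, domain = sender.rsplit("@", 1)
    domain = domain.lower()
    keys = [sender.lower(), domain]
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        keys.append(".".join(labels[i:]))      # sub.example1.com -> example1.com
    keys.append(local.lower() + "@")
    for key in keys:
        if key in table:
            return table[key]
    return "DUNNO"


def smtpd_sender_restrictions(client_ip, sender,
                              client_table=IBM_CLIENT,
                              sender_table=REJECT_MY_DOMAINS):
    """Walk the restriction list; DUNNO means 'try the next restriction'.
    A DUNNO at the end of the list is an implicit permit in Postfix."""
    for result in (check_client_access(client_ip, client_table),
                   check_sender_access(sender, sender_table)):
        if result != "DUNNO":
            return result
    return "DUNNO"


if __name__ == "__main__":
    for client, sender in [("1.2.3.4", "batch@example1.com"),
                           ("1.2.3.4", "anyone@elsewhere.org"),
                           ("5.6.7.8", "spoof@example1.com"),
                           ("5.6.7.8", "spoof@mail.example2.com"),
                           ("5.6.7.8", "legit@other.net")]:
        print(f"{client:10} {sender:28} -> "
              f"{smtpd_sender_restrictions(client, sender)}")
```

Swapping `("1.2.3.4/32", "OK")` for `("1.2.3.0/24", "OK")` in `IBM_CLIENT` gives the whole-subnet variant mentioned in the question; the subdomain case shows why a bare domain entry also covers `mail.example2.com` senders.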
