Kevin P. Knox wrote:
> If you all would be so kind, I need a "pointer" in the general direction. I
> think I'm on the right track, but here's the situation.
> I have a Postfix server that performs SMTP relay services ONLY. It relays for
> about six domain names. Final delivery of these six domains is handled by
> three SMTP servers behind our firewall. I want to prevent Internet based
> SMTP servers from forging messages to my users from addresses set to be one
> of our domains. In other words, the ONLY sending server that should EVER send
> messages from mydomain.com is 1.2.3.4 (or perhaps 1.2.3.0/24). I want to
> prevent any other host from sending a message having an envelope sender other
> than 1.2.3.0/24. However, I NEED for 1.2.3.4 to be able to send messages
> from all other envelope senders. This particular internal host in question
> is an IBM mainframe and I'm afraid I'm not terribly knowledgeable on its SMTP
> server at the moment.
No need for restriction classes if the requirement is:
{allow any sender from the specified client}
{reject your domains as sender from any other client}.
# main.cf  (continuation lines must be indented)
smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/ibmclient
    check_sender_access hash:/etc/postfix/rejectmydomains

# /etc/postfix/ibmclient  (cidr table; a bare address means /32)
1.2.3.4 OK

# /etc/postfix/rejectmydomains  (hash table; run "postmap" after editing)
example1.com REJECT unauthorized use of sender domain
example2.com REJECT unauthorized use of sender domain
example3.com REJECT unauthorized use of sender domain
From your description I'm making the assumption that the set
of clients allowed to relay ($mynetworks) is different from
the set of clients allowed to use these domains as sender.
That's somewhat unusual. If my assumption is wrong, just add
the IBM IP to $mynetworks and use permit_mynetworks rather
than the cidr table above. (Either way will work, but using
permit_mynetworks is easier.)
--
Noel Jones
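The following is an added illustration, not code from either poster or from Postfix itself. It models how Postfix walks the two-entry smtpd_sender_restrictions list above: a cidr: client table is searched in file order and the first match wins, and check_sender_access tries the full address, then the domain and each of its parent domains (the default parent_domain_matches_subdomains setting covers smtpd_access_maps, so mail.example1.com matches an example1.com entry), then localpart@. An OK or REJECT result ends the list; no match falls through, and a final DUNNO leaves the decision to the later relay/recipient restrictions. The tables are inline copies of the ones in the post, the MYNETWORKS value for the permit_mynetworks alternative is assumed, and the sample sessions are constructed. Note that check_sender_access tests the envelope MAIL FROM only; a forged From: header over an unrelated envelope sender is not caught by this restriction.

```python
"""Model of the smtpd_sender_restrictions evaluation from the post.
Added illustration; not Postfix source. Runs without a Postfix install."""
import ipaddress

# Constructed copy of /etc/postfix/ibmclient (cidr: table, first match wins).
# A bare address in a cidr: table is treated as a /32.
IBMCLIENT_CIDR = [
    ("1.2.3.4", "OK"),
]

# Constructed copy of /etc/postfix/rejectmydomains (hash: access table).
REJECTMYDOMAINS = {
    "example1.com": "REJECT unauthorized use of sender domain",
    "example2.com": "REJECT unauthorized use of sender domain",
    "example3.com": "REJECT unauthorized use of sender domain",
}

# Assumed $mynetworks for the permit_mynetworks alternative (not from the post).
MYNETWORKS = ["127.0.0.0/8", "1.2.3.0/24"]


def cidr_lookup(table, client_ip):
    """check_client_access cidr:... entries are tried in file order."""
    ip = ipaddress.ip_address(client_ip)
    for pattern, action in table:
        if ip in ipaddress.ip_network(pattern, strict=False):
            return action
    return None  # no entry matched


def sender_access_lookup(table, sender):
    """check_sender_access hash:... lookup order: full address, then the
    domain and each parent domain, then localpart@."""
    if sender == "":
        # Null sender (bounces) is looked up under smtpd_null_access_lookup_key.
        return table.get("<>")
    localpart, _, domain = sender.rpartition("@")
    if sender in table:
        return table[sender]
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return table.get(localpart + "@")


def permit_mynetworks(client_ip):
    """permit_mynetworks: OK when the client is inside any $mynetworks block."""
    return cidr_lookup([(net, "OK") for net in MYNETWORKS], client_ip)


def evaluate_sender_restrictions(client_ip, sender, use_mynetworks=False):
    """Walk the restriction list. OK or REJECT ends the list; no match (or
    DUNNO) falls through. A final DUNNO means the later lists
    (smtpd_relay_restrictions / smtpd_recipient_restrictions) decide."""
    if use_mynetworks:
        first = lambda: permit_mynetworks(client_ip)
    else:
        first = lambda: cidr_lookup(IBMCLIENT_CIDR, client_ip)
    restrictions = [first, lambda: sender_access_lookup(REJECTMYDOMAINS, sender)]
    for restriction in restrictions:
        result = restriction()
        if result is None or result.upper() == "DUNNO":
            continue
        if result.upper() == "OK" or result.upper().startswith("REJECT"):
            return result
        raise ValueError(f"unsupported access action: {result}")
    return "DUNNO"


if __name__ == "__main__":
    # Constructed sample sessions: (client IP, envelope MAIL FROM).
    for ip, mail_from in [("1.2.3.4", "any@partner.example.net"),
                          ("1.2.3.4", "user@example1.com"),
                          ("1.2.3.5", "user@example1.com"),
                          ("203.0.113.7", "user@mail.example2.com"),
                          ("203.0.113.7", "user@other.example.org")]:
        verdict = evaluate_sender_restrictions(ip, mail_from)
        print(f"{ip:>12} {mail_from:<28} -> {verdict}")
```

The 1.2.3.5 case shows why the cidr entry is a /32: a second mainframe-side host in the same /24 is still rejected for the protected domains unless the entry is widened to 1.2.3.0/24 or, as Noel suggests, the host is in $mynetworks and permit_mynetworks is used instead.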