Kevin P. Knox wrote:
On Tuesday 11 November 2008 11:29, Noel Jones wrote:
Kevin P. Knox wrote:
If you all would be so kind, I need a "pointer" in the general direction.
I think I'm on the right track, but here's the situation.

I have a Postfix server that performs SMTP relay services ONLY.  It
relays for about six domain names.  Final delivery of these six domains
is handled by three SMTP servers behind our firewall.  I want to prevent
Internet based SMTP servers from forging messages to my users from
addresses set to be one of our domains.  In other words, the ONLY sending
server that should EVER send messages from mydomain.com is 1.2.3.4 (or
perhaps 1.2.3.0/24).  I want to prevent any other host from sending a
message having an envelope sender other than 1.2.3.0/24.  However, I NEED
for 1.2.3.4 to be able to send messages from all other envelope senders.
This particular internal host in question is an IBM Mainframe and I'm
afraid I'm not terribly knowledgeable on its SMTP server at the moment.
No need for restriction classes if the requirement is:
  {allow any sender from the specified client}
  {reject your domains as sender from any other client}.

# main.cf
smtpd_sender_restrictions =
   check_client_access cidr:/etc/postfix/ibmclient
   check_sender_access hash:/etc/postfix/rejectmydomains

#ibmclient
1.2.3.4  OK

# rejectmydomains
example1.com  REJECT unauthorized use of sender domain
example2.com  REJECT unauthorized use of sender domain
example3.com  REJECT unauthorized use of sender domain


From your description I'm making the assumption that the set
of clients allowed to relay ($mynetworks) is different from
the set of clients allowed to use these domains as sender.
That's somewhat unusual.  If my assumption is wrong, just add
the IBM IP to $mynetworks and use permit_mynetworks rather
than the cidr table above. (Either way will work, but using
permit_mynetworks is easier.)


My Postfix server is running 2.2.10, so I don't "think" I can use CIDRs, but can possibly list the internal servers as 32 bit addresses?

Thanks!

... Kev

Postfix 2.2 should support cidr tables.  Run:
# postconf -m
to list the available table types.

If you don't have cidr, you can use a hash table listing that single IP (do NOT specify a netmask such as /24 or /32 with hash tables). See "man 5 access" for a description of the search order.

1.2.3.4  OK

--
Noel Jones
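An added walk-through of how Postfix evaluates the restriction list Noel gave above (example code written for this page, not from the thread or from Postfix itself): it models first-match evaluation of smtpd_sender_restrictions and the access(5) lookup order for sender addresses, using the thread's table contents. The outside client 203.0.113.9 is a constructed address, and the parent-domain matching assumes the default parent_domain_matches_subdomains (which lists smtpd_access_maps).

```python
"""Model of the thread's smtpd_sender_restrictions (constructed example)."""
import ipaddress

# Constructed tables mirroring /etc/postfix/ibmclient (cidr, matched in
# file order) and /etc/postfix/rejectmydomains (hash) from the thread.
IBMCLIENT = [("1.2.3.4/32", "OK")]
REJECTMYDOMAINS = {
    "example1.com": "REJECT unauthorized use of sender domain",
    "example2.com": "REJECT unauthorized use of sender domain",
    "example3.com": "REJECT unauthorized use of sender domain",
}


def check_client_access(client_ip, sender):
    """check_client_access cidr:...: first network containing the client wins."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in IBMCLIENT:
        if addr in ipaddress.ip_network(net, strict=False):
            return action
    return None  # DUNNO: the table says nothing, fall through


def sender_lookup_keys(sender):
    """access(5) search order for an address: full address, then the domain
    and each parent domain (assumed default parent_domain_matches_subdomains),
    then the localpart followed by '@'."""
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    keys = [sender.lower()]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    return keys


def check_sender_access(client_ip, sender):
    """check_sender_access hash:...: first matching key wins."""
    for key in sender_lookup_keys(sender):
        if key in REJECTMYDOMAINS:
            return REJECTMYDOMAINS[key]
    return None


def smtpd_sender_restrictions(client_ip, sender):
    """Evaluate the list in order; the first non-DUNNO result decides, and
    an exhausted smtpd_sender_restrictions list permits (Postfix default)."""
    for check in (check_client_access, check_sender_access):
        result = check(client_ip, sender)
        if result is not None:
            return result
    return "OK"
```

Because the client check comes first and returns OK for 1.2.3.4, the mainframe may use any sender; every other client hits the domain table, where a forged example1.com sender is rejected while unrelated senders fall through to the default permit.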
