D. Karapiperis wrote:
> 
> 
> Hi All
>>
>> I have a question regarding postfix restrictions.
>>
>> Is there a way for Postfix to enforce some kind of policy so that all
>> the outgoing (allowed) mails be " @business.com" and all the others be
>> rejected.
>> Of course this policy should be enforced only to the outgoing emails
>> not in the incoming.
>>
> 
> 
> - if mail comes from mynetworks, require that the sender address is
> *...@example.com. you can do this with a restriction class based on
> check_client_access.
> 
> 
> Thanks for the reply
> 
> I did this
> 
> mynetworks = cidr:/etc/postfix/inside_network
> 
> smtpd_restriction_classes=
>        from_inside_network
> 
>  from_inside_network =
>       check_client_access cidr:/etc/postfix/inside_network
> 
> 
> smtpd_recipient_restrictions =
>     check_sender_access hash:/etc/postfix/sending-domains,
>     reject_unauth_destination
> 
> 
> 
> /etc/postfix/inside_network
> 192.168.2.0/24 OK
> 127.0.0.0/8       OK
> 
> 
> /etc/postfix/sending-domains
> business.gr  from_inside_network
> 
> So I did a logical AND -> all clients from my network have the relay
> privilege and moreover they can send e-mails only from business.gr
> (hopefully)

This configuration is:

- ugly because you mix unrelated tasks. Blocking relay and enforcing
outbound sender domain are two different tasks. The keywords here are:
clarity, self-documentation, maintenance, etc. Some day, you may want to
allow your boss to post with his jackinthebox address, and you will edit
the "sending-domains" table. Some day, you may want to allow some other
sender domains. That day, you will lose your hair trying to put ORs
inside your ANDs. De Morgan's laws are hard to put in simple key-value maps.

- unsafe because if you or someone else edits sending-domains, you could
become an open relay. Oh yes, bad things do happen.

- pointless. It brings nothing compared to what I suggested.


Unless you really know what you are doing and why (and even then, you
should think 3.1415... times [yeah, you'll have to do it until the last
digit of PI ;-p]),
- avoid using check_*_access before reject_unauth_destination
- use smtpd_recipient_restrictions for relay control and spam fighting
- use other restrictions to implement local policy (enforce outbound
sender domain as you want to do, make some addresses "local only", ...
etc).


PS. There is no point in reinventing built-in functionality (your
from_inside_network is exactly permit_mynetworks).


> I need to test it on a production server.
> 
> 
> 

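For readers who want to see the layout the reply recommends written out, here is an added main.cf fragment (not posted by anyone in the thread). It separates relay control (smtpd_recipient_restrictions) from local sender policy (a restriction class reached from smtpd_sender_restrictions), and uses permit_mynetworks instead of a hand-rolled class. The network ranges, the table names inside_policy and allowed_sender_domains, the class name inside_sender_policy and the domain example.com are all illustrative assumptions.

```ini
# Added example, not from the thread: main.cf laid out the way the reply
# recommends. Ranges, table/class names and example.com are assumptions.

mynetworks = 127.0.0.0/8, 192.168.2.0/24

# 1. Relay control and nothing else. The built-in permit_mynetworks replaces
#    the hand-rolled from_inside_network class, and no check_*_access entry
#    precedes reject_unauth_destination, so no table edit can open a relay.
#    (On Postfix 2.10 and later these two entries are what the default
#    smtpd_relay_restrictions already contains; it runs before this list.)
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# 2. Local policy, kept in a separate restriction list. A client inside
#    mynetworks must use an envelope sender (MAIL FROM) in an allowed domain;
#    anything else is answered with "Sender address rejected: Access denied".
#    Outside clients never match the cidr table, so inbound mail is untouched
#    and is still limited to our own recipients by reject_unauth_destination.
smtpd_restriction_classes = inside_sender_policy
inside_sender_policy =
    check_sender_access hash:/etc/postfix/allowed_sender_domains,
    reject

smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/inside_policy

# /etc/postfix/inside_policy  (cidr: tables need no postmap; value = class name)
#   192.168.2.0/24    inside_sender_policy
#   127.0.0.0/8       inside_sender_policy
#
# /etc/postfix/allowed_sender_domains  (run "postmap" after every edit)
#   example.com       OK
#   <>                OK   # optional: lets inside hosts send bounces (null sender,
#                          # looked up under smtpd_null_access_lookup_key)
#
# Allowing a second sender domain is one more "OK" line; no AND/OR juggling.
# A domain key also matches its subdomains under the default
# parent_domain_matches_subdomains setting.
```

Two caveats a practitioner should keep in mind: this checks only the SMTP envelope sender, not the From: header (that would need header_checks or a milter), and with the default smtpd_delay_reject = yes the rejection is actually delivered after RCPT TO, which is what you will see in the logs.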