mouss wrote:
D. Karapiperis wrote:
Hi All
I have a question regarding postfix restrictions.

Is there a way for Postfix to enforce some kind of policy so that all
the outgoing (allowed) mails be " @business.com" and all the others be
rejected.
Of course this policy should be enforced only to the outgoing emails
not in the incoming.

- if mail comes from mynetworks, require that the sender address is
*...@example.com. you can do this with a restriction class based on
check_client_access.


Thanks for the reply

I did this

mynetworks = cidr:/etc/postfix/inside_network

smtpd_restriction_classes=
       from_inside_network

 from_inside_network =
      check_client_access cidr:/etc/postfix/inside_network


smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/sending-domains,
    reject_unauth_destination



/etc/postfix/inside_network
192.168.2.0/24 OK
127.0.0.0/8       OK


/etc/postfix/sending-domains
business.gr  from_inside_network

So I did a logical AND -> all clients from my network have the relay
privilege and moreover they can send e-mails only from business.gr
(hopefully)

This configuration is:

- ugly because you mix unrelated tasks. blocking relay and enforcing
outbound sender domain are two different tasks. The keywords here are:
clarity, self-documentation, maintenance, etc. some day, you may want to
allow your boss to post with his jackinthebox address, and you will edit
the "sending-domains" table. some day, you may want to allow some other
sender domains. That day, you will lose your hair trying to put ORs
inside your ANDs. De Morgan laws are hard to put in simple key-value maps.

- unsafe because if you or someone else edits sending-domains, you could
become an open relay. oh yes, bad things do happen.

- pointless. it brings nothing compared to what I suggested.


Unless you really know what you are doing and why (and even then, you
should think 3.1415... times [yeah, you'll have to do it until the last
digit of PI ;-p]),
- avoid using check_*_access before reject_unauth_destination
- use smtpd_recipient_restrictions for relay control and spam fighting
- use other restrictions to implement local policy (enforce outbound
sender domain as you want to do, make some addresses "local only", ...
etc).


PS. There is no point to reinvent built-in functionality (your
from_inside_network is exactly permit_mynetworks).


I need to test it on a production server.







Thanks for the reply.
I did the from_inside_network thing to do the logical AND regarding the sending domain. Is there any way to do this with permit_mynetworks?

Is there any way to permit local users (from the inside network) to send emails using the business domain in a clear and nice way in postfix?

thanks
Dimitris
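
One way to lay out the separation discussed in this thread (relay control in smtpd_recipient_restrictions, the outbound sender rule in its own restriction class selected by check_client_access), as an added example that is not part of the thread and not any participant's configuration. The class name outbound_sender_policy and the two table file names are hypothetical; the networks and the domain are the ones quoted in the messages above.

```cfg
# --- /etc/postfix/main.cf ---
# Networks taken from the thread; permit_mynetworks uses this list directly.
mynetworks = 192.168.2.0/24, 127.0.0.0/8

# Hypothetical class name. It is only reached by clients listed in
# inside_clients, so mail arriving from outside never sees it.
smtpd_restriction_classes = outbound_sender_policy
outbound_sender_policy =
    check_sender_access hash:/etc/postfix/outbound_senders,
    reject

# Local policy. Each smtpd_*_restrictions list is evaluated separately,
# so an OK returned here does not grant relay access.
smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/inside_clients

# Relay control only: no check_*_access before reject_unauth_destination.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- /etc/postfix/inside_clients (hypothetical file name, cidr table) ---
192.168.2.0/24    outbound_sender_policy
127.0.0.0/8       outbound_sender_policy

# --- /etc/postfix/outbound_senders (hypothetical file name, hash table) ---
# Run "postmap /etc/postfix/outbound_senders" after every edit.
business.gr       OK
```

Because the class ends in reject, inside clients are refused for every sender address not listed in outbound_senders, including the null sender. A mistaken OK in outbound_senders only loosens the sender policy; it cannot turn the host into an open relay, because reject_unauth_destination is still reached for clients outside mynetworks.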

