D. Karapiperis wrote:
> Wietse Venema wrote:
>> Since he asked for a "nice" way to specify this in Postfix, a "nice"
>> implementation of this would look like this:
>>
>> /etc/postfix/main.cf:
>>     smtpd_sender_restrictions = permit_mydomain, reject_mynetworks
>>
>> Where the details are hidden by restriction classes:
>>
>> /etc/postfix/main.cf:
>>     restriction_classes = permit_mydomain, reject_mynetworks
>>     permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
>>     reject_mynetworks = check_client_access
>>         cidr:/etc/postfix/client_access.cidr
>>
>> hash:/etc/postfix/sender_access
>>     example.com permit
>>
>> /etc/postfix/client_access.cidr
>>     192.168.0.0/24 reject must send mail as u...@example.com
>>
>> Note that moving this into smtpd_recipient_restrictions would
>> make this an open relay, as anyone can claim to have a sender
>> address in your domain.
>>
>> Wietse
>>
>
> Many thanks for your replies, you really help a lot.
>
> I cannot understand why if we move the statement on the
> smtpd_recipient_restrictions will end up on open relay.
> Again check_sender_access will examine the MAIL FROM right?
> and the client access the IP, right?
>

permit_mydomain returns a "permit", so the message is accepted and no further checks are done. In particular, reject_unauth_destination is skipped. In short, if a spammer sends as j...@example.com, the message is accepted even if it goes to an external domain, and this is an open relay.
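
The first-match behaviour discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a small Python model of how each restriction list is walked. The recipient list (`permit_mynetworks, reject_unauth_destination`), the simplified `reject_unauth_destination`, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-ins for the thread's tables (assumptions, not real data).
MY_DOMAIN = "example.com"                            # hash:/etc/postfix/sender_access
MY_NETWORK = ipaddress.ip_network("192.168.0.0/24")  # client_access.cidr

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def permit_mydomain(s):            # class from the thread: sender in our domain
    return "permit" if domain(s["sender"]) == MY_DOMAIN else None

def reject_mynetworks(s):          # class from the thread: client in our network
    return "reject" if ipaddress.ip_address(s["client"]) in MY_NETWORK else None

def permit_mynetworks(s):
    return "permit" if ipaddress.ip_address(s["client"]) in MY_NETWORK else None

def reject_unauth_destination(s):  # simplified: only MY_DOMAIN counts as local
    return None if domain(s["rcpt"]) == MY_DOMAIN else "reject"

def run_list(restrictions, session):
    """The first restriction that returns a verdict ends the list."""
    for check in restrictions:
        verdict = check(session)
        if verdict:
            return verdict, check.__name__
    return "permit", "end of list"

def smtpd_decision(config, session):
    """A reject in any list is final; a permit only ends its own list."""
    for stage in ("sender", "recipient"):
        verdict, by = run_list(config[stage], session)
        if verdict == "reject":
            return f"reject ({stage}: {by})"
    return "accept"

# Recipient list below is an assumed typical relay policy, not from the thread.
AS_POSTED = {"sender": [permit_mydomain, reject_mynetworks],
             "recipient": [permit_mynetworks, reject_unauth_destination]}
MOVED = {"sender": [],
         "recipient": [permit_mydomain, reject_mynetworks,
                       permit_mynetworks, reject_unauth_destination]}

# Constructed session: outside client, forged local sender, external recipient.
FORGED = {"client": "203.0.113.7", "sender": "someone@example.com",
          "rcpt": "user@example.net"}

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("moved", MOVED)):
        print(f"{name:10} -> {smtpd_decision(cfg, FORGED)}")
```

On Postfix 2.10 and later, relay control can also be placed in `smtpd_relay_restrictions`, which is a separate list from `smtpd_recipient_restrictions`, so a permit in the recipient list does not skip it.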