mouss wrote:
D. Karapiperis wrote:
Wietse Venema wrote:
Since he asked for a "nice" way to specify this in Postfix, a "nice"
implementation of this would look like this:

/etc/postfix/main.cf:
    smtpd_sender_restrictions = permit_mydomain, reject_mynetworks

Where the details are hidden by restriction classes:

/etc/postfix/main.cf:
    restriction_classes = permit_mydomain, reject_mynetworks
    permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
    reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr

hash:/etc/postfix/sender_access
    example.com    permit

/etc/postfix/client_access.cidr
    192.168.0.0/24 reject must send mail as u...@example.com

Note that moving this into smtpd_recipient_restrictions would
make this an open relay, as anyone can claim to have a sender
address in your domain.

    Wietse
Many thanks for your replies, you really help a lot.

I cannot understand why, if we move the statement to
smtpd_recipient_restrictions, we will end up with an open relay.
Again, check_sender_access will examine the MAIL FROM, right?
And the client access the IP, right?


permit_mydomain returns a "permit", so the message is accepted and no
further checks are done. In particular, reject_unauth_destination is
skipped.

In short, if a spammer forges and sends as j...@example.com, the message is
accepted even if it goes to an external domain, and this is an open relay.



Will an open relay not take place if the checks are included in smtpd_sender_restrictions?
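
Added example, not part of the thread: a simplified Python model of how Postfix walks its restriction lists, run against both placements of the two restriction classes above. It assumes smtpd_recipient_restrictions holds `permit_mynetworks, reject_unauth_destination` as the relay guard; the sessions and the names `evaluate`, `SENDER_LAYOUT` and `RECIPIENT_LAYOUT` are constructed for illustration.

```python
import ipaddress

MYNETWORKS = ipaddress.ip_network("192.168.0.0/24")  # as in client_access.cidr
MYDOMAIN = "example.com"                             # as in sender_access

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def permit_mydomain(s):    # check_sender_access: listed sender domain -> permit
    return "permit" if domain(s["sender"]) == MYDOMAIN else "dunno"

def reject_mynetworks(s):  # check_client_access: client inside the CIDR -> reject
    return "reject" if ipaddress.ip_address(s["client"]) in MYNETWORKS else "dunno"

def permit_mynetworks(s):
    return "permit" if ipaddress.ip_address(s["client"]) in MYNETWORKS else "dunno"

def reject_unauth_destination(s):  # simplified: only MYDOMAIN counts as local
    return "dunno" if domain(s["rcpt"]) == MYDOMAIN else "reject"

def evaluate(restriction_lists, session):
    """Each list is read left to right and its first non-dunno result decides it.
    "permit" ends only the current list; "reject" refuses the message."""
    for restrictions in restriction_lists:
        for check in restrictions:
            result = check(session)
            if result == "reject":
                return "reject"
            if result == "permit":
                break
    return "accept"

RELAY_GUARD = [permit_mynetworks, reject_unauth_destination]  # assumed setting
# Placement from the post: classes in the sender list, guard in the recipient list.
SENDER_LAYOUT = [[permit_mydomain, reject_mynetworks], RELAY_GUARD]
# Placement the post warns about: classes ahead of the guard in the same list.
RECIPIENT_LAYOUT = [[permit_mydomain, reject_mynetworks] + RELAY_GUARD]

# Constructed sessions; the outside client uses a documentation address range.
forged = {"client": "203.0.113.9", "sender": "forged@example.com", "rcpt": "victim@example.net"}
inside_ok = {"client": "192.168.0.10", "sender": "user@example.com", "rcpt": "friend@example.net"}
inside_bad = {"client": "192.168.0.10", "sender": "user@example.org", "rcpt": "friend@example.net"}

if __name__ == "__main__":
    for name, layout in (("sender", SENDER_LAYOUT), ("recipient", RECIPIENT_LAYOUT)):
        for label, s in (("forged", forged), ("inside_ok", inside_ok), ("inside_bad", inside_bad)):
            print(f"{name:9} {label:10} -> {evaluate(layout, s)}")
```

In the sender placement the "permit" only closes the sender list, so reject_unauth_destination still sees the forged session; in the recipient placement the same "permit" closes the list that contains the guard.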









