Drew Derbyshire wrote:
> I've got a postfix server running which accepts several domains on its
> primary smtpd (kew.com, *.wild.kew.com, thinfilmmfg.com,
> *.wild.thinfilmmfg.com, ...), all protected by the usual (and some
> unusual) SPAM filters. Life is good.
>
> I'd like to set up a secondary smtpd on a second IP address with its
> own MX record which accepts mail for an additional domain
> (*.bff.kew.com) with fewer checks, but does NOT accept mail for the
> other domains listed above. I did a master.cf like this, but it accepts
> the wrong (original) domains defined in main.cf and the virtual domains
> configuration:
>
> primary.kew.com:smtp inet n - n - - smtpd
>     -o content_filter=huntress:
>     -o cleanup_service_name=scrubber
>     -o smtpd_tls_cert_file=/usr/local/certs/fantasy-factory.kew.com.pem
>     -o smtpd_tls_key_file=/usr/local/certs/fantasy-factory.kew.com.pem
>     -o smtpd_tls_security_level=may
>     -o smtpd_tls_auth_only=yes
> primary.kew.com:10025 inet n - n - - smtpd
>     -o smtpd_tls_cert_file=/usr/local/certs/fantasy-factory.kew.com.pem
>     -o smtpd_tls_key_file=/usr/local/certs/fantasy-factory.kew.com.pem
>     -o smtpd_tls_security_level=encrypt
>     -o smtpd_tls_auth_only=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_sasl_security_options=noanonymous
> secondary.kew.com:smtp inet n - n - - smtpd
>     -o content_filter=huntress:
>     -o relay_domains=mail.kew.com,.mail.kew.com
>     -o virtual_alias_domains=mail.kew.com,.mail.kew.com
>     -o smtpd_tls_cert_file=/usr/local/certs/ffactory.kew.com.pem
>     -o smtpd_tls_key_file=/usr/local/certs/ffactory.kew.com.pem
>     -o smtpd_tls_security_level=may
>     -o smtpd_tls_auth_only=yes
>     -o smtpd_recipient_restrictions=
>
> Where did I blow it, and more importantly, how do I fix it?
You can't have an empty smtpd_recipient_restrictions, as this would mean all mail is accepted, making you a universal open relay.

Instead of changing the list of domains (see Wietse's mail), you can list all domains (primary and secondary), then use check_recipient_access to reject on the "wrong MX". For example:

secondary:smtp ...
    -o mynetworks=127.0.0.1
    -o smtpd_sender_restrictions=${smtpd2_sender_restrictions}
    -o smtpd_recipient_restrictions=${smtpd2_recipient_restrictions}

== main.cf:
smtpd2_sender_restrictions =
    check_recipient_access hash:/etc/postfix/secondary_domains
    reject
smtpd2_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

== secondary_domains
secondary.kew.com    OK

and do the opposite on the primary (reject mail to *...@secondary....).
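The two listeners paired up as the reply describes, written out as an added example (not configuration from the thread). It assumes the secondary's domain is bff.kew.com as in the question, that the listeners keep their existing domain lists, and uses the file names not_on_primary and secondary_domains; the TLS and content_filter options from the original master.cf are left out.

```conf
# --- main.cf additions ---
# Both listeners see the same domain lists; only the access maps decide
# which listener accepts which recipient. check_recipient_access inside
# smtpd_sender_restrictions works because the default smtpd_delay_reject = yes
# defers every check to RCPT TO, when the recipient is known.
# Postfix 2.10 and later also evaluate smtpd_relay_restrictions; leave its
# default (permit_mynetworks, permit_sasl_authenticated,
# reject_unauth_destination) in place on both listeners.

# Primary MX: refuse recipients that belong to the secondary's domain, then
# continue with the usual anti-spam checks (append them after
# reject_unauth_destination).
smtpd1_sender_restrictions =
    check_recipient_access hash:/etc/postfix/not_on_primary
smtpd1_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# Secondary MX: accept only the secondary's domain, refuse everything else.
smtpd2_sender_restrictions =
    check_recipient_access hash:/etc/postfix/secondary_domains
    reject
smtpd2_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# --- master.cf (TLS and content_filter -o lines omitted) ---
# Values with whitespace are passed through main.cf parameters, as above.
primary.kew.com:smtp    inet  n  -  n  -  -  smtpd
    -o smtpd_sender_restrictions=${smtpd1_sender_restrictions}
    -o smtpd_recipient_restrictions=${smtpd1_recipient_restrictions}
secondary.kew.com:smtp  inet  n  -  n  -  -  smtpd
    -o mynetworks=127.0.0.1
    -o smtpd_sender_restrictions=${smtpd2_sender_restrictions}
    -o smtpd_recipient_restrictions=${smtpd2_recipient_restrictions}

# --- /etc/postfix/not_on_primary (build: postmap hash:/etc/postfix/not_on_primary) ---
# Both the bare domain and the .domain form are listed so the match does not
# depend on the parent_domain_matches_subdomains setting.
bff.kew.com     REJECT Use the bff.kew.com MX for this domain
.bff.kew.com    REJECT Use the bff.kew.com MX for this domain

# --- /etc/postfix/secondary_domains (build: postmap hash:/etc/postfix/secondary_domains) ---
bff.kew.com     OK
.bff.kew.com    OK
```

After `postfix reload`, `postmap -q bff.kew.com hash:/etc/postfix/secondary_domains` should print OK and the same query against not_on_primary should print the REJECT line.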