Jacky Chan wrote:
Dears,
I have several digital senders (scanning machines) on site, which relay through my
Postfix 2.5 as the default email gateway. As a requirement, they can only send
mail to the INTRANET; I need to restrict those machines from sending mail to the
Internet.
Currently, I have set up a user-based restriction but with no SMTP authentication.
The details are: (example)
/etc/postfix/restricted_senders
/....@abc\.com/ local_only
/a...@abc.com/ OK
/etc/postfix/main.cf
smtpd_recipient_restrictions =
    check_sender_access regexp:/etc/postfix/restricted_senders,

**DANGER** an OK in the above map makes your server a
sender-based open relay. This is bad.

    permit_mynetworks, reject_unauth_destination
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
/etc/postfix/local_only
subdomain1.abc.com OK
subdomain2.abc.com OK
With the above settings, I can successfully restrict those machines from
sending outside. But I would like to clarify whether SMTP authentication is the
only way to identify the sender, because not all the machines
support SMTP client authentication. I am wondering whether I can set up a
restriction based on IP rather than sender, because the SMTP sender is not always
trusted.
Thank you very much.
Yes, it's easy to restrict relay access based on IP.
The easiest way to do that is by excluding them from mynetworks
http://www.postfix.org/postconf.5.html#mynetworks
# main.cf
mynetworks =
    !192.168.1.55
    !192.168.1.56
    192.168.1.0/24
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
--
Noel Jones
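
The following is an added example, not part of the original thread and not Postfix code: a small Python model of how the main.cf in the reply decides a RCPT TO, including what happens if the "!" exclusions are listed after the /24. The function names and LOCAL_DOMAINS are assumptions made for the illustration, and domain matching is simplified to an exact match.

```python
# Simplified model of the main.cf in the reply above; not Postfix source code.
import ipaddress

MYNETWORKS = ["!192.168.1.55", "!192.168.1.56", "192.168.1.0/24"]  # from the reply
LOCAL_DOMAINS = {"abc.com", "subdomain1.abc.com"}  # assumed domains the server accepts


def in_mynetworks(client_ip, patterns=MYNETWORKS):
    """Match left to right; the first hit decides, and '!' makes it an exclusion."""
    addr = ipaddress.ip_address(client_ip)
    for pattern in patterns:
        negate = pattern.startswith("!")
        if addr in ipaddress.ip_network(pattern.lstrip("!"), strict=False):
            return not negate
    return False


def rcpt_decision(client_ip, recipient, sasl_authenticated=False, patterns=MYNETWORKS):
    """Walk smtpd_recipient_restrictions in the order given in the reply.

    The envelope sender is never consulted, so a forged MAIL FROM changes nothing.
    """
    if in_mynetworks(client_ip, patterns):      # permit_mynetworks
        return "permit"
    if sasl_authenticated:                      # permit_sasl_authenticated
        return "permit"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain not in LOCAL_DOMAINS:             # reject_unauth_destination
        return "reject"
    return "permit"                             # end of list: Postfix permits


if __name__ == "__main__":
    misordered = ["192.168.1.0/24", "!192.168.1.55"]  # exclusion listed too late
    cases = [
        ("192.168.1.55", "user@abc.com", MYNETWORKS),
        ("192.168.1.55", "someone@example.org", MYNETWORKS),
        ("192.168.1.10", "someone@example.org", MYNETWORKS),
        ("192.168.1.55", "someone@example.org", misordered),
    ]
    for ip, rcpt, nets in cases:
        print(ip, rcpt, nets, "->", rcpt_decision(ip, rcpt, patterns=nets))
```

With the exclusions first, the scanners can reach only local recipients; with the misordered list the /24 matches first and the scanner is allowed to relay again.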