Re: Restriction Upon IP

Jacky Chan Sun, 18 Jan 2009 19:45:39 -0800

Noel Jones-2 wrote:
> 
> Jacky Chan wrote:
>> Dears,
>> 
>> I have serveral digital senders (scanning machine) on site, which relay
>> my
>> Postfix 2.5 as default email gateway. From my requirment, they can only
>> send
>> mail to INTRANET, I need to restrict those machines from sending mails to
>> Internet.
>> 
>> Currently, I setup a user based restriction but with no SMTP
>> authentication.
>> The details is: (example)
>> 
>> /etc/postfic/restricted_senders
>> /....@abc\.com/           local_only
>> /a...@abc.com/             OK
>> 
>> /etc/postfix/main.cf
>> smtpd_recipient_restrictions =
>>         check_sender_access regexp:/etc/postfix/restricted_senders,
> 
> **DANGER** an OK in the above map makes your server a 
> sender-based open relay.  This is bad.
> 
>> permit_mynetworks, reject_unauth_destination
>> smtpd_restriction_classes = local_only
>> local_only = check_recipient_access hash:/etc/postfix/local_domains,
>> reject
>> 
>> /etc/postfix/local_only
>> subdomain1.abc.com            OK
>> subdomain2.abc.com            OK
>> 
>> From the above setting, I can successfully restrict those machines from
>> sending outside. But I would like to carify that is it the only way to
>> identify the sender is by SMTP authentication, because not all the
>> machine
>> support SMTP client authentication. I am thinking, whether I can setup a
>> restriction based on IP rather than sender because SMTP sender is not
>> alwasy
>> trusted.
>> 
>> Thank you very much.
>> 
> 
> 
> Yes, it's easy to restrict relay access based on IP.
> 
> The easiest way to do that is by excluding them from mynetworks
> http://www.postfix.org/postconf.5.html#mynetworks
> 
> # main.cf
> mynetworks =
>    !192.168.1.55
>    !192.168.1.56
>    192.168.1.0/24
> smtpd_recipient_restrictions =
>    permit_mynetworks
>    permit_sasl_authenticated
>    reject_unauth_destination
> 
> 
> -- 
> Noel Jones
> 
> 

Thanks Noel. If we take the above example configuration in #main.cf for
mynetworks, 192.168.1.0/24 would be able to relay, back to my starting
point, can we restrict the client from 192.168.1.0/24 from sending mail
to the Internet and thus make it Intranet only?

Thanks in advanced.

Best regards,
Jacky Chan
 
-- 
View this message in context: 
http://www.nabble.com/Restriction-Upon-IP-tp21491286p21536492.html
Sent from the Postfix mailing list archive at Nabble.com.
Re: Restriction Upon IP

Reply via email to
