Noel Jones-2 wrote:
>
> Jacky Chan wrote:
>> Dears,
>>
>> I have several digital senders (scanning machines) on site, which relay
>> through my Postfix 2.5 as the default email gateway. From my requirement,
>> they can only send mail to INTRANET, I need to restrict those machines
>> from sending mails to Internet.
>>
>> Currently, I set up a user-based restriction but with no SMTP
>> authentication. The details are: (example)
>>
>> /etc/postfix/restricted_senders
>> /....@abc\.com/ local_only
>> /a...@abc.com/ OK
>>
>> /etc/postfix/main.cf
>> smtpd_recipient_restrictions =
>>     check_sender_access regexp:/etc/postfix/restricted_senders,
>
> **DANGER** an OK in the above map makes your server a
> sender-based open relay. This is bad.
>
>>     permit_mynetworks, reject_unauth_destination
>> smtpd_restriction_classes = local_only
>> local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
>>
>> /etc/postfix/local_only
>> subdomain1.abc.com OK
>> subdomain2.abc.com OK
>>
>> From the above setting, I can successfully restrict those machines from
>> sending outside. But I would like to clarify whether the only way to
>> identify the sender is by SMTP authentication, because not all the
>> machines support SMTP client authentication. I am thinking about whether
>> I can set up a restriction based on IP rather than sender, because the
>> SMTP sender is not always trusted.
>>
>> Thank you very much.
>>
>
>
> Yes, it's easy to restrict relay access based on IP.
>
> The easiest way to do that is by excluding them from mynetworks
> http://www.postfix.org/postconf.5.html#mynetworks
>
> # main.cf
> mynetworks =
>     !192.168.1.55
>     !192.168.1.56
>     192.168.1.0/24
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>
>
> --
> Noel Jones
>
>
Thanks Noel. If we take the above example configuration in #main.cf for
mynetworks, 192.168.1.0/24 would be able to relay, back to my starting
point, can we restrict the client from 192.168.1.0/24 from sending mail
to the Internet and thus make it Intranet only?
Thanks in advance.
Best regards,
Jacky Chan
--
View this message in context:
http://www.nabble.com/Restriction-Upon-IP-tp21491286p21536492.html
Sent from the Postfix mailing list archive at Nabble.com.
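
An added example, not written by either poster in this thread: one way to make clients intranet-only by connecting IP, using a `check_client_access` CIDR lookup that hands matching clients to the `local_only` restriction class from the original post. The file name `restricted_clients` and the `127.0.0.0/8` entry are assumptions; three files are shown in one block, separated by comment headers.

```conf
# Added example, not from the thread. Addresses and domains are the ones
# quoted above; restricted_clients and 127.0.0.0/8 are assumed.

# ---- /etc/postfix/main.cf ----
mynetworks = 127.0.0.0/8

smtpd_restriction_classes = local_only

# Clients placed in this class may send only to recipients in the
# intranet domains listed in local_domains; everything else is rejected.
local_only =
    check_recipient_access hash:/etc/postfix/local_domains,
    reject

# The client lookup is keyed on the connecting IP address, which a device
# cannot choose the way it chooses its MAIL FROM address. It must come
# before any permit_* rule, because the first decisive result wins.
# No sender-based OK appears anywhere, so a forged sender gains nothing.
smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/restricted_clients,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# ---- /etc/postfix/restricted_clients (cidr table, read as plain text) ----
# Whole subnet is intranet-only:
192.168.1.0/24      local_only
# To restrict only the two scanners instead, replace the line above with:
# 192.168.1.55/32   local_only
# 192.168.1.56/32   local_only

# ---- /etc/postfix/local_domains (hash table) ----
# Rebuild after editing: postmap /etc/postfix/local_domains
subdomain1.abc.com  OK
subdomain2.abc.com  OK
```

After `postfix reload`, a test message from a restricted address to an outside recipient should be rejected at RCPT TO, while one to `subdomain1.abc.com` is accepted.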