Re: Upon IP address, restrict sending destination.

Mon, 19 Jan 2009 07:51:18 -0800 

Jacky Chan wrote:


Magnus Bäck wrote:

On Monday, January 19, 2009 at 05:11 CET,
     Jacky Chan <jac...@wkg1.umac.mo> wrote:


As subject. Does the following configuration meet the subject?
192.168.1.55 and 192.168.1.56 can only send mail to subdomain1.abc.com,
subdomain2.abc.com
And others IP in 192.168.1.0/24 can send mail to subdomain1.abc.com,
subdomain2.abc.com and outsiders, is that achieved by the following
configuration?

No. Noel has already posted a working configuration where you list the
non-relaying IP addresses in mynetworks. This will allw 192.168.1.5[56]
to send to all domains managed by you, but perhaps this is enough?


#/etc/postfix/main.cf
mynetworks = hash:/etc/postfix/access

Must be: cidr:/etc/postfix/access


smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination

smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains,
reject

# /etc/postfix/access
192.168.1.55       REJECT
192.168.1.56       REJECT
192.168.1.0/24    OK

# /etc/postfix/local_only
subdomain1.abc.com            OK
subdomain2.abc.com            OK

No, this is backwards (and there's a filename mismatch -- local_domains
vs. local_only). See the example at [1] but replace check_sender_access
with check_client_access.

Also, you probably don't want to return OK for 192.168.1.0/24. That
means that all restrictions listed after your check_client_access
restriction will be bypassed, and this is probably not what you want.

[1] http://www.postfix.org/RESTRICTION_CLASS_README.html#external

--
Magnus Bäck
mag...@dsek.lth.se




Hi, Magnus. Thank you very much for your advise and I changed the
configuration as below.
Would you mind to have a look and please point out what I missed.
I highlighted the modification in BOLD.

#/etc/postfix/main.cf
mynetworks = cidr:/etc/postfix/access

smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access
smtpd_recipient_restrictions = check_client_access
cidr:/etc/postfix/access,permit_mynetworks, reject_unauth_destination
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

# /etc/postfix/access
192.168.1.55       REJECT
192.168.1.56       REJECT
192.168.1.0/24    RELAY

# /etc/postfix/local_domains
subdomain1.abc.com            OK
subdomain2.abc.com            OK



No, this won't work either.  Use the example already provided.


You're making this too hard.  Simply set mynetworks correctly 
and you're done.




--
Noel Jones























					Reply via email to