Charles Marcus a écrit :
> On 2/13/2009 3:42 PM, mouss wrote:
>> you can do this
>>
>> smtpd_sender_restrictions =
>> check_recipient_access hash:/etc/postfix/moved-employees,
>
> Ah! I never even considered I could put check_recipient_access under
> smtpd_sender_restrictions... but if I can put check_client_access under
> smtpd_recipient_restrictions, why not? :)
>
> Just to clarify: doing the above keeps me from becoming an open relay if
> I typo something in the map, while keeping it under
> smtpd_recipient_restrictions leaves me vulnerable to such an error, is
> that correct?
>
that's the idea. you may decide to replace the hash with a mysql or a
pcre that returns OK for any domain.
As I said before, this is not a check to fight spammers, but a check you
want to apply to all mail. so put it under smtpd_sender_restrictions (or
*_helo_* or *_client_*). This way, your smtpd restrictions start with
the "usual" risk-free:
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
# anti-spam stuff follows
