Noel Jones wrote:
Vernon A. Fort wrote:
I have a setup in which we use an external mail filtering service and need to limit/restrict external client access. Meaning the MX for the domain points to the filtering service and they relay checked email. I need to limit access to just these network blocks but also allow SASL authenticated clients as well as the internal network.

I also do not want to blindly trust this service, so I would like to check the IP address as well as ensuring the recipient is for my domain.

Can someone point me to an example or man page? I cannot seem to find anything related to limiting inbound SMTP clients/servers.

Vernon

Minimal config:

# main.cf

# do not include filter service IPs in mynetworks
mynetworks = 127.0.0.0/8 ...
smtpd_recipient_restrictions =
  permit_sasl_authenticated
  permit_mynetworks
  reject_unauth_destination
  check_client_access cidr:/etc/postfix/filter_service
  reject

# filter_service
192.1.0.0/24  OK
... other cidr ranges filter service uses ...


  -- Noel Jones
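A small Python model of how Postfix walks Noel's smtpd_recipient_restrictions first-match, added here as an example (not code from the thread or from Postfix itself): it parses a constructed stand-in for the cidr:/etc/postfix/filter_service table and shows that the filter service may relay only to the local domain, that an unlisted client is rejected even for a local recipient, and that mynetworks and SASL clients are permitted before the access map is consulted. The 127.0.0.0/8, 192.1.x and 203.0.113.x ranges and example.com are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): trusted nets and the
# domain(s) this server accepts mail for.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MY_DOMAINS = {"example.com"}

# Constructed stand-in for the cidr:/etc/postfix/filter_service table.
FILTER_SERVICE_CIDR = """\
# filter service relay ranges (sample)
192.1.0.0/24  OK
192.1.1.0/24  OK
"""

# Noel's smtpd_recipient_restrictions, in order.
RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks",
                "reject_unauth_destination", "check_client_access", "reject"]

def parse_cidr_table(text):
    """Parse a Postfix cidr: table into (network, action) pairs, file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if line:
            pattern, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern, strict=False),
                          action.strip().upper()))
    return rules

def check_client_access(rules, ip):
    """cidr: lookup: the first matching network wins; None if nothing matches."""
    return next((action for net, action in rules if ip in net), None)

def evaluate(client, sasl_authenticated, recipient):
    """Walk the list; the first restriction yielding OK or REJECT decides."""
    ip = ipaddress.ip_address(client)
    rules = parse_cidr_table(FILTER_SERVICE_CIDR)
    rcpt_domain = recipient.rpartition("@")[2].lower()
    for r in RESTRICTIONS:
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return ("OK", r)
        if r == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return ("OK", r)
        if r == "reject_unauth_destination" and rcpt_domain not in MY_DOMAINS:
            return ("REJECT", r)          # nobody relays outbound past here
        if r == "check_client_access":
            verdict = check_client_access(rules, ip)
            if verdict in ("OK", "REJECT"):
                return (verdict, r)       # no match: fall through (DUNNO)
        if r == "reject":
            return ("REJECT", r)
    return ("DUNNO", None)
```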
Hey Noel,
What I have now under the smtpd_*_restrictions:

smtpd_sender_restrictions =
smtpd_client_restrictions =
smtpd_etrn_restrictions = reject
smtpd_recipient_restrictions =
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_unauth_destination,
      check_helo_access .....
      check_sender_access ...
      check_client_access   (for whitelisting client sites - just in case they get rbl listed)
      reject_rbl_client ....
      permit
smtpd_data_restrictions =
      reject_unauth_pipelining,
      permit

What I'm 'thinking' of is:

smtpd_sender_restrictions =
smtpd_client_restrictions =
      permit_sasl_authenticated,
      permit_mynetworks,
      check_client_access cidr:/etc/postfix/filter_service.cidr,
      reject

The filter_service.cidr would look like
   1.2.3.4/29      OK
   1.2.4.4/29      OK
   0.0.0.0/0        REJECT

Would it be redundant to have the permit_sasl and permit_mynetworks under both the smtpd_client and smtpd_recipient?

Vernon
