On Fri, Sep 13, 2024 at 10:29:21AM -0500, Dan Lists via Postfix-users wrote:
> I have a small email relay server that is used to allow IOT devices to send
> email. Some of those devices do not do authentication. I'd like to
> restrict the sender domain based on the IP.

How many distinct sender domains are in scope? If it is just a small
handful, you can use restriction classes:

    main.cf:
        smtpd_restriction_classes =
            require_sender_domain_a,
            require_sender_domain_b,
            require_sender_domain_c

        smtpd_client_restrictions =
            check_client_access cidr:{
                {192.0.2.1/32 require_sender_domain_a}
                {192.0.2.2/32 require_sender_domain_b}
                {192.0.2.3/32 require_sender_domain_c}
                ...
            }

        # Be meticulous with the PCRE syntax, ensuring the trailing '$'
        # anchor, leading '@' domain prefix, and escaping literal '.'
        # with '\'. You can use "regexp" rather than "pcre" if that's
        # more convenient. The syntax below is common to both.
        #
        require_sender_domain_a =
            check_sender_access pcre:{
                {if !/@a\.example$/}
                {/^/ REJECT for some reason}
                {endif}
            }
        require_sender_domain_b =
            check_sender_access pcre:{
                {if !/@b\.example$/}
                {/^/ REJECT for some reason}
                {endif}
            }
        require_sender_domain_c =
            check_sender_access pcre:{
                {if !/@c\.example$/}
                {/^/ REJECT for some reason}
                {endif}
            }

> /@domain.tld/ 1.2.3.4,5.6.7.8 # Only list IPs can send email as
> @domain.tld.

You probably have more IPs than sender domains, and the latter are
typically less volatile than the IPs, so with restriction classes, it
makes more sense to map IPs to allowed domains, than domains to allowed
IPs.

-- 
    Viktor.
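Added example (not part of the original message and not Postfix code): a small Python model of the client-IP to restriction-class to sender-pattern decision in the main.cf above. It shows which lookalike sender addresses get through when the trailing '$', the leading '@', or the escaped '.' is left out. The function names, the "sloppy" patterns and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed model of the main.cf above: client network -> restriction class.
CLIENT_CLASSES = [
    ("192.0.2.1/32", "require_sender_domain_a"),
    ("192.0.2.2/32", "require_sender_domain_b"),
    ("192.0.2.3/32", "require_sender_domain_c"),
]
# Restriction class -> pattern the envelope sender must match.
SENDER_PATTERNS = {
    "require_sender_domain_a": r"@a\.example$",
    "require_sender_domain_b": r"@b\.example$",
    "require_sender_domain_c": r"@c\.example$",
}

def sender_allowed(pattern, sender):
    """Mirror 'if !/pattern/ ... REJECT': allowed only when the pattern matches."""
    # Postfix pcre/regexp tables match case-insensitively by default.
    return re.search(pattern, sender, re.IGNORECASE) is not None

def decide(client_ip, sender):
    """Return 'REJECT' or 'DUNNO' for one (client IP, envelope sender) pair."""
    ip = ipaddress.ip_address(client_ip)
    for net, cls in CLIENT_CLASSES:          # first match wins, as in a cidr table
        if ip in ipaddress.ip_network(net):
            return "DUNNO" if sender_allowed(SENDER_PATTERNS[cls], sender) else "REJECT"
    return "DUNNO"   # unlisted client: falls through to later restrictions

# Sloppy variants of the domain-a pattern, each missing one precaution.
SLOPPY = {
    "no trailing $": r"@a\.example",
    "no leading @": r"a\.example$",
    "unescaped .": r"@a.example$",
}
# Constructed senders that must not pass as a.example.
LOOKALIKES = ["dev@a.example.other.test", "dev@aa.example", "dev@aXexample"]

def wrongly_accepted():
    """Map each sloppy pattern to the lookalike senders it lets through."""
    return {name: [s for s in LOOKALIKES if sender_allowed(p, s)]
            for name, p in SLOPPY.items()}

if __name__ == "__main__":
    print(decide("192.0.2.1", "sensor@a.example"))
    print(decide("192.0.2.1", "sensor@b.example"))
    print(wrongly_accepted())
```
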