On Fri, Sep 13, 2024 at 10:22 PM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Fri, Sep 13, 2024 at 10:29:21AM -0500, Dan Lists via Postfix-users
> wrote:
>
> > I have a small email relay server that is used to allow IOT devices to
> > send email.  Some of those devices do not do authentication.   I'd like to
> > restrict the sender domain based on the IP.
>
> How many distinct sender domains are in scope?  If it is just a small
> handful, you can use restriction classes:
>
>     main.cf:
>         smtpd_restriction_classes =
>             require_sender_domain_a,
>             require_sender_domain_b,
>             require_sender_domain_c
>
>         smtpd_client_restrictions =
>             check_client_access cidr:{
>                     {192.0.2.1/32   require_sender_domain_a}
>                     {192.0.2.2/32   require_sender_domain_b}
>                     {192.0.2.3/32   require_sender_domain_c}
>                     ...
>                 }
>
>         # Be meticulous with the PCRE syntax, ensuring the trailing '$'
>         # anchor, leading '@' domain prefix, and escaping literal '.'
>         # with '\'.  You can use "regexp" rather than "pcre" if that's
>         # more convenient.  The syntax below is common to both.
>         #
>         require_sender_domain_a =
>             check_sender_access pcre:{
>                     {if !/@a\.example$/}
>                     {/^/ REJECT for some reason}
>                     {endif}
>                 }
>         require_sender_domain_b =
>             check_sender_access pcre:{
>                     {if !/@b\.example$/}
>                     {/^/ REJECT for some reason}
>                     {endif}
>                 }
>         require_sender_domain_c =
>             check_sender_access pcre:{
>                     {if !/@c\.example$/}
>                     {/^/ REJECT for some reason}
>                     {endif}
>                 }
>
> > /@domain.tld/    1.2.3.4,5.6.7.8  # Only listed IPs can send email as
> > @domain.tld.
>
> You probably have more IPs than sender domains, and the latter are
> typically less volatile than the IPs, so with restriction classes, it
> makes more sense to map IPs to allowed domains, than domains to allowed
> IPs.
>
> --
>     Viktor.
>

Thanks, that is some cool voodoo!

We have 8 domains currently and about 25 IPs and CIDR blocks.  The inline
tables would make this fairly manageable.

It looks like if an IP isn't in check_client_access but is allowed to relay
then that IP could send as whoever they like.  All IPs that relay would
have to be in check_client_access.

Could this be reversed?

        # the class must be declared before it can be used as an action
        smtpd_restriction_classes = check_client_access_a

        smtpd_client_restrictions =
            check_sender_access pcre:{
                    {/@a\.example$/  check_client_access_a}
                }

        check_client_access_a =
            check_client_access cidr:{
                    {192.168.1.0/24  DUNNO}
                    {192.168.2.0/24  DUNNO}
                    {0.0.0.0/0       REJECT Relay access denied}
                }
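Added example (not from either message in this thread, and not Postfix code): a small Python script that generates the IP-to-domain restriction-class fragment Viktor describes from a single mapping, and simulates how Postfix evaluates it for a given client IP and sender address. The simulation models only the two lookups involved: the `check_client_access cidr:` table (first match wins, in file order) and the matched class's `check_sender_access pcre:` table (`@domain` anchored with `$`, case-insensitive as pcre tables are by default). The sample network-to-domain mapping, the `require_sender_domain_<domain>` naming scheme and the optional `{0.0.0.0/0 REJECT ...}` catch-all are constructed assumptions. The catch-all addresses Dan's observation that a client missing from the cidr table gets no decision (DUNNO) and can therefore use any sender domain; note that such a catch-all rejects every unlisted client, so in a real `smtpd_client_restrictions` it belongs after `permit_mynetworks` / `permit_sasl_authenticated` if those clients must keep relaying.

```python
import ipaddress
import re

# Constructed sample mapping: client network -> the only sender domain it may use.
# Order matters: cidr tables stop at the first match, so the /32 entries precede the /24.
CLIENT_DOMAINS = {
    "192.0.2.1/32": "a.example",
    "192.0.2.2/32": "b.example",
    "192.0.2.0/24": "c.example",
}


def class_name(domain):
    """Restriction-class name for a domain (assumed scheme: require_sender_domain_<domain>)."""
    return "require_sender_domain_" + re.sub(r"[^a-z0-9]", "_", domain.lower())


def render_main_cf(mapping, catch_all=None):
    """Emit a main.cf fragment: one restriction class per distinct domain, one cidr entry
    per client network, and (optionally) a catch-all action for clients not listed."""
    domains = sorted(set(mapping.values()))
    out = ["smtpd_restriction_classes =",
           "    " + ",\n    ".join(class_name(d) for d in domains),
           "",
           "smtpd_client_restrictions =",
           "    check_client_access cidr:{"]
    for cidr, domain in mapping.items():
        out.append(f"        {{{cidr} {class_name(domain)}}}")
    if catch_all:
        out.append(f"        {{0.0.0.0/0 {catch_all}}}")
    out += ["    }", ""]
    for d in domains:
        # Same shape as the thread's classes: reject unless the sender ends in @domain.
        out += [f"{class_name(d)} =",
                "    check_sender_access pcre:{",
                f"        {{if !/@{re.escape(d)}$/}}",
                "        {/^/ REJECT sender domain not permitted from this client}",
                "        {endif}",
                "    }",
                ""]
    return "\n".join(out)


def evaluate(mapping, client_ip, sender, default_action="DUNNO"):
    """Simulate the two-stage check for one client/sender pair.

    Returns 'DUNNO' when this layer makes no decision (the sender is allowed for the
    client, or the client is unlisted and there is no catch-all) and 'REJECT' otherwise.
    default_action models the catch-all entry: 'DUNNO' (none, as in the thread's config)
    or 'REJECT' (a trailing {0.0.0.0/0 REJECT ...} entry).
    """
    ip = ipaddress.ip_address(client_ip)
    for cidr, domain in mapping.items():          # first match wins, as in cidr tables
        if ip in ipaddress.ip_network(cidr, strict=False):
            # Equivalent of {if !/@domain$/} ... REJECT: the '$' anchor stops
            # "user@a.example.attacker" from passing as @a.example.
            allowed = re.compile("@" + re.escape(domain) + "$", re.IGNORECASE)
            return "DUNNO" if allowed.search(sender) else "REJECT"
    return default_action


if __name__ == "__main__":
    print(render_main_cf(CLIENT_DOMAINS, catch_all="REJECT Relay access denied"))
    for ip, sender in [("192.0.2.1", "alice@a.example"),
                       ("192.0.2.1", "alice@b.example"),
                       ("192.0.2.1", "alice@a.example.attacker"),
                       ("198.51.100.9", "anyone@anything.example")]:
        print(ip, sender, "->", evaluate(CLIENT_DOMAINS, ip, sender),
              "/ with catch-all:", evaluate(CLIENT_DOMAINS, ip, sender, "REJECT"))
```

Running the script prints the generated fragment for the three sample networks followed by the decision for each test pair, once without and once with the catch-all; the last pair is the unlisted client, which only the catch-all rejects.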
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org