On Mon, Sep 16, 2024 at 09:55:22AM -0500, Dan Lists via Postfix-users wrote:
> > How many distinct sender domains are in scope?  If it is just a small
> > handful, you can use restriction classes:
> >
> >     main.cf:
> >         smtpd_restriction_classes =
> >             require_sender_domain_a,
> >             [...]
> >         smtpd_client_restrictions =
> >             check_client_access cidr:{
> >                 {192.0.2.1/32 require_sender_domain_a}
> >                 ...
> >             }
> >         [...]
> >         require_sender_domain_a =
> >             check_sender_access pcre:{
> >                 {if !/@a\.example$/}
> >                 {/^/ REJECT for some reason}
> >                 {endif}
> >             }
> >         [...]
>
> Thanks, that is some cool voodoo!

See http://www.postfix.org/RESTRICTION_CLASS_README.html

> We have 8 domains currently and about 25 IPs and CIDR blocks.  The inline
> tables would make this fairly manageable.

That was the gambit.

> It looks like if an IP isn't in check_client_access but is allowed to
> relay then that IP could send as whoever they like.  All IPs that
> relay would have to be in check_client_access.

So it seems you rather want to restrict access to some domains to
just the allowed IPs, rather than restrict some IPs to specific domains.

> Could this be reversed?

Yes, of course, but mind the syntax (the inner "{}" in inline CIDR and
PCRE tables are not optional!) and the requirement to pre-declare custom
restriction classes:

    smtpd_restriction_classes =
        check_client_access_a,
        ...

> smtpd_client_restrictions =
>     # Each rule is enclosed in {}
>     check_sender_access pcre:{
>         {/@a\.example$/ check_client_access_a}
>     }
>
> check_client_access_a =
>     # Each rule is enclosed in {}
>     check_client_access cidr:{
>         {192.168.1.0/24 DUNNO}
>         {192.168.2.0/24 DUNNO}
>         {0.0.0.0/0 REJECT Relay access denied}
>     }

-- 
    Viktor.
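
Added example, not part of the original message and not Postfix code: a small Python model of the two designs discussed in the thread, listing which relay-permitted clients can still use an @a.example envelope sender under each. The client addresses, the `::/0` entry and all function names are constructed for illustration, and the model covers only first-match table lookup.

```python
import ipaddress
import re

def cidr_lookup(rules, ip):
    """Return the value of the first network that contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, value in rules:
        # An IPv4 network never contains an IPv6 address (and vice versa).
        if addr in ipaddress.ip_network(net):
            return value
    return None

A_SENDER = re.compile(r"@a\.example$", re.IGNORECASE)

# Design 1: client network -> required sender pattern (constructed client list).
CLIENT_TO_DOMAIN = [("192.168.1.0/24", A_SENDER), ("192.168.2.0/24", A_SENDER)]

# Design 2: sender domain -> allowed client networks, as quoted in the thread.
CLIENT_ACCESS_A = [("192.168.1.0/24", "DUNNO"), ("192.168.2.0/24", "DUNNO"),
                   ("0.0.0.0/0", "REJECT")]
# Same table plus an IPv6 catch-all (an addition here, not from the thread).
CLIENT_ACCESS_A_V6 = CLIENT_ACCESS_A + [("::/0", "REJECT")]

def by_client(ip, sender):
    """Design 1: listed clients are pinned to their domain; others are unchecked."""
    required = cidr_lookup(CLIENT_TO_DOMAIN, ip)
    if required is None:
        return "DUNNO"  # unlisted relay client: the sender is never examined
    return "DUNNO" if required.search(sender) else "REJECT"

def by_sender(ip, sender, table=CLIENT_ACCESS_A):
    """Design 2: a protected sender domain is accepted only from listed clients."""
    if not A_SENDER.search(sender):
        return "DUNNO"  # sender domain is not covered by this rule
    return cidr_lookup(table, ip) or "DUNNO"

def spoofable(policy, relay_clients, sender="user@a.example"):
    """Relay clients outside the a.example networks that the policy lets through."""
    return [ip for ip in relay_clients
            if cidr_lookup(CLIENT_ACCESS_A[:2], ip) is None
            and policy(ip, sender) == "DUNNO"]

# Constructed relay-permitted clients: one listed, two unlisted.
RELAY_CLIENTS = ["192.168.1.10", "10.0.0.5", "2001:db8::25"]

if __name__ == "__main__":
    print("by client:", spoofable(by_client, RELAY_CLIENTS))
    print("by sender:", spoofable(by_sender, RELAY_CLIENTS))
```

In the model, the IPv4-only catch-all leaves the IPv6 client unmatched; passing `CLIENT_ACCESS_A_V6` as the table closes that case.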