Viktor Dukhovni via Postfix-users:
> On Mon, Sep 16, 2024 at 09:55:22AM -0500, Dan Lists via Postfix-users wrote:
> 
> > > How many distinct sender domains are in scope?  If it is just a small
> > > handful, you can restriction classes:
> > >
> > >     main.cf:
> > >         smtpd_restriction_classes =
> > >             require_sender_domain_a,
> > > [...]
> > >         smtpd_client_restrictions =
> > >             check_client_access cidr:{
> > >                     {192.0.2.1/32   require_sender_domain_a}
> > >                     ...
> > >                 }
> > > [...]
> > >         require_sender_domain_a =
> > >             check_sender_access pcre:{
> > >                     {if !/@a\.example$/}
> > >                     {/^/ REJECT for some reason}
> > >                     {endif}
> > >                 }
> > > [...]
> > 
> > Thanks, that is some cool voodoo!
> 
> See http://www.postfix.org/RESTRICTION_CLASS_README.html
> 
> > We have 8 domains currently and about 25 IPs and CIDR blocks.  The inline
> > tables would make this fairly manageable.
> 
> That was the gambit.
> 
> > It looks like if an IP isn't in check_client_access but is allowed to
> > relay then that IP could send as whoever they like.  All IPs that
> > relay would have to be in check_client_access.
> 
> So it seems you rather want to restrict access to some domains to
> just the allowed IPs, rather than restrict some IPs to specific
> domains.
> 
> > Could this be reversed?
> 
> Yes, of course, but mind the syntax (the inner "{}" in inline CIDR and
> PCRE tables are not optional!) and the requirement to pre-declare custom
> restriction classes:
> 
>     smtpd_restriction_classes =
>         check_client_access_a,
>         ...
> 
> >         smtpd_client_restrictions =
> >            # Each rule is enclosed in {}
> >            check_sender_access: pcre:{
> >               {/@a\.example$/  check_client_access_a}
> >            }
> > 
> >       check_client_access_a =
> >            # Each rule is enclosed in {}
> >            check_client_access cidr: {
> >               {192.168.1.0/24     DUNNO}
> >               {192.168.2.0/24     DUNNO}
> >               {0.0.0.0/0          REJECT Relay access denied}
> >           }

Nits: no space after 'cidr:', no ':' after check_sender_access,
and 'example$' needs to be 'example$$'.

One goal of Postfix was to make it easier to configure than Sendmail.
Use nested tables as above only for configurations that you expect
to manage yourself into eternity.

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
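For reference, the "reversed" configuration from the thread with the three syntax nits applied (no space after `cidr:`, no `:` after `check_sender_access`, `$` doubled to `$$` because main.cf expands `$name`). This is an added example, not a fragment posted by anyone in the thread; the domains are the thread's `a.example`/`b.example` and the client networks are constructed RFC 5737 documentation addresses.

```conf
# main.cf (added example; IP ranges are constructed documentation addresses)

# Custom restriction classes must be declared before they are referenced.
smtpd_restriction_classes =
    check_client_access_a,
    check_client_access_b

# With smtpd_delay_reject = yes (the default) all restriction lists are
# evaluated at RCPT TO, so the envelope sender is known here even though
# this is the "client" list. Inside main.cf a literal "$" in a regexp
# must be written "$$"; the table type is followed directly by ":".
smtpd_client_restrictions =
    check_sender_access pcre:{
        {/@a\.example$$/  check_client_access_a}
        {/@b\.example$$/  check_client_access_b}
    }

# Mail claiming a sender in a.example is accepted only from these networks.
# DUNNO ends this class and lets the remaining restrictions decide;
# any other client address falls through to the catch-all REJECT.
# 0.0.0.0/0 matches only IPv4 clients, so an IPv6 catch-all is listed too.
check_client_access_a =
    check_client_access cidr:{
        {192.0.2.0/24       DUNNO}
        {198.51.100.0/24    DUNNO}
        {0.0.0.0/0          REJECT Sender domain a.example not allowed from this client}
        {::/0               REJECT Sender domain a.example not allowed from this client}
    }

check_client_access_b =
    check_client_access cidr:{
        {203.0.113.10/32    DUNNO}
        {0.0.0.0/0          REJECT Sender domain b.example not allowed from this client}
        {::/0               REJECT Sender domain b.example not allowed from this client}
    }
```

Senders in domains that match no pcre rule never enter a class and are handled by whatever follows in the restriction list, so an unlisted domain is not protected by this configuration. `postconf -x smtpd_client_restrictions` shows the value after `$`-expansion, which confirms that `$$` became a single `$`.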
