On Sat, Jan 25, 2025 at 11:27:13PM +1100, duluxoz via Postfix-users wrote:
> So, the internal email domain is used by both servers sending in email
> alerts/reports (to the sys-ops) and by users for internal organisation
> communication. Those users that require external email access also have an
> email account in an externally-facing domain, and usually use the
> appropriate domain when sending email. Occasionally, an internal domain
> email gets accidentally sent out on the Internet, and of course, replies to
> that mis-sent email bounce. So we'd like to stop that from happening (hence
> my Q).
>
> Also occasionally, an internal email user sets up a forwarding to an
> externally-facing domain (still within the organisation/lan - usually their
> externally-facing organisation email), plus sometimes internal emails are
> CC'd to organisation-specific externally facing domains. So while filtering
> on submission sounds like it might be the way to go, we have to ensure that
> emails to/from user_x@example.internal can still reach use...@example.com,
> etc, but not user_z@somewhere_on_the_internet.com
OK, so submission is not the stage you want to control. What do you
want to do about the internal domain appearing in message headers:
"From:", "To:", "Cc:", "Reply-To:", ...
The access(5) promitives can reject mesages where the envelope sender
is internal, but don't do anything to headers.
You can use "canonical_maps" to rewritie these to the public domain, if
there's a sensible correspodence between a given internal address and
some associated public address. When there isn't, things get more
complicated... Also how much of this policy can be moved to an internal
mailhub, to which mail flows first, before going to the edge gateway.
If you don't have an internal mailhub, I recommend having one, it
creates a useful point of control where some things are easier than
doing trying to do everything at the edge, which may also be dealing
with external inbound mail, and may have a different view of DNS, ...
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
