On 2025-01-25 10:30, Viktor Dukhovni via Postfix-users wrote:

> This does not do what you think it does, because the classification of
> addresses into address classes happens in the trivial-rewrite service,
> not in smtpd(8). Best to not jump-in and reply with "I would try", if
> you don't actually have an answer.

No one can have an exact answer without all the details, that's why I just point to some path "I would try". Next step could be:

    [...]
      -o rewrite_service_name=rewrite_internal

    rewrite_internal [...]
      -o virtual_mailbox_domains=...

although virtual_mailbox_domains seems to be an option for virtual(8), and trivial-rewrite is supposed to be called from cleanup, so more "tries". I'm using a similar approach with an alternative cleanup_service_name for submission. The point was: create a separate path for smtpd (inbound) and submission (outbound) first, to distinguish "internal" flows (when mail for all 3 domains is always submitted) from inbound.

>> If that doesn't work - different approach, using only restrictions,
>> e.g.
>>
>> smtpd_recipient_restrictions = permit_mynetworks [...]
>>     reject_unauth_destination
>>     check_recipient_access hash:/etc/$config_directory/my_domains
>
> This is closer, but the OP's main problem is stopping internal senders
> from reaching the public Internet. For that it would be appropriate

The trivial "generic" solution for this is to have multiple submission services, assuming the internal and external are different users (otherwise the internal one sending to the Internet could be rewritten to its external counterpart, and that was not the question).

> The relevant access(5) primitive is: "check_sender_access", and one may
> be able to set an "action" for some envelope sender domains that is
> "reject_unauth_destination". But without a better problem statement,
> it is unclear whether this is the right approach.

Glad to read this after all.

BTW I recently got into a need for "permit_verified_recipient" (as opposed to reject_unverified_recipient) to perform an RBL lookup only for recipients I can't verify. I finally failed to do this, and I can't imagine providing an accurate answer without knowledge of the entire actual environment.