Hello,

Thank you, Viktor, for your reply on this.

The following entries are present in the "check_sender_access" table.
We have configured it so that "srb...@sutisoft3.in" and
"tsupp...@sutisoft3.in" are treated as privileged users. All users can send
emails to domains @sutisoft.com, @sutisoft.ca and @sutisoft.net.
-------------
#/etc/postfix# cat check_sender_access

srb...@sutisoft3.in         OK
tsupp...@sutisoft3.in        OK
@sutisoft.com                   OK
@sutisoft.ca                    Ok
@sutisoft.net                   Ok
---------------------

This configuration is not working and the user "b...@sutisoft3.in" is
sending emails to @gmail.com.

Thanks,
Srinivasa Gowd.

-----Original Message-----
From: Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> 
Sent: 07 May 2025 13:29
To: postfix-users@postfix.org
Subject: [pfx] Re: Configuration Request: Restrict Outgoing Emails to
Allowed Domains, Allow All Incoming, and Bypass Restrictions for Privileged
Users

On Wed, May 07, 2025 at 12:57:29PM +0530, Srinivasa Gowd S via Postfix-users
wrote:

> 1.    Allow incoming emails from all external domains to all internal
>       users.
> 2.    Restrict outgoing emails for all users so they can only send to
>       a list of allowed domains.
> 3.    Allow specific privileged users to bypass this restriction and
>       send emails to any external domain.
> 
> smtpd_recipient_restrictions = 
>     check_recipient_access hash:/etc/postfix/recipient_access  
>     check_sender_access hash:/etc/postfix/check_sender_access  
>     permit_mynetworks 
>     permit_sasl_authenticated  
>     reject_unauth_destination 
>     check_policy_service unix:private/policyd-spf
>     permit

Well, what sort of entries do you have in the "check_sender_access"
table?

> smtpd_relay_restrictions = 
>     permit_mynetworks 
>     permit_sasl_authenticated 
>     defer_unauth_destination 
>     reject_unauth_destination

You may as well drop "defer_unauth_destination" here, because
"reject_unauth_destination" should be sufficient/safe.

> 
> However, this configuration is not working as expected, and 
> unprivileged users are still able to send to unauthorized domains.

Presumably their sender addresses are not adequately restricted by the
tables in question.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send
an email to postfix-users-le...@postfix.org
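
An added example, not part of the original thread or of Postfix itself: a simplified Python model of how smtpd_recipient_restrictions is walked, showing why the posted list lets an authenticated ordinary sender reach @gmail.com and how a sender-keyed restriction class would change that. The address local parts, the empty recipient_access table, the ALT_* names, the allowed_rcpt_only class, and treating sutisoft3.in as the local domain (and as an allowed recipient domain) are assumptions made for illustration.

```python
# Simplified model of Postfix's first-match walk over smtpd_recipient_restrictions.
# Local parts are constructed placeholders; the thread elides the real ones.
LOCAL = {"sutisoft3.in"}  # assumption: the site's own (local) domain
def access_lookup(table, address):
    # access(5) tries user@domain, then domain, then user@ (subdomain matching is
    # omitted here). A key written as "@domain" is never among the keys tried.
    user, _, domain = address.lower().partition("@")
    for key in (f"{user}@{domain}", domain, f"{user}@"):
        if key in table:
            return table[key]
    return "DUNNO"

def evaluate(rules, tables, classes, sender, rcpt, authenticated):
    """Return (verdict, deciding_rule); a DUNNO result falls through to the next rule."""
    for rule in rules:
        name, _, arg = rule.partition(" ")
        if name == "check_sender_access":
            result = access_lookup(tables[arg], sender)
        elif name == "check_recipient_access":
            result = access_lookup(tables[arg], rcpt)
        elif name == "permit_sasl_authenticated":
            result = "OK" if authenticated else "DUNNO"
        elif name == "reject_unauth_destination":
            result = "DUNNO" if rcpt.rpartition("@")[2] in LOCAL else "REJECT"
        elif name in ("permit", "reject"):
            result = "OK" if name == "permit" else "REJECT"
        else:
            result = "DUNNO"  # permit_mynetworks, policy service: assumed not decisive
        if result in classes:  # the table value names a restriction class
            result = evaluate(classes[result], tables, classes, sender, rcpt, authenticated)[0]
        if result != "DUNNO":
            return result, rule
    return "DUNNO", None

# Restriction list and sender table as posted in the thread.
POSTED = ["check_recipient_access recipient_access", "check_sender_access check_sender_access",
          "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
          "check_policy_service policyd-spf", "permit"]
POSTED_TABLES = {"recipient_access": {},  # contents not shown in the thread; assumed empty
                 "check_sender_access": {"privileged-user@sutisoft3.in": "OK", "@sutisoft.com": "OK",
                                         "@sutisoft.ca": "OK", "@sutisoft.net": "OK"}}
# Hypothetical alternative: senders in the local domain go through a restriction
# class; the privileged address gets DUNNO, which stops the lookup before the domain key.
ALT = ["check_sender_access sender_policy", "permit_sasl_authenticated",
       "reject_unauth_destination", "permit"]
ALT_CLASSES = {"allowed_rcpt_only": ["check_recipient_access allowed_rcpt", "reject"]}
ALT_TABLES = {"sender_policy": {"privileged-user@sutisoft3.in": "DUNNO",
                                "sutisoft3.in": "allowed_rcpt_only"},
              "allowed_rcpt": {d: "OK" for d in ("sutisoft.com", "sutisoft.ca",
                                                 "sutisoft.net", "sutisoft3.in")}}
```

In a real main.cf the class would have to be declared in smtpd_restriction_classes, and because the envelope sender is chosen by the client, a sender-keyed policy only holds if authenticated logins are bound to their addresses (smtpd_sender_login_maps with reject_sender_login_mismatch).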
