On Wed, May 07, 2025 at 02:56:11PM +0530, Srinivasa Gowd S wrote:

> The following entries are present in the "check_sender_access" table. 
> We have configured it so that  "srb...@sutisoft3.in" and
> "tsupp...@sutisoft3.in" are treated as privileged users.  All users can send
> emails to domains @sutisoft.com, @sutisoft.ca and @sutisoft.net.
> -------------
> #/etc/postfix# cat check_sender_access
> 
> srb...@sutisoft3.in         OK
> tsupp...@sutisoft3.in       OK
> @sutisoft.com               OK
> @sutisoft.ca                OK
> @sutisoft.net               OK

But these are sender address checks, so the last three entries also
allow any *sender* address in those three domains to send mail to
anyone.

> This configuration is not working and the user "b...@sutisoft3.in" is
> sending emails to @gmail.com.

Well, this address is not matched in the table at all, so it just
falls through to "permit_mynetworks", which allows the delivery.

> From: Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> 
> Sent: 07 May 2025 13:29
> To: postfix-users@postfix.org
> Subject: [pfx] Re: Configuration Request: Restrict Outgoing Emails to
> Allowed Domains, Allow All Incoming, and Bypass Restrictions for Privileged
> Users
> 
> On Wed, May 07, 2025 at 12:57:29PM +0530, Srinivasa Gowd S via Postfix-users
> wrote:
> 
> > 1.  Allow incoming emails from all external domains to all internal
> >       users.
> > 2.  Restrict outgoing emails for all users so they can only send to
> >       a list of allowed domains.
> > 3.  Allow specific privileged users to bypass this restriction and
> >       send emails to any external domain.
> > 
> > smtpd_recipient_restrictions = 
> >     check_recipient_access hash:/etc/postfix/recipient_access  
> >     check_sender_access hash:/etc/postfix/check_sender_access  
> >     permit_mynetworks 
> >     permit_sasl_authenticated  

You probably want to remove the above two permits.

> >     reject_unauth_destination 
> >     check_policy_service unix:private/policyd-spf
> >     permit
> 

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
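
The fall-through described in the reply can be traced with a small first-match model of the posted restriction list. This is an added example, not code from the thread or from Postfix. The contents of `recipient_access`, the local domain `sutisoft3.in`, the recipient `someone@gmail.com`, and the `@domain` matching rule (taken from the reply's reading of the table) are assumptions.

```python
# Simplified first-match model of smtpd_recipient_restrictions (added example).
# Sender table as posted; the truncated addresses are kept verbatim as strings.
SENDER_ACCESS = {
    "srb...@sutisoft3.in": "OK",
    "tsupp...@sutisoft3.in": "OK",
    "@sutisoft.com": "OK",
    "@sutisoft.ca": "OK",
    "@sutisoft.net": "OK",
}
# Assumption: recipient_access is not shown in the thread; constructed here.
RECIPIENT_ACCESS = {"@sutisoft.com": "OK", "@sutisoft.ca": "OK", "@sutisoft.net": "OK"}
LOCAL_DOMAINS = {"sutisoft3.in"}  # assumption: domain this server accepts mail for

AS_POSTED = [
    "check_recipient_access", "check_sender_access", "permit_mynetworks",
    "permit_sasl_authenticated", "reject_unauth_destination",
    "check_policy_service", "permit",
]
# The change suggested in the reply: drop the two early permits.
WITHOUT_PERMITS = [r for r in AS_POSTED
                   if r not in ("permit_mynetworks", "permit_sasl_authenticated")]


def lookup(table, address):
    """Exact address, then '@domain' (matching as the reply reads the table)."""
    return table.get(address) or table.get("@" + address.rsplit("@", 1)[1])


def evaluate(restrictions, sender, rcpt, in_mynetworks=False, sasl_auth=False):
    """Return (action, restriction that decided); the first decision wins."""
    rcpt_domain = rcpt.rsplit("@", 1)[1]
    for name in restrictions:
        hit = {
            "check_recipient_access": lookup(RECIPIENT_ACCESS, rcpt),
            "check_sender_access": lookup(SENDER_ACCESS, sender),
            "permit_mynetworks": in_mynetworks,
            "permit_sasl_authenticated": sasl_auth,
            "permit": True,
        }.get(name)  # check_policy_service is treated as "no decision"
        if name == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "reject", name
        if hit:
            return "permit", name
    return "dunno", None


if __name__ == "__main__":
    for rules in (AS_POSTED, WITHOUT_PERMITS):
        print(evaluate(rules, "b...@sutisoft3.in", "someone@gmail.com", in_mynetworks=True))
```

In this model the sender-domain entries still permit any client that uses a sender address in the three listed domains, which is the first point the reply raises.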
