2009/4/18 LuKreme <krem...@kreme.com>:
> Well, that's not quite it. The issue is not simply that I don't want SMTP
> connections out of this LAN to servers other than the mail.example.com
> server (that is dealt with with relayhost, iirc)

Firewall policy :)

> but that no outbound mail
> should be accepted unless it's in the map for delivery at mail.example.com.
> That is, mail originating inside the LAN to arbitrary-domain.tld would
> always be rejected.

Remove the LAN from $mynetworks (if it's there), thus forcing everyone to be unprivileged. As long as example.local isn't in $mydestination, it should be forced to rely on $virtual_alias_domains, which you specify per-recipient mappings for.

> Mail from outside that is addressed to 'u...@example.local' should be
> rejected, but mail addressed to 'u...@subdomain.example.com' ... well, that
> one is not crucial at all, so let's ignore that for now.

Have postfix listen on the "internal" interface only. That *should* do the job.

The default for recipient restrictions (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions) gives me:

Accepts:
* Mail from clients whose IP address matches $mynetworks
* Mail to remote destinations that match $relay_domains
* Mail to local destinations that match $inet_interfaces or $proxy_interfaces, $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains.

The only thing I'm unsure about there is the "match $inet_interfaces" - if example.local == $inet_interfaces, will it short circuit the check for virtual_alias_domains?
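A main.cf fragment that puts the settings described in this reply together (added here as an illustration, not configuration from the thread); the LAN-facing address 192.0.2.10, the example.com target addresses and the map file path are assumptions:

```ini
# /etc/postfix/main.cf fragment (constructed example)

# Trust only the host itself: LAN clients are unprivileged and
# permit_mynetworks no longer lets them relay anywhere.
mynetworks = 127.0.0.0/8

# Listen on the internal interface only (assumed 192.0.2.10), so hosts
# outside the LAN never reach this smtpd at all.
inet_interfaces = 192.0.2.10, 127.0.0.1

# example.local is deliberately NOT a local (mydestination) domain ...
mydestination = localhost

# ... it is a virtual alias domain, so a RCPT TO user@example.local is
# accepted only if that recipient exists in virtual_alias_maps; unknown
# recipients are rejected with "User unknown in virtual alias table".
virtual_alias_domains = example.local
virtual_alias_maps = hash:/etc/postfix/virtual

# No relay domains: with reject_unauth_destination, mail from the LAN to
# arbitrary-domain.tld is rejected as "Relay access denied".
relay_domains =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Whatever is accepted (the rewritten example.com addresses) is handed to
# the site's mail server rather than delivered directly.
relayhost = [mail.example.com]

# /etc/postfix/virtual (constructed): the per-recipient map mentioned above.
# Left-hand side is what LAN clients may address; right-hand side is where
# the relayhost finally delivers it.
# alice@example.local    alice@example.com
# bob@example.local      bob@example.com
```

Run `postmap /etc/postfix/virtual` after editing the map and `postfix reload` after editing main.cf; `postconf -n` shows the non-default values actually in effect.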