Barney Desmond wrote:
> 2009/4/18 LuKreme <krem...@kreme.com>:
>> Ah.. no. I see where I misspoke. I don't want smtp connections out from
>> the LAN SERVER to servers other than mail.example.com (that is, postfix on
>> example.local will only ever, no matter what, connect to mail.example.com).
>
> Sure, can't you set your firewall to do this?
> iptables -A OUTPUT -d x.x.x.x -p tcp --dport smtp -j ACCEPT
> iptables -A OUTPUT -p tcp --dport smtp -j REJECT
>
> This is just policy enforcement though. A correct policy
> *implementation* should ensure postfix behaves as you expect.
>
> 2009/4/18 mouss <mo...@ml.netoyen.net>:
>>>> The only thing I'm unsure about there is the "match $inet_interfaces"
>>>> - if example.local == $inet_interfaces, will it short circuit the
>>>> check for virtual_alias_domains?
>>>>
>> you need to reread that piece of documentation. there is no short circuit.
>
> Okay, I've read that piece a couple of times, perhaps you (or someone)
> can clarify the meaning of statements like this:
>
> "Mail to local destinations that match $inet_interfaces or
> $proxy_interfaces, $mydestination, $virtual_alias_domains, or
> $virtual_mailbox_domains"
>
> I believe this is meant to be parsed as (($inet_interfaces or
> $proxy_interfaces) or $mydestination or $virtual_alias_domains or
> $virtual_mailbox_domains). I'm fine with that now, but can you explain
> or give an example of a destination that would match inet_interfaces
> or proxy_interfaces? Mail with a recipient like usern...@1.2.3.4 ?

with the brackets: usern...@[1.2.3.4]. (usern...@1.2.3.4 is invalid)

but anyway, this has nothing to do with a "shortcut". by default,
- mail coming from mynetworks is always accepted
- mail coming out of other networks is subject to relay control: it is
  only accepted if sent to a relay domain or to a domain handled by postfix.

but here "accepted" means it passes the default
smtpd_recipient_restrictions. this doesn't mean it will pass other
checks. in particular, recipients will be validated unless this is
disabled (which is not recommended).
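
The default relay decision described in the reply above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model showing that the destination classes are OR-ed with no short circuit, and that only a bracketed address literal matches `$inet_interfaces`. The configuration values, the function names and the result strings are constructed for illustration; the model covers IPv4 literals and exact domain matches only, and does not model the later recipient validation.

```python
import ipaddress

# Constructed sample settings (assumed values, not taken from the thread).
CONFIG = {
    "mynetworks": ["127.0.0.0/8", "192.168.1.0/24"],
    "inet_interfaces": ["192.0.2.25"],
    "proxy_interfaces": [],
    "mydestination": ["example.local", "localhost"],
    "virtual_alias_domains": ["alias.example"],
    "virtual_mailbox_domains": [],
    "relay_domains": ["relay.example"],
}

def client_in_mynetworks(client_ip, cfg):
    """True when the connecting client falls inside any mynetworks range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in cfg["mynetworks"])

def destination_class(recipient, cfg):
    """Name the parameter the recipient domain matches, or None."""
    local, sep, domain = recipient.rpartition("@")
    if not sep or not local:
        return None
    domain = domain.lower()
    if domain.startswith("[") and domain.endswith("]"):
        # Address literal: compared against the interface address lists.
        literal = domain[1:-1]
        for name in ("inet_interfaces", "proxy_interfaces"):
            if literal in cfg[name]:
                return name
        return None
    # A bare "1.2.3.4" is treated as an ordinary (non-matching) domain name.
    for name in ("mydestination", "virtual_alias_domains",
                 "virtual_mailbox_domains", "relay_domains"):
        if domain in cfg[name]:
            return name
    return None

def relay_check(client_ip, recipient, cfg=CONFIG):
    """Hypothetical helper: outcome of the default relay control only."""
    if client_in_mynetworks(client_ip, cfg):
        return "permit (mynetworks)"
    matched = destination_class(recipient, cfg)
    if matched:
        return f"permit ({matched})"
    return "reject (relay access denied)"
```

A "permit" here only means the message got past relay control; whether the recipient actually exists is a separate check.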