Or, if you want to have one "regular" interface and one "restricted" (to receive email only from the primary relay), you could use the following:

In master.cf:

#standard port 25
smtp      inet  n       -       n       -       -       smtpd
#restricted interface to receive email only from specified hosts
192.168.1.100:25 inet n - n - - smtpd
  -o smtpd_client_restrictions=${smtpd_client_restrictions_limited-interface}
  -o smtpd_recipient_restrictions=${smtpd_recipient_restrictions_limited-interface}

In main.cf:

smtpd_client_restrictions_limited-interface =
  permit_mynetworks
  permit_sasl_authenticated
  check_client_access hash:$config_directory/tables/smtpd_client_access_limited-interface
  reject

smtpd_recipient_restrictions_limited-interface =
  reject_non_fqdn_recipient
  reject_unknown_recipient_domain
  check_recipient_access pcre:$config_directory/tables/smtpd_recipient_access_limited-interface.pcre
  #optional
  permit_mynetworks
  permit_sasl_authenticated
  reject_non_fqdn_hostname
  reject_invalid_hostname
  reject_unlisted_recipient
  reject_unauth_destination

In tables/smtpd_client_access_limited-interface (which must be postmap'ed to ".db" format):

#allow primary MX relay servers on the limited interface;
10.10.10.10 OK
10.10.10.11 OK
10.10.10.12 OK
10.10.10.13 OK
10.10.10.14 OK

In tables/smtpd_recipient_access_limited-interface.pcre:

# Limited interface: accept only mail for domains that are relayed through the primary MX;
# (this file is not really necessary since the interface is limited to receive mail only
# from known relay servers, but I include it as an example; it could be useful if you
# didn't know the relay server IPs but wanted to restrict reception of email on a
# particular interface to specific domains only)
/@(domainone\.com|
   domaintwo\.com|
   domainthree\.com|
   fomainfour\.info|
   domainfive\.net|
   domainsix\.org)$/x OK
# reject everything that is not on the above list;
# rejection must be included or else everything is allowed!
/^/ REJECT

---

You could, of course, extrapolate a configuration from the above that would not have an open interface at all and so all mail reception would then be limited to the primary MX relay servers.

This was discussed more extensively on the list last November. Check out the archives here -> http://marc.info/?t=122613480800001&r=1&w=2

Ville
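
Added example (not part of the original posts and not Postfix code): a small Python model of how a pcre recipient table like the one above is read, to check the final `/^/ REJECT` rule before deploying. It assumes Postfix's documented pcre table behaviour (first match wins, matching is case-insensitive by default, `x` enables extended syntax); `parse_table`, `lookup` and the shortened three-domain table are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the recipient table from the post.
TABLE = r"""
# Limited interface: accept only mail for relayed domains
/@(domainone\.com|
   domaintwo\.com|
   domainsix\.org)$/x OK
# reject everything that is not on the above list
/^/ REJECT
"""

def parse_table(text):
    """Return [(compiled_regex, action)] in file order."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # blank and comment lines are ignored
        if line[0].isspace() and logical:
            logical[-1] += "\n" + line     # leading whitespace continues a rule
        else:
            logical.append(line)
    rules = []
    for entry in logical:
        m = re.match(r"/(.*)/([a-zA-Z]*)\s+(\S.*)$", entry, re.S)
        if not m:
            raise ValueError("unparsed rule: %r" % entry)
        pattern, flags, action = m.groups()
        opts = re.IGNORECASE               # pcre tables are case-insensitive by default
        for f in flags:                    # only the i and x flags are modelled here
            if f == "i":
                opts ^= re.IGNORECASE      # i toggles case sensitivity
            elif f == "x":
                opts ^= re.VERBOSE         # x toggles extended syntax
            else:
                raise ValueError("flag not modelled: " + f)
        rules.append((re.compile(pattern, opts), action.strip()))
    return rules

def lookup(rules, recipient):
    """First matching rule decides; None means no result, so the decision
    passes to whatever follows in the restriction list."""
    for rx, action in rules:
        if rx.search(recipient):
            return action
    return None

if __name__ == "__main__":
    rules = parse_table(TABLE)
    for rcpt in ("user@domaintwo.com", "stranger@example.net"):
        print(rcpt, "->", lookup(rules, rcpt))
```

Removing the `/^/ REJECT` line from the table makes `lookup` return `None` for unlisted recipients, which is the case the comment in the table warns about.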