Andre Hübner wrote:
> setup works but there is still security-problem that a client ip which
> is allowed for etrn is requesting mails for other domain.
> is there a combination of restrictions to make it safe or is an own
> policy-service better solution?

Given how ETRN works, this is not to be considered a security issue. If your
client issues an ETRN command for another domain, it does nothing but trigger
delivery attempts of mails in your queue for the named destination.

Example:

  A - Attacker
  C - Customer
  S - Server

Sending ETRN for whatever domain...

  +---+   ETRN domain-C.tld    +---+
  | A | ---------------------> | S |
  +---+                        +---+

...tells your Postfix server to try to deliver what is in its queue based on
lookup / transport settings:

  +---+   Attempt to deliver   +---+
  | S | ---------------------> | C |
  +---+ mail for domain-C.tld  +---+

So, nothing to fear here. All the harm your clients could do is stress your
Postfix queue.

> atrn/odmr
> In contrast to expectation atrn/odmr works pretty different. Is there an
> official Readme how to deal with this the best way?
> All I found are really old discussions with no clear answers.

ATRN/ODMR is afaik not provided by Postfix, you could give a quick look at
http://plonk.de/sw/odmr/ - however I never tried it.

Regards,
Thomas Gelf
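
For sites that still want each client limited to its own domains, the policy-service route raised in the question can look like the following. This is an added example, not code from the thread or from Postfix; it assumes the delegate is invoked through check_policy_service in smtpd_etrn_restrictions, and the client-to-domain table is constructed sample data.

```python
#!/usr/bin/env python3
"""Postfix policy delegate: limit which domains each client may ETRN."""
import ipaddress
import sys

# Constructed sample mapping (assumption): client network -> domains it may flush.
ALLOWED = {
    "192.0.2.10/32": {"domain-c.tld"},
    "198.51.100.0/24": {"example.org", "example.net"},
}


def parse_request(lines):
    """Turn the 'name=value' lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, allowed=ALLOWED):
    """Return the policy action for one request."""
    if attrs.get("protocol_state") != "ETRN":
        return "DUNNO"  # not an ETRN request; leave it to other restrictions
    domain = attrs.get("etrn_domain", "").rstrip(".").lower()
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "REJECT ETRN not permitted"  # fail closed on unparsable address
    for net, domains in allowed.items():
        if client in ipaddress.ip_network(net) and domain in domains:
            return "OK"
    return "REJECT ETRN not permitted for this domain"


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF; each request ends with an empty line."""
    block = []
    for line in stream_in:
        if line.strip():
            block.append(line)
            continue
        stream_out.write("action=%s\n\n" % decide(parse_request(block)))
        stream_out.flush()
        block = []


if __name__ == "__main__":
    serve()
```

The "OK" result only permits the ETRN command itself; which mail is actually flushed still depends on the queue and transport settings described in the reply above.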
