On 8/16/2010 1:54 PM, michael.lar...@wellsfargo.com wrote:
> I need to implement a relay on a test network that will
> discard all mail destined for corporate email addresses
> *except* the corporate email addresses that are explicitly
> allowed. The reason is that my test network is subject to
> quotas, and I have to throttle the traffic through the
> corporate email servers to keep testing going. Stan has been
> graciously helping me offline to try implementing a
> whitelist/blacklist system, but we're still running into
> problems with the configuration - most likely because I'm
> unable to adequately articulate my needs. Essentially what I'm
> after is:
>
> Relay mail from *specific* test network application hosts to
> *specific* corporate email addresses (whitelist)
>
> Relay mail from *one specific* test network host to *any
> corporate email address* (whitelist)
>
> "DISCARD" (rather than reject) all other mail traffic that
> hits my relay (blacklist)
> ...
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>     check_client_access hash:/etc/postfix/whitelist_access
>     check_sender_access hash:/etc/postfix/whitelist_access
>     check_recipient_access hash:/etc/postfix/whitelist_access
>     check_client_access hash:/etc/postfix/blacklist_access
>     check_sender_access hash:/etc/postfix/blacklist_access
>     check_recipient_access hash:/etc/postfix/blacklist_access
> ...
> The problem I’m having is with reject_unauth_destination. If I
> specify the corporate domain name in relay.db, any email
Move reject_unauth_destination to below your white/black
lists. Once you do that, you're on your own to ensure you
don't create an open relay, but your access maps give you full
control over who is allowed to relay.
If you need two-factor tests, you can use
smtpd_restriction_classes. The basic idea is explained here:
http://www.postfix.org/RESTRICTION_CLASS_README.html
> I want to relay only the "from hosts"/"to email
> addresses" specified in the whitelist, and DISCARD everything
> else. Is this possible?
Sure... But you'll need to do some work yourself.
Postfix restrictions are a simple first-match-wins. Your
general outline will look like:
smtpd_recipient_restrictions =
... local whitelist ...
... local whitelist ...
static:discard
reject_unauth_destination
Don't use permit_mynetworks (or set mynetworks=127.0.0.1).
Then use as many whitelists as you need to allow the
clients/senders/etc. you want. Use smtpd_restriction_classes
for multiple-factor tests. Using the above outline, anything
not specifically allowed with an OK is discarded; you don't
even need a specific blacklist unless you want to put a
never-relay blacklist before the whitelist.