This solution is exactly what I needed! Thanks everyone for your help!
-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of michael.lar...@wellsfargo.com
Sent: Tuesday, August 17, 2010 1:49 PM
To: postfix-users@postfix.org
Subject: RE: Configuring internal mail relay

Sorry I'm so late to the game, Noel - I forgot I implemented a rule to move these to a separate folder. <blush> Thanks to Brian for the heads-up to look. I'll play with this and see how it goes, post a response in a bit. Thanks!

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
Sent: Monday, August 16, 2010 4:47 PM
To: postfix-users@postfix.org
Subject: Re: Configuring internal mail relay

On 8/16/2010 1:54 PM, michael.lar...@wellsfargo.com wrote:
> I need to implement a relay on a test network that will
> discard all mail destined for corporate email addresses
> _except_ the corporate email addresses that are explicitly
> allowed. The reason is that my test network is subject to
> quotas, and I have to throttle the traffic through the
> corporate email servers to keep testing going. Stan has been
> graciously helping me offline to try implementing a
> whitelist/blacklist system, but we're still running into
> problems with the configuration - most likely because I'm
> unable to adequately articulate my needs. Essentially what I'm
> after is:
>
> Relay mail from _specific_ test network application hosts to
> _specific_ corporate email addresses (whitelist)
> Relay mail from _one specific_ test network host to _any
> corporate email address_ (whitelist)
> "DISCARD" (rather than reject) all other mail traffic that
> hits my relay (blacklist)

...

> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>     check_client_access hash:/etc/postfix/whitelist_access
>     check_sender_access hash:/etc/postfix/whitelist_access
>     check_recipient_access hash:/etc/postfix/whitelist_access
>     check_client_access hash:/etc/postfix/blacklist_access
>     check_sender_access hash:/etc/postfix/blacklist_access
>     check_recipient_access hash:/etc/postfix/blacklist_access

...

> The problem I'm having is with reject_unauth_destination. If I
> specify the corporate domain name in relay.db, any email

Move reject_unauth_destination to below your white/black lists. Once you do that, you're on your own to ensure you don't create an open relay, but your access maps give you full control over who is allowed to relay.

If you need two-factor tests, you can use smtpd_restriction_classes. The basic idea is explained here:
http://www.postfix.org/RESTRICTION_CLASS_README.html

> I want to relay only the "from hosts"/"to email
> addresses" specified in the whitelist, and DISCARD everything
> else. Is this possible?

Sure... But you'll need to do some work yourself.

Postfix restrictions are a simple first-match-wins. Your general outline will look like:

smtpd_recipient_restrictions =
    ... local whitelist ...
    ... local whitelist ...
    static:discard
    reject_unauth_destination

Don't use permit_mynetworks (or set mynetworks=127.0.0.1). Then use as many whitelists as you need to allow the clients/senders/etc. you want. Use smtpd_restriction_classes for multiple-factor tests.

Using the above outline, anything not specifically allowed with an OK is discarded; you don't even need a specific blacklist unless you want to put a never-relay blacklist before the whitelist.
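
Added example, not part of the original thread: one way to fill in the outline above for the three requirements in the question, using restriction classes as the second (recipient) test. The host addresses, corp.example, the map file names and the class names are assumptions, and the outline's bare static:discard is written here as check_client_access static:DISCARD.

```conf
# --- /etc/postfix/main.cf (fragment; names and paths are assumed) ---
# Trust only the relay itself, and do not list permit_mynetworks below.
mynetworks = 127.0.0.1

# Second-factor tests, run only for clients that relay_clients maps to them.
smtpd_restriction_classes = listed_rcpts_only, any_corp_rcpt
listed_rcpts_only = check_recipient_access hash:/etc/postfix/allowed_rcpts
any_corp_rcpt = check_recipient_access hash:/etc/postfix/corp_domain

# First match wins: per-client whitelist, then discard whatever got no OK.
# reject_unauth_destination is never reached but keeps a relay check listed.
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/relay_clients
    check_client_access static:DISCARD
    reject_unauth_destination

# --- /etc/postfix/relay_clients (constructed sample: client -> class) ---
# Application hosts: may reach only the listed recipients.
192.0.2.11    listed_rcpts_only
192.0.2.12    listed_rcpts_only
# The one host that may reach any corporate address.
192.0.2.20    any_corp_rcpt

# --- /etc/postfix/allowed_rcpts (constructed sample) ---
qa-lead@corp.example      OK
build-alerts@corp.example OK

# --- /etc/postfix/corp_domain (constructed sample) ---
corp.example    OK
```

Run postmap on each hash: map after editing it, then reload Postfix. A recipient that a class does not answer with OK falls through to the DISCARD line, so only the listed client and recipient pairs are ever relayed.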