-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Victor Duchovni
Sent: Thursday, December 30, 2010 10:37 AM
To: Larsen, Michael W.
Cc: postfix-users@postfix.org
Subject: Re: Relay restrictions
On Thu, Dec 30, 2010 at 09:15:30AM -0600, michael.lar...@wellsfargo.com wrote:
> With Noel's explanation I think I got it figured out, but before I try it I'd
> appreciate other brains validating what I've created as a sanity check.
> Here's what I have:
>
> <snip from main.cf>
> ###
> smtpd_recipient_restrictions =
> # Check what hosts are allowed to relay. Anything not
> # listed in the access table is discarded.
>
> check_client_access hash:/etc/postfix/client_access
Viktor said:
"This is not how it works, anything not listed is tested against
the rules below."
Actually, the comments were just me being confused. The original intent was to
allow relay of all mail from/to the hosts listed in the access table, and all
other hosts be evaluated against the subsequent rules.
> # See what addresses are allowed to relay as senders.
> # Check them against allowed recipients in recipient_access
> # under smtpd_restriction_classes.
> check_sender_access hash:/etc/postfix/sender_access
Viktor said:
"This makes you an open relay for forged sender addresses."
Yes, Noel made me aware of that risk when answering the original query, I just
don't know what to do about it and maintain the basic functionality of what I'm
trying to achieve (see below).
> check_client_access static:discard
Viktor said:
"After the open-relay, mail from unlisted clients is discarded, why not
reject first?"
Because we don't want reject messages going back to the application. We just
want unwanted mail to disappear.
> reject_unauth_destination
Viktor said:
"DO NOT apply ANY sender checks until you've first applied
reject_unauth_destination"
This goes back to one of the original problems I was trying to solve:
"The problem I'm having is with reject_unauth_destination. If I
specify the corporate domain name in relay.db, any email address
with that domain name relays, which is exactly the opposite of
what I want. _Without_ the corporate domain name in relay.db,
everything is rejected before whitelist/blacklist are checked.
I want to relay only the "from hosts"/"to email addresses" specified
in the whitelist, and DISCARD everything else. Is this possible?"
Noel replied with:
"Move reject_unauth_destination to below your white/black lists.
Once you do that, you're on your own to insure you don't create
an open relay, but your access maps give you full control over
who is allowed to relay."
--
Viktor.
