On 1/27/11 7:11 AM, sunhux G wrote:

I'm setting up a postfix mailserver.  Only a handful (of about 6 domains,
i.e. x...@dsta.gov.sg, x...@starnet.gov.sg, x...@ncssmsonbehalf.com.sg, x...@accenture.com) are allowed to email to my postfix server.


From security & efficiency (so as not to process too many emails)
point of view,

a) do I permit SMTP (TCP 25) only to the above few domains, or do
    I permit to all public Internet & use whitelisting to permit only
    those few domains to send to me ?

Postfix - and, in fact, networking - doesn't work that way.
If you intend to receive email from other public servers, then yes, you need to expose and listen on port TCP 25.

You limit which domains you accept mail for with the appropriate postfix main.cf configuration options.

The most appropriate in this instance would be a sender access map, configured by adding

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/allowed_domains, reject

to your main.cf.

The file allowed_domains would contain a list of allowed sender address wildcards followed by OK or permit:

    dsta.gov.sg        OK
    starnet.gov.sg    OK

Remember to run postmap on the file whenever you change it.

b) how do I determine the source IP address of those domains besides
    calling up those organizations to find out?  Is there some kind of
    lookup services to find out their addresses so that I can provide
    these source addresses for our firewall administrator to permit
    SMTP ?


It really doesn't work that way.
Email can come from anywhere, via multiple routes that do not have any direct relation with the sending domain.

I am assuming here that it is the sending DOMAIN you wish to accept mail from, and not specific sending IP addresses.

They are handled quite differently.



I'm using dovecot to provide POP3 functionality as well so I'll need to
know those email clients' source IP addresses that connect to my
postfix server to empty emails from some of my postfix email accounts.

That's really not related to postfix.


Thanks & apologies if these are basic questions




--
J.
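
How the sender access map in the reply above is evaluated, as an added example that is not part of the original message and not Postfix's own code: a Python model of the access(5) lookup order for check_sender_access followed by reject. The function names and sample senders are constructed for illustration, and the table is the two-line allowed_domains file shown above.

```python
# Added example: a model of access(5) lookups, not Postfix source code.
ALLOWED_DOMAINS = """\
dsta.gov.sg        OK
starnet.gov.sg    OK
"""

def load_table(text):
    """Parse 'pattern action' lines like the postmap source file."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            pattern, action = line.split(None, 1)
            table[pattern.lower()] = action.strip().upper()
    return table

def lookup_keys(sender, parent_matches_subdomains=True):
    """Keys tried for one envelope sender, in access(5) search order."""
    if sender == "":
        return ["<>"]  # default smtpd_null_access_lookup_key (bounces)
    local, _, domain = sender.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # Without smtpd_access_maps in parent_domain_matches_subdomains,
        # subdomains match only an explicit ".domain.tld" entry.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{local}@")
    return keys

def sender_decision(sender, table, parent_matches_subdomains=True):
    """Model 'check_sender_access <table>, reject' for one MAIL FROM."""
    for key in lookup_keys(sender, parent_matches_subdomains):
        action = table.get(key)
        if action in ("OK", "PERMIT"):
            return "permit"
        if action in ("REJECT", "DUNNO"):
            break  # REJECT rejects; DUNNO falls through to 'reject'
        if action is not None:
            raise ValueError(f"action not modelled: {action}")
    return "reject"  # the trailing 'reject' restriction

TABLE = load_table(ALLOWED_DOMAINS)
if __name__ == "__main__":
    # Constructed sample envelope senders; "" is the null sender.
    for s in ["alice@dsta.gov.sg", "bob@mail.starnet.gov.sg",
              "carol@notdsta.gov.sg", "dave@example.com", ""]:
        print(repr(s), "->", sender_decision(s, TABLE))
```

The lookup key is the envelope sender given in MAIL FROM, so a bounce with the null sender is looked up as <> and is rejected by this table unless that key is added.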
