On Thu, Jan 27, 2011 at 02:11:02PM +0800, sunhux G wrote:

> I'm setting up a postfix mailserver.  Only a handful (of about 6 domains,
>  i.e. x...@dsta.gov.sg, x...@starnet.gov.sg, x...@ncssmsonbehalf.com.sg,
>  x...@accenture.com) are allowed to email to my postfix server.

When you say that only certain sender domains are allowed, do you mean
that only the authorized sending systems associated with those domains
are allowed to send you email, or is the "risk" of accepting forged
sender addresses in the allowed domains tolerable?

> a) do I permit SMTP (TCP 25) only to the above few domains or do
>     I permit to all public Internet & use whitelisting to permit only
>     those few domains to send to me?

This makes no sense. Port 25 is a TCP-layer entity, and an email address
domain is an SMTP entity. When TCP connections are filtered there is
no SMTP sender address context.

> b) how do I determine the source IP address of those domains besides
>     calling up those organizations to find out?  Is there some kind of
>     lookup service to find out their addresses so that I can provide
>     these source addresses for our firewall administrator to permit
>     SMTP?

Welcome to email authentication. If you want to firewall your server,
you need to coordinate the list of allowed SMTP client IPs with the
administrators of the domains in question.

Otherwise, you can use DKIM, SPF, TLS client certs, ... by mutual
arrangement with the same administrators.

-- 
        Viktor.
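
Added example, not part of the original message or of Postfix: a small Python model of the three checks discussed in this thread, showing what each layer can see. The domain names, networks (RFC 5737 documentation ranges) and function names are constructed for illustration and stand in for the client IP list agreed with each domain's administrators.

```python
import ipaddress

# Constructed policy: each allowed sender domain is bound to the SMTP client
# networks its administrators reported (assumed values, documentation ranges).
ALLOWED = {
    "partner-a.example": ["192.0.2.0/28"],
    "partner-b.example": ["198.51.100.25/32"],
}

def _in_any(client_ip, networks):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in networks)

def firewall_allows(client_ip):
    """TCP-layer view: only the source IP exists, there is no sender address."""
    return _in_any(client_ip, [n for nets in ALLOWED.values() for n in nets])

def sender_domain(mail_from):
    """Domain of the envelope sender, lower-cased; '' for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def domain_only_check(mail_from):
    """SMTP-layer allowlist on the claimed domain alone; the claim is forgeable."""
    return sender_domain(mail_from) in ALLOWED

def bound_check(client_ip, mail_from):
    """Accept only when the claimed domain arrives from that domain's clients."""
    return _in_any(client_ip, ALLOWED.get(sender_domain(mail_from), []))

def evaluate(sessions):
    """Return (firewall, domain_only, bound) verdicts for each session."""
    return [(firewall_allows(ip), domain_only_check(frm), bound_check(ip, frm))
            for ip, frm in sessions]

# Constructed sessions: (connecting client IP, MAIL FROM value)
SESSIONS = [
    ("192.0.2.5", "<alice@partner-a.example>"),      # genuine partner A host
    ("203.0.113.77", "<alice@partner-a.example>"),   # forged sender, unknown host
    ("198.51.100.25", "<bob@partner-a.example>"),    # partner B host claiming A
    ("192.0.2.5", "<>"),                             # null sender (bounce)
]

if __name__ == "__main__":
    for session, verdicts in zip(SESSIONS, evaluate(SESSIONS)):
        print(session, dict(zip(("firewall", "domain_only", "bound"), verdicts)))
```

The second and third sessions are the cases that separate the approaches: a sender-domain allowlist alone accepts both, and an IP-only firewall accepts the third.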
