On 06/04/2011 05:06 AM, mouss wrote:
Using check_*_access before reject_unauth_destination is discouraged. It
may (accidentally) lead to open relay should "someone" add an entry that
returns OK.

Better use:

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access_sender

== access_sender:
techsoft3d.com REJECT
.techsoft3d.com REJECT

That makes sense now that I see an example. Lists of options like the
documentation tend to just confuse me.

Note to OP: this rejects mail with a sender in your domain unless it
comes from mynetworks or is authenticated (SASL).

A better setup is to separate inbound mail service (MX) and submission
service (MSA), for example by using port 587 for submission. Then you
wouldn't need to create an exception ("reject unless").

He could start with
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/RESTRICTION_CLASS_README.html

If I understand this right, for the MX side I could put

smtpd_recipient_restrictions =
    permit_sasl_authenticated

or should it be

smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/access_sender

== access_sender:
techsoft3d.com REJECT
.techsoft3d.com REJECT

and on the internal side it would accept all with no restrictions?
The way the documentation is worded, it confuses me which one would apply here.
Does smtpd_sender... = outgoing mail or the From: box?

Thanks
Kendrick
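
An added example, not part of the original thread: a small Python check for the ordering problem described above, listing any check_*_access lookup that smtpd_recipient_restrictions evaluates before reject_unauth_destination. The function names and both sample configurations are constructed for illustration, and treating defer_unauth_destination as an equivalent guard is an assumption of this sketch. A hit means an OK result from that table would be accepted before the relay check runs, not that the server is already an open relay.

```python
import re

GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
CHECK_ACCESS = re.compile(r"check_\w+_access$")

def restriction_list(main_cf, name="smtpd_recipient_restrictions"):
    """Return the tokens of `name`, honouring main.cf continuation lines."""
    logical = []
    for raw in main_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    value = ""
    for line in logical:
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val                   # a later definition overrides an earlier one
    return [t for t in re.split(r"[,\s]+", value) if t]

def access_before_relay_guard(main_cf):
    """Return (restriction, table) pairs evaluated before the relay guard."""
    tokens, risky = restriction_list(main_cf), []
    for i, tok in enumerate(tokens):
        if tok in GUARDS:
            break
        if CHECK_ACCESS.match(tok):
            risky.append((tok, tokens[i + 1] if i + 1 < len(tokens) else None))
    return risky

# Constructed sample: an access table consulted before the relay guard.
RISKY = """smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/access_sender
    permit_mynetworks
    reject_unauth_destination
"""
# The ordering given in the thread.
SAFE = """smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access_sender
"""

if __name__ == "__main__":
    for label, conf in (("risky", RISKY), ("safe", SAFE)):
        print(label, access_before_relay_guard(conf))
```

If no guard is present at all, every check_*_access lookup in the list is reported.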