Hello everyone,
First of all, thank you for reading this! I have the following two
goals:
a) to only allow relaying mail when SASL authenticated, and b) to only
accept local (virtual) domains in the "MAIL FROM" address when relaying.
What I currently have works well for "a)" but I can't manage "b)".
Here's my current set of smtpd restrictions:
smtpd_sender_restrictions =
    reject_unauth_pipelining
    permit_sasl_authenticated
    reject_unknown_sender_domain
    reject_unlisted_sender
    permit

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unverified_recipient
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:12525
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client bl.spamcop.net
    permit
With this, authenticated users can basically do whatever they want. The
goal is now to restrict them to sending from local domains (but allow them
to use any "name@").
I've tried adding "check_sender_access" in the "sender_restrictions" and
listing only the IP addresses used by the allowed domains in there with "OK".
But this seems to work as a blacklist only; what I would need is to reject
everything else, like "* REJECT", but that doesn't work. Also, I'd still need
to allow receiving mail with a sender that is not in this list.
Breaking it down (without all the spam and domain checks) I'd need rules
to:
- Allow any sender with local recipient
- Allow any destination with local sender (only when authenticated)
It sounds simple, yet I have the impression that these two requirements
are not compatible with the rules available. I'd need to be able to have a
different set of rules for authenticated users.
Any hint as to what could be done to achieve this would be greatly
appreciated.
Thanks,
- Matt
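Added example (not from the poster's configuration): one way to express "authenticated clients may relay only with a local sender domain" without a separate restriction list for authenticated users is to let the sender lookup decide *which* restriction applies. A check_sender_access result may be the name of a restriction, so a pcre: table that returns permit_sasl_authenticated for local domains, placed where permit_sasl_authenticated used to be, permits authenticated relaying only for those senders; every other sender falls through to reject_unauth_destination, which still lets it reach local recipients. The domains example.com and example.org are placeholders for the server's virtual domains, and the rest of the list is the poster's own.

```conf
# /etc/postfix/main.cf (fragment; only the lists that change are shown)
#
# Decision matrix for the list below:
#   unauthenticated, any sender, local recipient  -> lookup result permit_sasl_authenticated
#                                                   does not apply, reject_unauth_destination
#                                                   accepts the local recipient
#   authenticated, local sender, any recipient    -> permitted by the lookup result
#   authenticated, foreign sender, remote recipient -> no match, reject_unauth_destination rejects
#   null sender <> (bounces)                      -> no match, so it cannot be used to relay
smtpd_recipient_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/local_sender_domains.pcre
    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unverified_recipient
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:12525
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client bl.spamcop.net
    permit

# Postfix 2.10 and later evaluate smtpd_relay_restrictions before
# smtpd_recipient_restrictions, and its default list contains
# permit_sasl_authenticated, which would permit the relay before the
# sender check above ever runs. Apply the same substitution there.
# (Older versions log an "unused parameter" warning and ignore it.)
smtpd_relay_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/local_sender_domains.pcre
    reject_unauth_destination

# /etc/postfix/local_sender_domains.pcre
# Only the domain part is checked; any "name@" is accepted, as requested.
# pcre: tables match case-insensitively by default and need no postmap run.
# example.com / example.org are placeholders for the hosted virtual domains.
/^[^@]+@(example\.com|example\.org)$/    permit_sasl_authenticated
```

Before reloading, the lookup can be checked from the shell with `postmap -q alice@example.com pcre:/etc/postfix/local_sender_domains.pcre`, which should print permit_sasl_authenticated, while an address in a foreign domain prints nothing. The existing smtpd_sender_restrictions can stay as they are: a permit there only ends that list, it does not skip the recipient restrictions where the relay decision is made. Note that permit_mynetworks remains first, so clients inside $mynetworks are not subject to the sender check whether or not they authenticate.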