On 11/3/2011 10:47 PM, Chris Richards wrote:
> I've got a situation where some clients on my network apparently have
> computers that have been compromised because every time they change their
> password, spammers on the outside get it and use their email account to
> spam.
>
> I've got the server right now configured to only allow users within my
> network to send e-mail, so that particular problem is under control, but
> this necessarily means that users OUTSIDE my network cannot relay, even if
> they sasl-auth.
>
> In looking through the documentation and readmes, I've come across the
> smtpd_client_restrictions setting, and the check_client_access clause.
>
> Am I right in guessing that if I do something like the following:
>
> smtpd_sender_restrictions = permit_mynetworks,
>     check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
>     permit_sasl_authenticated,
>     reject;
>
> where check_sender_access returns 'dunno' for 'trusted' clients and 'no'
> for 'untrusted' clients, that the result will be to fall through to
> permit_sasl_auth for the 'trusted' clients and fail entirely for the
> 'untrusted' clients who are OUTSIDE, but still permit normal relay for
> clients who are INSIDE?
>
> Thanks in advance for your help.
>
> Chris
>

You're talking about trusted clients, but your example above shows
checking the sender address (i.e. u...@example.com). If you want to
assign trust using the client IP, use check_client_access rather than
check_sender_access.

And "no" isn't a valid access table result; "REJECT" would seem
appropriate.

Also, if this is your internet MX, it will reject all incoming mail.
To avoid that problem you can use "permit_auth_destination, reject"
instead of a plain "reject" at the end of the restriction list.

Other than that, the general idea is sound. Or maybe just terminate
abusive accounts.

  -- Noel Jones
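
The fall-through behaviour discussed in this thread, as an added example that is not part of either message and is not Postfix code: a simplified Python model of one restriction list, in which the first result other than DUNNO decides. The addresses, the domain, the access-table entries, the helper names `evaluate` and `decide`, and the reduction to a single list are assumptions made for illustration.

```python
import ipaddress

MYNETWORK = ipaddress.ip_network("192.0.2.0/24")  # all values here are constructed samples
LOCAL_DOMAINS = {"example.com"}  # domains this MX accepts mail for
CLIENT_ACCESS = {"198.51.100.7": "DUNNO", "203.0.113.9": "REJECT"}  # trusted, untrusted

def permit_mynetworks(s):
    return "PERMIT" if ipaddress.ip_address(s["client"]) in MYNETWORK else "DUNNO"

def check_client_access(s):
    # A key missing from the table behaves like DUNNO; OK means permit.
    result = CLIENT_ACCESS.get(s["client"], "DUNNO")
    return "PERMIT" if result == "OK" else result

def permit_sasl_authenticated(s):
    return "PERMIT" if s["sasl"] else "DUNNO"

def permit_auth_destination(s):
    return "PERMIT" if s["rcpt"].rsplit("@", 1)[1] in LOCAL_DOMAINS else "DUNNO"

def reject(s):
    return "REJECT"

def evaluate(restrictions, session):
    """Walk the list in order; the first result other than DUNNO decides."""
    for restriction in restrictions:
        result = restriction(session)
        if result != "DUNNO":
            return result, restriction.__name__
    return "DUNNO", "end of list"

PLAIN_REJECT = [permit_mynetworks, check_client_access, permit_sasl_authenticated, reject]
WITH_AUTH_DEST = PLAIN_REJECT[:-1] + [permit_auth_destination, reject]

SESSIONS = {  # constructed sessions: (client IP, SASL authenticated, recipient)
    "inside": ("192.0.2.10", False, "user@example.net"),
    "trusted outside + SASL": ("198.51.100.7", True, "user@example.net"),
    "untrusted outside + SASL": ("203.0.113.9", True, "user@example.net"),
    "inbound MX delivery": ("203.0.113.50", False, "user@example.com"),
    "relay attempt, no auth": ("203.0.113.50", False, "user@example.net"),
}

def decide(restrictions, name):
    client, sasl, rcpt = SESSIONS[name]
    return evaluate(restrictions, {"client": client, "sasl": sasl, "rcpt": rcpt})

if __name__ == "__main__":
    for name in SESSIONS:
        print(name, decide(PLAIN_REJECT, name), decide(WITH_AUTH_DEST, name))
```

Only the "inbound MX delivery" session changes between the two lists: the plain "reject" ending refuses it, while the "permit_auth_destination, reject" ending accepts it and still refuses the unauthenticated relay attempt.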