On 2011-12-30 20:33, Lee Roth wrote:
Currently, we have a Postfix V2.4.5 server

That is quite old; consider upgrading to at least one of the current 2.8 branches.

with no local accounts receiving email.

We permit internal, local systems to freely use the system as a relay:

 smtpd_client_restrictions = permit_mynetworks, reject
permit_mynetworks

Is this a typo/copy-o, or is this really in your main.cf ?

 mynetworks = 127.0.0.0/8, 295.283.0.0/16, 10.0.0.0/8
  (internal subnet obviously obfuscated)

Obviously not, since those are private IP ranges and hence they do not NEED obfuscation.


In our transport_maps file:
 ourdomain.org        :
 .ourdomain.org       :
 *                       smtp:[firewall.ourdomain.org]

----
Ok, now management has asked us to restrict the flow of outbound email (i.e. to the internet) to only selected systems, based on their IP addresses.

I'm looking for a general suggestion of how I can implement this selective permit of only certain systems to have emails forwarded out to the internet, with the rest of the systems still able to send email internally via the Postfix-based mail gateway machine.

You want to selectively allow certain internal source IPs to be able to send mail to the outside world ?

smtpd_recipient_restrictions = check_client_access cidr:/etc/postfix/allow_out, reject_unauth_destination, permit

and in /etc/postfix/allow_out:

    permitted.IP              OK
    other.permitted.IP    OK
    permitted.IP/range   OK

The reject_unauth_destination check AFTER the client access check, reached when that check yielded no positive OK or REJECT, means that any other internal or external clients can only send mail to authorized destinations, i.e., recipients/domains postfix controls mail for.


BTW, there is a single network connection on the Postfix box - dual path isn't feasible at this time.

Is *sender_dependent_relayhost_maps* my proper starting point for investigation & experimentation?


Hell no, that's way too complicated.
Why do you have transport_maps at all here ?
If (.)ourdomain.org is in mydestination or virtual_mailbox_domains, it will never be sent over smtp to begin with.

--
J.
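As an added illustration (not code from the thread or from Postfix itself), a small Python model of how the two restriction lists discussed above decide relaying: the cidr table, local domains and client addresses are constructed samples, and `evaluate` is a simplified stand-in for Postfix's left-to-right restriction processing.

```python
import ipaddress

# Constructed sample data standing in for the thread's /etc/postfix/allow_out
# cidr table and for the domains this gateway accepts mail for (mydestination).
# Postfix cidr tables are searched in file order; the first match wins.
ALLOW_OUT = [("10.0.5.10/32", "OK"), ("10.0.9.0/24", "OK")]
LOCAL_DOMAINS = {"ourdomain.org"}
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]

# The original client restrictions (any mynetworks host relays anywhere) and
# the proposed recipient restrictions (only allow_out hosts relay outbound).
ORIGINAL = ["permit_mynetworks", "reject"]
PROPOSED = ["check_client_access", "reject_unauth_destination", "permit"]

def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def check_client_access(ip, table):
    """Return the table's action for the first matching cidr entry, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr, action in table:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action
    return None  # no match: fall through to the next restriction (DUNNO)

def unauth_destination(recipient):
    """True when the recipient's domain is not one this gateway is responsible for."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)

def evaluate(restrictions, client_ip, recipient):
    """Walk a restriction list left to right; the first OK/REJECT decides."""
    for r in restrictions:
        if r == "check_client_access":
            verdict = check_client_access(client_ip, ALLOW_OUT)
            if verdict in ("OK", "REJECT"):
                return verdict
        elif r == "reject_unauth_destination" and unauth_destination(recipient):
            return "REJECT"
        elif r == "permit_mynetworks" and in_any(client_ip, MYNETWORKS):
            return "OK"
        elif r == "permit":
            return "OK"
        elif r == "reject":
            return "REJECT"
    return "OK"  # Postfix permits when the list is exhausted without a decision
```

With the proposed list, an internal host outside allow_out can still deliver to ourdomain.org but is refused for external recipients, while the original list lets every mynetworks host relay anywhere.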
