On 4/5/2012 12:58 AM, Viktor Dukhovni wrote:
On Wed, Apr 04, 2012 at 03:57:00PM -0400, Eric Kimminau wrote:

My goal is to limit outbound email to only three domains. All other email
destined for any other domain should be redirected to a single, valid
internal mail box.
I take it these are *destination* (recipient) domains, not *origin*
(sender) domains.
Correct. domain1.com is the local domain, domain2 and domain3 are outside the local network and will pass through mailhost.domain1.com if they leave the local system.
It isn't working. Email to addresses outside this domain are still being
delivered.
Of course not, your configuration is trying to filter sender domains:

/etc/postfix/access:
domain1.com  OK
domain2.com  OK
domain3.com  OK
.            REDIRECT valid@email.address
Fortunately, the "." pseudo-domain is not one of the Postfix address
lookup keys, so your access list is a noop.
I considered adding several lines for TLD, such as com, org, net, etc. But, as you have said this only apparently handles inbound mail, not outbound. My assumption was that mail connecting to the MTA, regardless of source, was considered inbound.

# Sender restrictions:
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    check_recipient_access hash:/etc/postfix/access
    permit_auth_destination
    reject

# Recipient restrictions:
smtpd_recipient_restrictions =
   reject_unauth_destination
   check_sender_access hash:/etc/postfix/access
This would be a big problem if the table worked as intended.

   reject_invalid_hostname
   reject_non_fqdn_sender
   reject_non_fqdn_hostname
   reject_unknown_sender_domain
   reject_unauth_pipelining
   reject_non_fqdn_recipient
   reject_unknown_recipient_domain
   permit_mynetworks
   reject
Since this host accepts mail only from machines in mynetworks,
it is simpler to just add the desired domains to

	relay_domains = domain1.com, ...

And set:

	default_transport = error:5.1.2 Destination unreachable

You'll need that anyway, since "reject_unauth_destination" at the
top of the recipient restrictions would otherwise deny traffic
to these domains.

Your configuration shows signs of being slapped together through
multiple rounds of unsuccessful experimentation. I strongly
suggest you take the time to understand address classes and
access controls and deploy something much simpler.

Viktor,

I sincerely appreciate your response. And while I certainly also appreciate the suggestion, I need a solution implemented by Friday morning. RTFM, while it will teach me to fish, will have me losing out on the proverbial worm. It absolutely was slapped together. My postfix learning curve started about 2 hours before I sent my mail and I have about 8 hours Thursday to attempt to implement a workable solution.

I would LOVE to deploy something much simpler. If you believe that I do not need smtpd_sender_restrictions or smtpd_recipient_restrictions on a host that will never be directly reachable from the internet and is only going to be used in pre-production/development environments, I'm all for removing it.
If adding to /etc/postfix/main.cf:
relay_domains = domain1.com,domain2.com,domain3.com
default_transport = error:5.1.2 Destination unreachable

Solves my problem, this is beautifully elegant.

I'm assuming I also do not need to add the following?
local_transport   = error:5.1.2 local transport not permitted
relay_transport   = error:5.1.2 relay transport not permitted

Is there a way to also redirect any attempt to send anything to any domain other than what has been defined in relay_domains to a defined email address?

Thank you again!

Eric

-- 
Eric Kimminau
eak at kimminau dot org
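The following is an added illustration and not part of the thread or of Postfix itself: a small Python model of how Postfix decides two things for a recipient under the simplified setup Viktor describes (domain1.com in mydestination, the three domains in relay_domains, default_transport set to an error transport). First, the access-map lookup keys Postfix generates for an address (per access(5), with the default parent_domain_matches_subdomains), which shows why a "." entry never matches. Second, the address-class decision: reject_unauth_destination accepts only mydestination and relay_domains recipients, and any domain outside those classes falls through to default_transport. The domain names and recipients below are constructed sample input taken from the thread; the function names are mine.

```python
# Added example: a simplified model of Postfix access-map lookup keys
# and address-class routing for the configuration discussed above.
# This is NOT Postfix code; it only mirrors the documented behaviour.

from dataclasses import dataclass, field


@dataclass
class MailConfig:
    mydestination: set = field(default_factory=set)
    relay_domains: set = field(default_factory=set)
    default_transport: str = "smtp"


def parent_domains(domain: str) -> list:
    """Return domain and each parent domain, e.g. a.b.c -> [a.b.c, b.c, c]."""
    labels = domain.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def access_lookup_keys(address: str) -> list:
    """Keys Postfix tries, in order, for an address in an access map.

    Per access(5): full address, domain (and parent domains when
    parent_domain_matches_subdomains includes smtpd_access_maps, which
    is the default), then localpart@. A bare "." is never generated,
    which is why the thread's ". REDIRECT ..." line is a no-op.
    """
    localpart, _, domain = address.lower().rpartition("@")
    return [address.lower()] + parent_domains(domain) + [localpart + "@"]


def in_domain_class(domain: str, domains: set) -> bool:
    """True if domain or one of its parents is listed (subdomain matching)."""
    return any(d in domains for d in parent_domains(domain))


def reject_unauth_destination(recipient: str, cfg: MailConfig) -> str:
    """Verdict of reject_unauth_destination for one recipient."""
    domain = recipient.rpartition("@")[2]
    if in_domain_class(domain, cfg.mydestination) or in_domain_class(domain, cfg.relay_domains):
        return "DUNNO"  # not rejected; later restrictions decide
    return "REJECT"


def choose_transport(recipient: str, cfg: MailConfig) -> str:
    """Which transport a queued message for this recipient would use."""
    domain = recipient.rpartition("@")[2]
    if in_domain_class(domain, cfg.mydestination):
        return "local"
    if in_domain_class(domain, cfg.relay_domains):
        return "relay"  # Postfix default relay_transport
    return cfg.default_transport


# Constructed configuration mirroring Viktor's suggestion.
CFG = MailConfig(
    mydestination={"domain1.com"},
    relay_domains={"domain1.com", "domain2.com", "domain3.com"},
    default_transport="error:5.1.2 Destination unreachable",
)


def classify(recipients: list, cfg: MailConfig = CFG) -> dict:
    """Map each recipient to (smtpd verdict, transport)."""
    return {r: (reject_unauth_destination(r, cfg), choose_transport(r, cfg)) for r in recipients}


if __name__ == "__main__":
    sample = ["alice@domain1.com", "bob@mail.domain2.com", "eve@example.org"]
    for rcpt, (verdict, transport) in classify(sample).items():
        print(f"{rcpt:24} {verdict:7} {transport}")
    print("lookup keys:", access_lookup_keys("eve@sub.example.org"))
```

Note that the model keeps the two stages separate on purpose: reject_unauth_destination runs at SMTP time in smtpd, while default_transport only applies once the message is queued, so a domain outside both classes must be allowed past the recipient restrictions before the error transport can ever act on it.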
