On Wed, Jan 23, 2013 at 1:31 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:

> On 1/23/2013 10:21 AM, Tom Tucker wrote:
> >
> > Stan,
> > Thanks for the response.  This does work, however these clients are
> > also able to send to domains outside my environment.  Let me try to
> > clarify my scenario.
> >
> > Client: With PTR record = Full relay (internal & external domains)
> > Client: No PTR record   = Relay for internal domains only
> >
> > Is it possible to configure Postfix to support this type of configuration?
> >
> >
>
>
> Apparently you want to use the existence of PTR in your local
> networks to determine if the client can relay.
>
> If the authorized clients with PTR also have a matching A record so
> that postfix logs them, e.g. "host.example.com", you can use something
> like:
>

Not exactly, clients with a valid PTR should be allowed to relay regardless
of the destination.  Clients without a PTR will be restricted to internal
delivery only.  I guess I should have mentioned this earlier: these Postfix
relays do NOT receive emails from the Internet.  The majority of the mail
traffic they process is from the web environment to our various external
customers.


You mentioned that "The above disables all your UCE controls."  You say
this because of the order of the rules, right?

I'm still wrapping my head around this, but this config seems to be
working.  Again, I welcome any comments you might have.

smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/relay_domains
        reject_unknown_reverse_client_hostname
        reject_unknown_recipient_domain
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        check_relay_domains


> # client_relay
> example.com  OK
>
>
> # main.cf
> 1 smtpd_recipient_restrictions =
> 2   check_client_access hash:/etc/postfix/client_relay
> 3   reject_unauth_destination
> 4   permit_mynetworks
>     ... other UCE controls ...
>
>
> Line 2 grants relay access to clients that have FCrDNS in your
> domain "example.com"
>
> Line 3 denies relay access to anyone else
>
> Line 4 allows all clients in $mynetworks to send local mail prior to
> your UCE restrictions.
>
>
>
>
>
>
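
The evaluation order described for lines 2-4 of the quoted main.cf, as an added example that is not part of the original thread: a simplified Python model of first-match restriction evaluation, not Postfix's own code. The `INTERNAL` set, the `MYNETWORKS` range, the sample clients and the `customer.example` recipient are constructed assumptions.

```python
import ipaddress

# Simplified model of smtpd restriction evaluation (not Postfix source code):
# rules run in order, the first OK or REJECT decides, DUNNO falls through.
CLIENT_RELAY = {"example.com": "OK"}             # client_relay table from the message
INTERNAL = {"example.com"}                       # constructed: domains the relay accepts mail for
MYNETWORKS = ipaddress.ip_network("10.0.0.0/8")  # constructed stand-in for $mynetworks

def check_client_access(client, rcpt):
    # Look up the verified (FCrDNS) client name, then each parent domain.
    name = client["name"]  # None models a client with no usable PTR
    while name:
        if name in CLIENT_RELAY:
            return CLIENT_RELAY[name]
        name = name.partition(".")[2]
    return "DUNNO"

def reject_unauth_destination(client, rcpt):
    # Reject unless the recipient domain is one the relay is responsible for.
    return "DUNNO" if rcpt.rpartition("@")[2] in INTERNAL else "REJECT"

def permit_mynetworks(client, rcpt):
    return "OK" if ipaddress.ip_address(client["ip"]) in MYNETWORKS else "DUNNO"

def evaluate(rules, client, rcpt):
    """Return (decision, name of the rule that decided)."""
    for rule in rules:
        result = rule(client, rcpt)
        if result != "DUNNO":
            return result, rule.__name__
    return "OK", "end of list"

# Lines 2-4 of the quoted main.cf, in the same order.
QUOTED_ORDER = [check_client_access, reject_unauth_destination, permit_mynetworks]

# Constructed sample clients: one with FCrDNS under example.com, one without PTR.
WITH_PTR = {"ip": "10.0.0.5", "name": "web1.example.com"}
NO_PTR = {"ip": "10.0.0.9", "name": None}

if __name__ == "__main__":
    for client in (WITH_PTR, NO_PTR):
        for rcpt in ("user@example.com", "user@customer.example"):
            print(client["name"], rcpt, evaluate(QUOTED_ORDER, client, rcpt))
```

Because the first OK ends the list, a `check_client_access` match or a `permit_mynetworks` match returns before any restriction listed after it is consulted.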
