On 28.05.2013 20:21, Viktor Dukhovni wrote:
> On Tue, May 28, 2013 at 07:09:43PM +0200, Chris wrote:
>
>>> The check_sender_access restriction below triggers the lookup to catch the
>>> sender:
>>>
>>> smtpd_recipient_restrictions =
>>>     ...
>>>     check_sender_access hash:/etc/postfix/internal_senders
>>>     permit_mynetworks
>>>     reject_unauth_destination
>>>     ...
> Sender checks before "reject_unauth_destination" in recipient
> restrictions are risky. Too easy to become an open relay. Better
> to use sender restrictions.
>
>     smtpd_sender_restrictions =
>         permit_auth_destination,
>         check_sender_access hash:/etc/postfix/internal_senders
>
> The internal_senders will be listed with a "REJECT" action. Another
> variant is a white-list:
>
>     smtpd_sender_restrictions =
>         check_sender_access hash:/etc/postfix/external_senders,
>         reject_unauth_destination
>
> Here you list senders allowed to send out with an "OK" action.
>

Hi list,

thanks everyone for your answer!

The first alternative solution by Viktor seems the best at first glance, because it makes sure the sender is authenticated. The second is not an option for me, because I don't want to define by hand a white-list of around 50 users (it can grow to 200 in a few months), and other people besides me can define new accounts.

My "smtpd_sender_restrictions" looks like this:

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_sender_login_mismatch

so where will I put the rule? Is "permit_auth_destination" also required before the "check_sender_access"?

How will I define the table "internal_senders" exactly? Like:

f...@mydomain.com REJECT

Also, if I do that, will the 2 addresses be able to send to all internal domains or only to the same domain they're in (I'm trying to accomplish the second one actually)?

Thank you!
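
An added example, not part of the original thread and not code from the Postfix project: a small check that flags the ordering the quoted reply calls risky, a check_sender_access lookup placed before reject_unauth_destination in smtpd_recipient_restrictions. The function names and the sample main.cf text are constructed for illustration, and the parser is a simplification that does not expand $parameter references.

```python
import re

# Constructed main.cf fragment, modelled on the restrictions quoted in the
# thread (the "..." placeholders are left out).
SAMPLE_MAIN_CF = """\
# constructed sample
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/internal_senders
    permit_mynetworks
    reject_unauth_destination
smtpd_sender_restrictions =
    permit_auth_destination,
    check_sender_access hash:/etc/postfix/internal_senders
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines (leading whitespace)."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value  # a later definition replaces an earlier one
    return params

def risky_sender_checks(text):
    """List the check_sender_access tables that smtpd_recipient_restrictions
    consults before it reaches reject_unauth_destination."""
    value = parse_main_cf(text).get("smtpd_recipient_restrictions", "")
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    found = []
    for i, token in enumerate(tokens):
        if token == "reject_unauth_destination":
            break
        if token == "check_sender_access" and i + 1 < len(tokens):
            found.append(tokens[i + 1])
    return found  # with no relay check in the list, every lookup is reported

if __name__ == "__main__":
    for table in risky_sender_checks(SAMPLE_MAIN_CF):
        print("sender lookup before reject_unauth_destination:", table)
```
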