On 5/30/2013 6:39 AM, Feel Zhou wrote:
> Hello, my friend
>
> This is Tom, I'm sending my greetings from China.
> I have used Postfix for a few months. My customer sends mail via my mail
> server, so some IPs are in the mynetworks setting. For example,
> my_customer_server_ip is permitted to send mail via my server. But there is
> something serious with my Postfix server.
>
> The correct log looks like this:
> May 30 08:09:01 [my_customer_server_ip] [my_customer_client_ip] <user@mycustomer.domain> -> <some...@example.com>,
>
> The wrong log looks like this (hotmail.com, yahoo.com are the examples):
> May 29 18:05:35 , [my_customer_server_ip] [other_ip] <any...@hotmail.com> -> <some...@example.com>,
> May 29 16:05:37 , [my_customer_server_ip] [other_ip] <any...@yahoo.com> -> <some...@example.com>,
>
> any...@hotmail.com, any...@yahoo.com, etc. may be real addresses in the
> internet mail system, but they are not real mail accounts in my customer's
> mail system.
>
> My purpose is to permit my_customer_ip to send mail via my mail server,
> to permit only my customer's domain addresses to send mail, and to reject
> any other domain sending mail via my_customer_ip. How can I set this in my
> Postfix?
>
> Thanks a lot
> Tom
>
[please don't top-post, please post plain-text only. thanks.]

Yes, restriction classes are the solution. First use a check_client_access map to see if the IP matches one of your clients, chain that to a check_sender_access map that only allows the proper sender domain.

General instructions are here:
http://www.postfix.org/RESTRICTION_CLASS_README.html
adapt the examples to your use.

Alternately, you could use a policy service such as postfwd.
http://www.postfix.org/SMTPD_POLICY_README.html
http://postfwd.org/

In any case, the check must be done in smtpd_sender_restrictions to prevent open relay accidents, and before permit_mynetworks.

-- Noel Jones
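
The policy-service alternative mentioned in the reply, sketched as an added example (not code from this thread, from Postfix, or from postfwd): a small delegate that speaks the name=value request format of SMTPD_POLICY_README and ties each customer relay IP to its permitted sender domains. The address 192.0.2.10 and the `ALLOWED` table are constructed placeholders, and the delegate is assumed to be called through `check_policy_service` in smtpd_sender_restrictions, ahead of permit_mynetworks.

```python
import ipaddress
import sys

# Constructed sample data: relay client network -> sender domains it may use.
ALLOWED = {"192.0.2.10/32": {"mycustomer.domain"}}

def parse_request(text):
    """Parse one request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, allowed=ALLOWED):
    """Return the Postfix action for one request."""
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"  # no usable client address: leave it to later restrictions
    for net, domains in allowed.items():
        if client in ipaddress.ip_network(net):
            # An empty sender (bounce) has no domain and is rejected as well.
            _, at, domain = attrs.get("sender", "").rpartition("@")
            if at and domain.lower() in domains:
                return "DUNNO"  # proper domain: permit_mynetworks decides next
            return "REJECT sender domain not permitted for this client"
    return "DUNNO"  # not a listed customer IP

def respond(text):
    """Build the reply Postfix expects: one action line plus an empty line."""
    return "action=%s\n\n" % decide(parse_request(text))

def main():
    lines = []
    for raw in sys.stdin:  # requests arrive back to back on one connection
        line = raw.rstrip("\r\n")
        if line:
            lines.append(line)
            continue
        sys.stdout.write(respond("\n".join(lines)))
        sys.stdout.flush()
        lines = []

if __name__ == "__main__":
    main()
```

Returning DUNNO rather than OK for a matching sender keeps the remaining restrictions in force, so the delegate can only narrow what a listed IP may send, never widen relay access.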