On Fri, Oct 25, 2013 at 04:07:11PM -0400, Charles Marcus wrote:

> But should this check go directly on the submission service, ie:
>
> submission inet n - n - - smtpd
>   -o syslog_name=postfix-587 -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_auth_only=yes
>   -o
> smtpd_client_restrictions=check_client_access,${cidr}/blocked_clients.cidr,permit_sasl_authenticated,reject
>
> (Is that right? Use a comma instead of a space between
> check_client_access and the map?)

You've been on this list long enough to know that verbatim
restriction definitions don't belong in master.cf:

    master.cf:
	submission inet n ... smtpd
	    -o smtpd_client_restrictions=$submission_client_restrictions

    main.cf:
	submission_client_restrictions =
	    check_client_access ${cidr}/submission_clients.cidr,
	    permit_sasl_authenticated,
	    permit_mynetworks
	    reject

> or in the relay_restrictions, ie:
>
> [ smtpd_relay_restrictions = ]
> check_client_access ${cidr}/blocked_clients.cidr,
> permit_sasl_authenticated, permit_mynetworks,
> reject_unauth_destination

This would block all mail from the clients in question, not just
submission. Also you don't even want Linked machines that hijack
submission on port 25 sending mail that is not relay mail (inbound
to your organization). So you really need to not use port 25 for
submission.

--
Viktor.
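
Added example, not part of the original message and not Postfix code: a simplified Python model of restriction-list evaluation that compares the two placements discussed above (client check on the submission service only, versus in the shared relay restrictions). The table entry, addresses, domains and the relay list without the client check are constructed assumptions.

```python
import ipaddress

CIDR_TABLE = [("192.0.2.0/24", "REJECT")]  # constructed stand-in for the .cidr map
LOCAL = {"example.org"}  # assumed: domains this server is final destination for

def check_client_access(s):
    # cidr tables are searched in file order; the first matching pattern wins.
    for net, action in CIDR_TABLE:
        if ipaddress.ip_address(s["client"]) in ipaddress.ip_network(net):
            return action
    return "DUNNO"

RESTRICTIONS = {
    "check_client_access": check_client_access,
    "permit_sasl_authenticated": lambda s: "OK" if s["sasl"] else "DUNNO",
    "permit_mynetworks": lambda s: "OK" if s["mynet"] else "DUNNO",
    "reject_unauth_destination": lambda s: "DUNNO" if s["rcpt"].rsplit("@", 1)[1] in LOCAL else "REJECT",
    "reject": lambda s: "REJECT",
}

def evaluate(lists, s):
    """A list stops at its first OK or REJECT; REJECT in any list refuses the mail."""
    for names in lists:
        for name in names:
            result = RESTRICTIONS[name](s)
            if result == "REJECT":
                return "REJECT"
            if result == "OK":
                break
    return "ACCEPT"

SUBMISSION = ["check_client_access", "permit_sasl_authenticated", "permit_mynetworks", "reject"]
RELAY = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
RELAY_WITH_BLOCK = ["check_client_access"] + RELAY  # the quoted alternative

def demo():
    listed = dict(client="192.0.2.10", sasl=True, mynet=False, rcpt="peer@example.net")
    inbound = dict(client="192.0.2.10", sasl=False, mynet=False, rcpt="user@example.org")
    unlisted = dict(client="198.51.100.7", sasl=True, mynet=False, rcpt="peer@example.net")
    return {
        "587 listed": evaluate([SUBMISSION, RELAY], listed),
        "587 unlisted": evaluate([SUBMISSION, RELAY], unlisted),
        "25 inbound, check on submission only": evaluate([RELAY], inbound),
        "25 inbound, check in relay list": evaluate([RELAY_WITH_BLOCK], inbound),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```
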