THANKS!
Works EXCELLENTLY. Did fine-tune it a little bit, but then it works
excellently now.
smtpd_relay_restrictions = check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_unauth_pipelining,
    check_sender_access hash:/etc/postfix/access, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access
mynetworks = 127.0.0.0/8 192.168.0.0/16

/etc/postfix/access:
sebbe.eu permit_mynetworks, reject
This causes the "sebbe.eu" sender domain to be only available to
"mynetworks" regardless of in relaying or delivery context. (since "reject"
will also reject permitted destinations)
And on top of that, this also makes it impossible for a sender on
"mynetworks" to relay using a sender address not ending in @sebbe.eu.
Also, this makes it impossible for a sender outside of "mynetworks" to relay
using a spoofed FROM address.
EXACTLY as I wanted!
(On top of that: I never use SASL/SMTP authentication for obvious security
reasons - a leaked password can be used for spamming. Easier to just
restrict it to "users behind the firewall" and then there's no authentication
to hack)
-----Original Message-----
From: Viktor Dukhovni
Sent: Wednesday, May 07, 2014 4:34 PM
To: [email protected]
Subject: Re: SV: Re: Configure postfix to reject forged mail?
On Wed, May 07, 2014 at 10:28:46AM -0400, Wietse Venema wrote:
Sebastian Nielsen:
> I want to reject senders, that are relaying, using a domain not
> on an approved list. e.g. all sender domains that aren't @sebbe.eu
> but are relaying, should be rejected.
Postfix restrictions are not a Turing-complete access control
language. For complex policies use a policy plug-in such as
postfwd. http://www.postfwd.org/
But in this case there is a simpler solution:
main.cf:
    indexed = ${default_database_type}:${config_directory}/
    smtpd_sender_restrictions =
        check_sender_access ${indexed}relay-sender-check,
        reject_unauth_destination
relay-sender-check:
    sebbe.eu permit_mynetworks, permit_sasl_authenticated
--
Viktor.
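
Added example, not written by anyone in this thread and not Postfix code: a simplified Python model of how the three restriction lists and the access table from the first message combine, so the stated outcomes can be checked case by case. Assumptions: sebbe.eu is a local destination (LOCAL_DOMAINS), the client IPs and addresses are constructed samples, lookups are exact-domain only, and the DNS and pipelining checks are left out.

```python
import ipaddress

# Values from the message above.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
ACCESS = {"sebbe.eu": ["permit_mynetworks", "reject"]}  # /etc/postfix/access
LISTS = [  # evaluated sender, relay, recipient; DNS/pipelining checks omitted
    ("sender", ["check_sender_access"]),
    ("relay", ["check_sender_access", "reject_unauth_destination"]),
    ("recipient", ["check_sender_access", "reject_unauth_destination"]),
]
LOCAL_DOMAINS = {"sebbe.eu"}  # assumption: sebbe.eu is a final destination here


def step(name, client, sender, rcpt, access):
    """Return 'PERMIT', 'REJECT' or 'DUNNO' for one restriction."""
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(client)
        return "PERMIT" if any(ip in n for n in MYNETWORKS) else "DUNNO"
    if name == "reject":
        return "REJECT"
    if name == "reject_unauth_destination":
        local = rcpt.rsplit("@", 1)[1].lower() in LOCAL_DOMAINS
        return "DUNNO" if local else "REJECT"
    if name == "check_sender_access":
        # Looks up the envelope sender (MAIL FROM), not the From: header.
        for action in access.get(sender.rsplit("@", 1)[1].lower(), []):
            verdict = step(action, client, sender, rcpt, access)
            if verdict != "DUNNO":
                return verdict
        return "DUNNO"
    raise ValueError(name)


def evaluate(client, sender, rcpt, access=ACCESS):
    """First decisive result ends a list; PERMIT moves on, REJECT is final."""
    for list_name, restrictions in LISTS:
        for name in restrictions:
            verdict = step(name, client, sender, rcpt, access)
            if verdict == "REJECT":
                return f"REJECT ({list_name}: {name})"
            if verdict == "PERMIT":
                break
    return "ACCEPT"


if __name__ == "__main__":
    for case in [("192.168.1.10", "a@sebbe.eu", "x@example.org"),
                 ("203.0.113.5", "a@sebbe.eu", "b@sebbe.eu")]:
        print(case, "->", evaluate(*case))
```

Passing an access table without the trailing "reject" shows why it matters: an outside client using a sebbe.eu envelope sender to a local recipient is then accepted.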