On 11/24/2014 3:35 PM, Ing. Jorge E. Rojas wrote:
> hello guys
>
> after a tedious and unsuccessful search in the archive list, a lot
> of documents and notes stored with the years in my hdd and old
> (paper) notebooks besides a lot of searches in internet i must
> surrender to the fact that i can do this without help
>
> i must prepare a postfix server with some specific requirements,
> the 2 with trouble are:
> - only the boss and sales people cant send/receive from outside ,
> the other employees are allowed email only inside the company
> - SPF must be checked
>
> is really easy fulfill any of them separately but no matter what i
> have done, they don't work the way i need with both of them, this 2
> can easily be implemented very easily with postfwd and
> postfix-policyd-spf [perl or python version]
>
> is possible use two lines with check_policy_service without going
> in open-relay condition ?
> somebody can help me ?
>
> this is the last config tested
>
>
> the postfwd.cf (relevant parts)
>
> id=rule-011 ; sender_domain=this_office.company.tld ; client_address
> = !! 192.168.169.0/24 ; action=REJECT Not in my name please
> id=rule-020 ; sender_domain= company.tld ;
> recipient_domain=this_office.company.tld ; action=OK
> id=rule-021 ; recipient_domain=company.tld;
> sender_domain=this_office.company.tld ; action=OK
> id=rule-031 ; sender== salesmen1@this_office.company.tld; action=OK
> id=rule-032 ; recipient==salesmen1@this_office.company.tld; action=OK
> ....
> #the same for the others salesman and the boss
>
> id=rule-800 ; sender_domain=this_office.company.tld ;
> recipient_domain==!!(.office.company.tld) ; action=REJECT
> id=rule-801 ; recipient_domain=this_office.company.tld ;
> sender_domain==!!(.office.company.tld) ; action=REJECT
>
>
> i must insert the postfwd check ( check_policy_service
> inet:127.0.0.1:10040 ) but where ?
>
> from main.cf
>
> mynetworks = 127.0.0.1/8
> .....
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_unlisted_recipient,
> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/access,
> check_policy_service unix:private/policy-spf
>
> i'm aware of the existence of other ways for implement the
> restriction on sender/recipient and have tried some but fails the
> same for what is needed.
>

Yes, you can use two check_policy_service statements, but you shouldn't need to. Check the postfwd docs (or ask on the postfwd user list) about chaining policies so you can check both the sender and SPF with one lookup.

You'll probably have better results if you put your check_policy_service as the FIRST check in smtpd_sender_restrictions, because it will need to be checked before permit_mynetworks or permit_sasl_authenticated.

# main.cf
smtpd_sender_restrictions =
  check_policy_service unix:/private/postfwd

Alternately, you can use restriction classes to restrict external mail access. An example can be found here:
http://www.postfix.org/RESTRICTION_CLASS_README.html

  -- Noel Jones
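
Added example, not part of the original thread and not postfwd's own code: the decision a policy service behind check_policy_service could make for the requirement discussed above, written against the Postfix policy delegation protocol (name=value request lines, an `action=` reply). It answers only REJECT or DUNNO, never OK, so later restrictions such as reject_unauth_destination and the SPF policy service are still evaluated. Assumptions: the allowed-mailbox list, the boss address, the function names, and treating company.tld and its subdomains as internal.

```python
# Added example: decision logic for a Postfix policy service (the protocol
# behind check_policy_service). Names and addresses are assumptions.
COMPANY_DOMAIN = "company.tld"  # placeholder domain used in the post
# Constructed list: mailboxes allowed to exchange mail with the outside.
EXTERNAL_ALLOWED = {
    "boss@this_office.company.tld",
    "salesmen1@this_office.company.tld",
}

def parse_request(text):
    """Parse one request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def is_internal(addr):
    domain = addr.rpartition("@")[2].lower()
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)

def decide(attrs):
    """Return REJECT or DUNNO, never OK, so that later restrictions
    (reject_unauth_destination, the SPF policy service) are still evaluated."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    rcpt = attrs.get("recipient", "").lower()
    if is_internal(sender) and is_internal(rcpt):
        return "DUNNO"  # internal mail is open to every employee
    if is_internal(sender) and sender not in EXTERNAL_ALLOWED:
        return "REJECT Sender is limited to internal mail"
    if is_internal(rcpt) and rcpt not in EXTERNAL_ALLOWED:
        return "REJECT Recipient is limited to internal mail"
    return "DUNNO"

def respond(text):
    """Build the reply Postfix expects: one action line plus an empty line."""
    return "action=" + decide(parse_request(text)) + "\n\n"

# Constructed sample request, as Postfix would send it at RCPT TO.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "sender=clerk@this_office.company.tld\n"
          "recipient=someone@example.org\nclient_address=192.168.169.10\n\n")

if __name__ == "__main__":
    print(respond(SAMPLE), end="")
```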