And you are a bit wrong with IP address lookup. Yes, check_sender_access does not itself look up IPs.
But the rules I listed will effectively "expand" to the rule:
smtpd_relay_restrictions = permit_mynetworks, reject, reject_unauth_destination
for any mail having a FROM ending in <YOUR_DOMAIN> or the IP literal of your mailserver, effectively preventing anyone from using your domain as MAIL FROM, regardless of internal or external mail, if the client is not inside "mynetworks", so the IP lookups are made by the rule lookup engine.
If the FROM is "incorrect", then the relay rule "expands" to:
smtpd_relay_restrictions = reject_unauth_destination
effectively preventing *anyone* relaying, but allowing anyone to send mail that is destined for the mail server itself.
E.g., only a valid FROM is allowed to relay, in *addition* to having an acceptable client IP. So how are the rules "fragile"? Either the relay is only accepted inside "mynetworks" or it is never accepted, e.g. there's no possibility for the server to become an open relay since there's nothing in check_sender_access that would PERMIT the mail before reject_unauth_destination unless the client is inside mynetworks.

-----Original Message-----
From: Viktor Dukhovni
Sent: Monday, March 09, 2015 6:40 PM
To: postfix-users@postfix.org
Subject: Re: smtpd_relay_restrictions in Postfix 2.11.3 on openSUSE 13.2 causes mail to local domain to be rejected
On Mon, Mar 09, 2015 at 05:56:20PM +0100, Sebastian Nielsen wrote:
I would instead suggest setting the relay access to:
check_sender_access hash:/etc/postfix/relay_auth, reject_unauth_destination
where /etc/postfix/relay_auth is:
<YOUR_DOMAIN> permit_mynetworks, reject
[<EXTERNAL_IP_OF_SMTP_SERVER>] permit_mynetworks, reject
Those are NOT relay control rules, they are anti-spoofing rules at best. They do not belong in relay restrictions. Sender based rules are too fragile in relay controls. And of course nothing in Postfix will do IP address lookups with check_sender_access. Any such rules (written with more care) can instead go in smtpd_sender_restrictions.
smtpd_sender_restrictions =
    check_sender_access <some-table-for-your-domains>
    <rules for other senders>
Keep the relay restrictions *simple*, just avoid being an open relay. Other policy controls go elsewhere.
-- 
Viktor.
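The two layouts being argued over above can be checked against concrete envelopes. The following is an added, simplified model of how Postfix walks a restriction list (it is not Postfix code and not from either poster): it covers only permit_mynetworks, reject, reject_unauth_destination and check_sender_access, treats an access-table value that is not OK/REJECT/DUNNO as a nested restriction list, and runs the configured lists in the order Postfix uses at RCPT TO (sender restrictions before relay restrictions). The networks, domains, addresses and table contents are constructed stand-ins for the <YOUR_DOMAIN> and <EXTERNAL_IP_OF_SMTP_SERVER> placeholders in the thread.

```python
"""Toy model of Postfix SMTP restriction-list evaluation (constructed example).

Not Postfix code; only the restrictions discussed in the thread are modelled.
All networks, domains, addresses and table contents are made up.
"""
import ipaddress

# Assumed site settings, standing in for mynetworks and mydestination/relay_domains.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com"}

# The relay_auth table from the thread with the placeholders filled in.
# A value that is not OK/REJECT/DUNNO is a restriction list, evaluated as a nested list.
RELAY_AUTH = {
    "example.com": "permit_mynetworks, reject",
    "[203.0.113.10]": "permit_mynetworks, reject",
}


def access_lookup(table, sender):
    """Mimic the key order tried for an address in an access table:
    full address, domain, parent domains, then localpart@ (simplified)."""
    local, _, domain = sender.rpartition("@")
    keys = [sender, domain]
    if not domain.startswith("["):          # no parent-domain walk for address literals
        labels = domain.split(".")
        keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return "DUNNO"


def evaluate(restrictions, client_ip, sender, recipient):
    """Return OK, REJECT or DUNNO for one restriction list such as
    'permit_mynetworks, reject'. DUNNO means 'no decision, keep going'."""
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = recipient.rpartition("@")[2]
    for item in [r.strip() for r in restrictions.split(",") if r.strip()]:
        if item == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "OK"
        elif item == "reject":
            return "REJECT"
        elif item == "reject_unauth_destination":
            if rcpt_domain not in LOCAL_DOMAINS:
                return "REJECT"
        elif item.startswith("check_sender_access"):
            result = access_lookup(RELAY_AUTH, sender)
            if result not in ("OK", "REJECT", "DUNNO"):
                result = evaluate(result, client_ip, sender, recipient)  # nested list
            if result != "DUNNO":
                return result
        else:
            raise ValueError("unmodelled restriction: " + item)
    return "DUNNO"


def decide(policy, client_ip, sender, recipient):
    """Run each configured restriction list in turn; the first REJECT wins,
    otherwise the mail is accepted."""
    for restrictions in policy:
        if evaluate(restrictions, client_ip, sender, recipient) == "REJECT":
            return "REJECT"
    return "ACCEPT"


# Layout from the reply: sender table inside smtpd_relay_restrictions.
POLICY_COMBINED = [
    "check_sender_access hash:/etc/postfix/relay_auth, reject_unauth_destination",
]
# Layout from the quoted message: sender policy and relay control kept apart.
POLICY_SPLIT = [
    "check_sender_access hash:/etc/postfix/relay_auth",  # smtpd_sender_restrictions
    "permit_mynetworks, reject_unauth_destination",      # smtpd_relay_restrictions
]

# Constructed envelopes: (client IP, MAIL FROM, RCPT TO)
ENVELOPES = [
    ("192.0.2.5", "alice@example.com", "bob@other.org"),       # client inside mynetworks
    ("198.51.100.7", "alice@example.com", "bob@other.org"),    # outside client, own domain as sender
    ("198.51.100.7", "alice@example.com", "bob@example.com"),  # same, but local recipient
    ("198.51.100.7", "carol@other.org", "bob@example.com"),    # ordinary inbound mail
    ("198.51.100.7", "carol@other.org", "bob@third.org"),      # relay attempt from outside
]


def compare():
    """Decision of both layouts for every envelope, as (combined, split) pairs."""
    return [(decide(POLICY_COMBINED, *env), decide(POLICY_SPLIT, *env)) for env in ENVELOPES]


if __name__ == "__main__":
    for env, (a, b) in zip(ENVELOPES, compare()):
        print(f"{env[0]:>13} {env[1]:>18} -> {env[2]:<16} combined={a:<7} split={b}")
```

For these five envelopes both layouts reach the same decision; the difference is only in which restriction list carries the sender policy, which is what the quoted message is about.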