On 12/10/2015 9:17 PM, Alex wrote:
>> In that case, rather than using permit_mynetworks you should use a
>> separate check_client_access that permits all the authorized IPs.
>>
>> Make sure to do this in smtpd_sender_restrictions so that settings
>> here don't affect relay rules.
>
> So where I previously had permit_mynetworks and a check_sender_access
> check for my domain in smtpd_sender_restrictions, I should do
> something like:
>
> smtpd_sender_restrictions =
>     check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf
>     check_client_access hash:/etc/postfix/spf_client_checks,
>     reject_unknown_sender_domain
That's backwards... remember the first match wins. First
check_client_access to OK authorized IPs, then check_sender_access to
reject any other IP that uses your sender address. The
check_client_access replaces permit_mynetworks.

I should point out that it's likely you'll lose some small but non-zero
amount of legit mail -- poorly configured but legit mail lists, online
responders such as reservation systems, newspaper "send me an article"
services, and stuff like that. It used to be surprisingly common for
these services to use the recipient as the envelope sender. It's
thankfully less common now, but not zero yet.

> that sounds like it has the potential to cause problems with keeping
> up with changing IP addresses.

Yes, absolutely one more thing to keep up with. The alternative is to
use a postfix policy service that enforces SPF, or do it later in
SpamAssassin. I think someone on sa-users already showed how to
poison-pill your own domain without rejecting all domains SPF_FAIL.

>>> Maybe it could be set up as an amavisd $policy_bank to skip filtering?
>>
>> Yes, you could skip filtering for mail arriving from "trusted" IPs.
>
> That would also involve keeping up with the list of all IPs in the SPF
> record, correct?

Yes, of course. I suppose this could be scripted/automated without too
much trouble. There's sample perl code lying around to parse SPF
records.

> Would I then not be able to use the check_sender_access to reject mail
> coming as my domain from unauthorized servers?

Pick one way to deal with forged mail. Either reject in postfix or tag
in SpamAssassin. You can't do both; neither is inherently better. Use
what suits your needs and expectations.

  -- Noel Jones
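The two points Noel makes above (check_client_access must come before check_sender_access because the first matching restriction wins, and the list of authorized IPs can be generated from the SPF record) can be tied together with a small script. The following is an added example, not code from this thread or from the Postfix project: it parses the ip4/ip6 mechanisms of an SPF record string into a Postfix cidr_table(5) access map that grants OK to the authorized networks, and reports the mechanisms (include, a, mx) that would need DNS resolution. The domain example.com, the SPF record, and the file paths /etc/postfix/spf_clients and /etc/postfix/sender_access are all constructed for the example. A cidr: table is used instead of the hash: table in Alex's draft because hash tables cannot express CIDR network ranges.

```python
"""Build a Postfix check_client_access table from an SPF record (example code).

Where the generated table plugs in (assumed paths), in the order Noel
describes, authorized clients first, then the forged-sender reject:

    smtpd_sender_restrictions =
        check_client_access cidr:/etc/postfix/spf_clients
        check_sender_access hash:/etc/postfix/sender_access
        reject_unknown_sender_domain

with /etc/postfix/sender_access containing:

    example.com    REJECT sender domain not allowed from this client
"""
import ipaddress

# Constructed sample SPF record for example.com; not a real DNS record.
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 "
              "ip6:2001:db8::/32 include:_spf.example.net -all")

# Mechanisms that require DNS lookups and so cannot be expanded offline.
NEEDS_DNS = ("include:", "a", "mx", "exists:", "redirect=", "ptr")


def spf_networks(record):
    """Return (networks, unresolved) for an SPF record string.

    networks   : ip_network objects from '+'-qualified ip4/ip6 mechanisms
                 (the only ones that PASS without a DNS lookup)
    unresolved : mechanisms that need DNS resolution before they can be
                 turned into client networks
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")

    networks = []
    unresolved = []
    for term in terms[1:]:
        # Qualifier: '+' (pass, default), '-' (fail), '~' (softfail), '?' (neutral).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        if body.lower() == "all":
            continue  # the catch-all says nothing about specific clients
        if qualifier != "+":
            continue  # only PASS mechanisms authorize a client to send
        if body.lower().startswith(("ip4:", "ip6:")):
            # strict=False tolerates host bits set in the record's network.
            networks.append(ipaddress.ip_network(body.split(":", 1)[1], strict=False))
        elif body.lower().startswith(NEEDS_DNS):
            unresolved.append(body)
        else:
            unresolved.append(body)  # unknown mechanism; surface it for review
    return networks, unresolved


def access_table(networks):
    """Render cidr_table(5) lines: one 'network OK' entry per authorized network."""
    return "\n".join(f"{net.with_prefixlen}\tOK" for net in networks) + "\n"


if __name__ == "__main__":
    nets, todo = spf_networks(SAMPLE_SPF)
    print(access_table(nets), end="")
    for mech in todo:
        print(f"# needs DNS resolution before it can be added: {mech}")
```

Run the script and write its output to /etc/postfix/spf_clients; cidr: tables are read directly, so no postmap step is needed, but the unresolved include: mechanisms must still be expanded (and the whole table regenerated whenever the SPF record changes, which is the maintenance burden Noel warns about).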