On 27 Dec 2015, at 22:48, Alex wrote:
> Hopefully the smtpd_sender_restrictions I posted above is correct, but I will also have to either add the IPs to mynetworks or duplicate the check_sender_access map in smtpd_recipient_restrictions to avoid being rejected in the RBLs there, correct?
If you are not willing to put the IPs in mynetworks, I would still urge you to NOT use check_sender_access to whitelist sources that you can identify purely by IP or reliably resolvable domain name (i.e. "client" identities). It's trivial to forge a sender address and you should avoid extending trust based on such a weak identification. On the other hand, it is a complex trick to hijack an IP address for a TCP-based protocol like SMTP or hijack/spoof DNS for a client hostname that Postfix would deem valid. So a check_client_access map dedicated solely to protecting those servers from DNSBLs would be a better choice in smtpd_recipient_restrictions.
> smtpd_recipient_restrictions =
>     [...]
>     check_sender_access hash:/etc/postfix/sender_access,
>     reject_unauth_destination,
In any case, those two should never be in that order if the check_sender_access map has any OK actions.
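
Added example, not part of the original message: a small lint that reads main.cf text and reports any access-map check evaluated before the relay guard in smtpd_recipient_restrictions, the ordering warned about above. The sample configurations, table paths and DNSBL zone are constructed placeholders, and the lint assumes relay control lives in smtpd_recipient_restrictions (it does not look at smtpd_relay_restrictions).

```python
import re

# Restrictions whose lookup table can return OK and end evaluation early.
ACCESS_CHECKS = {"check_sender_access", "check_client_access",
                 "check_helo_access", "check_recipient_access"}
# Restrictions that refuse mail for destinations this server does not serve.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

def get_restrictions(main_cf, name="smtpd_recipient_restrictions"):
    """Return [(restriction, table-or-None), ...] for parameter `name`."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if line[0] in " \t" and logical:  # leading whitespace continues a line
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    value = ""
    for entry in logical:
        key, sep, val = entry.partition("=")
        if sep and key.strip() == name:
            value = val                   # the last definition wins
    items = []
    for tok in filter(None, re.split(r"[,\s]+", value.strip())):
        if items and items[-1][0] in ACCESS_CHECKS and items[-1][1] is None:
            items[-1] = (items[-1][0], tok)   # attach the table to its check
        else:
            items.append((tok, None))
    return items

def early_ok_risks(main_cf):
    """Access checks that run before the first relay guard (OK would skip it)."""
    risks = []
    for name, table in get_restrictions(main_cf):
        if name in RELAY_GUARDS:
            break
        if name in ACCESS_CHECKS:
            risks.append((name, table))
    return risks

# Constructed sample: the ordering discussed in the message above.
RISKY = ("smtpd_recipient_restrictions =\n    permit_mynetworks,\n"
         "    check_sender_access hash:/etc/postfix/sender_access,\n"
         "    reject_unauth_destination,\n    reject_rbl_client dnsbl.example.org\n")
# Constructed sample: DNSBL exemption keyed on client IP, after the relay guard.
SAFER = ("smtpd_recipient_restrictions =\n    permit_mynetworks,\n"
         "    reject_unauth_destination,\n"
         "    check_client_access cidr:/etc/postfix/dnsbl_exempt.cidr,\n"
         "    reject_rbl_client dnsbl.example.org\n")
```

A non-empty result from `early_ok_risks` means the listed table should be audited for OK actions or the check moved below the relay guard.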