Hi,

On Mon, Dec 28, 2015 at 12:17 AM, Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:
> On 27 Dec 2015, at 22:48, Alex wrote:
>
>> Hopefully the smtpd_sender_restrictions I posted above is correct, but
>> I will also have to either add the IPs to mynetworks or duplicate the
>> check_sender_access map in smtpd_recipient_restrictions to avoid being
>> rejected in the RBLs there, correct?
>
> If you are not willing to put the IPs in mynetworks, I would still urge you
> to NOT use check_sender_access to whitelist sources that you can identify
> purely by IP or reliably resolvable domain name (i.e. "client" identities).
> It's trivial to forge a sender address and you should avoid extending trust
> based on such a weak identification. On the other hand, it is a complex
> trick to hijack an IP address for a TCP-based protocol like SMTP or
> hijack/spoof DNS for a client hostname that Postfix would deem valid. So a
> check_client_access map dedicated solely to protecting those servers from
> DNSBLs would be a better choice in smtpd_recipient_restrictions.
I didn't previously explain that there is one host that I know for sure
doesn't resolve. It wasn't so much that I didn't want to add the IPs to
mynetworks. I also really wanted to learn how the sender maps worked. I
thought of the mynetworks solution as an "all access pass", but now I
understand why it's more secure than the sender maps.

>> smtpd_recipient_restrictions =
>
> [...]
>>
>>         check_sender_access hash:/etc/postfix/sender_access,
>>         reject_unauth_destination,
>
> In any case, those two should never be in that order if the
> check_sender_access map has any OK actions.

Thanks so much for your help.
Alex
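The two points Bill makes (a sender-keyed OK is forgeable, and an OK placed before reject_unauth_destination turns the server into a relay for anyone who forges that sender) can be seen in a small model of how a Postfix restriction list is walked. This is an added illustration, not Postfix code and not anything from the thread; the restriction semantics are reduced to "first OK or REJECT wins, DUNNO falls through, empty end of list permits", and every IP, domain and map entry below is constructed for the example.

```python
"""Toy model of Postfix smtpd_recipient_restrictions evaluation.

Simplified, not Postfix's real code: each restriction returns "OK",
"REJECT" or None (DUNNO); the list stops at the first OK/REJECT.
"""
from dataclasses import dataclass


@dataclass
class Session:
    client_ip: str   # connecting client address
    sender: str      # MAIL FROM, trivially forgeable
    recipient: str   # RCPT TO


# Constructed data for the example.
MY_DOMAINS = {"example.com"}                 # assumed: domains we accept mail for
DNSBL_LISTED = {"203.0.113.7", "203.0.113.9"}  # constructed: IPs a DNSBL would list
SENDER_ACCESS = {"partner.example": "OK"}    # hypothetical check_sender_access map
CLIENT_ACCESS = {"203.0.113.7": "OK"}        # hypothetical check_client_access map


def check_sender_access(s: Session):
    # Keyed on the envelope sender domain: anyone can claim this.
    return SENDER_ACCESS.get(s.sender.rsplit("@", 1)[-1])


def check_client_access(s: Session):
    # Keyed on the client IP: hard to forge over TCP.
    return CLIENT_ACCESS.get(s.client_ip)


def reject_unauth_destination(s: Session):
    # Reject relaying to domains we are not responsible for.
    return None if s.recipient.rsplit("@", 1)[-1] in MY_DOMAINS else "REJECT"


def reject_rbl_client(s: Session):
    return "REJECT" if s.client_ip in DNSBL_LISTED else None


def evaluate(restrictions, s: Session) -> str:
    """Walk the list in order; first OK/REJECT decides, else implicit permit."""
    for restriction in restrictions:
        verdict = restriction(s)
        if verdict in ("OK", "REJECT"):
            return verdict
    return "OK"


# The ordering from the thread: an OK in the sender map precedes the relay check.
SENDER_MAP_FIRST = [check_sender_access, reject_unauth_destination, reject_rbl_client]

# Relay check first, then a client-keyed exemption that only shields partner
# IPs from the DNSBL lookup, as suggested in the reply.
CLIENT_MAP_AFTER_RELAY_CHECK = [reject_unauth_destination, check_client_access, reject_rbl_client]

# Constructed sessions.
FORGED_RELAY = Session("198.51.100.5", "ceo@partner.example", "victim@elsewhere.test")
PARTNER_LISTED = Session("203.0.113.7", "ops@partner.example", "alex@example.com")
STRANGER_LISTED = Session("203.0.113.9", "ops@partner.example", "alex@example.com")


def verdicts() -> dict:
    return {
        "sender_map_first/forged_relay": evaluate(SENDER_MAP_FIRST, FORGED_RELAY),
        "sender_map_first/stranger_listed": evaluate(SENDER_MAP_FIRST, STRANGER_LISTED),
        "client_map/forged_relay": evaluate(CLIENT_MAP_AFTER_RELAY_CHECK, FORGED_RELAY),
        "client_map/partner_listed": evaluate(CLIENT_MAP_AFTER_RELAY_CHECK, PARTNER_LISTED),
        "client_map/stranger_listed": evaluate(CLIENT_MAP_AFTER_RELAY_CHECK, STRANGER_LISTED),
    }


if __name__ == "__main__":
    for case, verdict in verdicts().items():
        print(f"{case}: {verdict}")
```

With the sender map ahead of reject_unauth_destination, a client at an unrelated IP that merely forges a partner sender is relayed to an outside domain, and a DNSBL-listed stranger gets past the RBL check the same way. With the relay check first and a client-keyed map after it, relaying is refused regardless of sender, the genuine partner IP skips the DNSBL lookup, and the listed stranger is still rejected.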