On 7/22/2016 2:10 PM, Benny Pedersen wrote:
> On 2016-07-22 19:53, Shawn Heisey wrote:
>
>> relay_domains = $mydestination, hash:/etc/postfix/local_domains
>
> if local_domains contains domains local, you can reject senders that
> forge sender AFTER permit_sasl_auth...

You're mentioning authentication again. As I said once already, this postfix server does NOT authenticate users. It only listens on port 25, not port 587. I might have enabled 465, but I do not remember. All user accounts and mailboxes are on the Exchange server, and users can connect directly to Exchange over encrypted channels.

The pair of postfix servers are mail relays and authoritative DNS servers. Our MX record points to a VIP that can float between the two servers. They serve as a spam/virus filter for mail headed to and coming from the Exchange server, and have a second role as a smarthost for internal systems that need to send notification email. The only "authentication" done for the smarthost role is source IP -- permit_mynetworks.

I have no interest in postfix validating "From" headers, but if the envelope sender contains one of my domains and the sending server is not in mynetworks, I want postfix to reject it. Is that possible?

Thanks,
Shawn
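
The policy described in the message above (reject a local-domain envelope sender unless the client is in mynetworks), sketched as a Postfix configuration. This is an added example, not part of the original message or the poster's configuration; the map file name `local_sender_reject` and the domain `example.com` are assumptions.

```conf
# --- /etc/postfix/main.cf (fragment) ---
# Evaluated against the envelope sender (MAIL FROM), not the From: header.
# permit_mynetworks comes first, so internal smarthost clients are exempt
# from the lookup that follows. A "permit" here only ends this restriction
# list; relay and recipient restrictions are still applied afterwards.
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/local_sender_reject

# --- /etc/postfix/local_sender_reject (hypothetical map file) ---
# One line per local domain; example.com is a placeholder.
# A separate map is used because an access(5) table needs an action on the
# right-hand side, which the relay_domains map does not necessarily carry.
example.com    REJECT Envelope sender in a local domain from outside mynetworks
```

Run `postmap /etc/postfix/local_sender_reject` after editing the map, then `postfix reload`. Mail that an outside system forwards back in with the original local envelope sender preserved is also rejected by this rule.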