On Mon, Aug 28, 2017 at 05:53:11PM +0300, Deniss wrote:

> > If the destination domain is yours and the senders are remote
> > untrusted clients, then indeed "default_transport" won't do
> > unless you're a backup MX host (in that case it is possible
> > to allow relaying for the domain via "check_recipient_access",
> > and the default transport will find the right primary MX host).
>
> I have domain + list of emails in the domain. with relay domains
> recipient's check stops just after foreign domain name found as destination.
> with check_recipient_access full email list scanned to reject foreign
> domain. Is this correct ?

Indeed relay_recipient_maps validates relay recipients, but with the
"default" address class you'd have to explicitly implement recipient
checks.

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtpd_relay_restrictions =
            check_recipient_access ${indexed}relay-rcpts
        smtpd_recipient_restrictions =
            check_recipient_access ${indexed}valid-rcpts
            ... anti-spam restrictions ...

    relay-rcpts:
        example.com             OK

    valid-rcpts:
        us...@example.com       DUNNO
        us...@example.com       DUNNO
        ...
        us...@example.com       DUNNO
        example.com             REJECT 5.1.1 Recipient address unknown

This may or may not be worth the effort.

> >> 1. change transport using FILTER via check_sender_access in
> >> smtpd_sender_restrictions - fine until there is no other filter action
> >
> > This would be wrong for multi-recipient email when some recipients
> > are local, or in any case should not be sent to the same destination.
>
> not the case for relay box

If the relay box sends *ALL* recipients to the same destination,
except for internally-generated email (bounces, postmaster notices)
which are not subject to content_filters, then you may be able to
get away with a sender-based "FILTER" access(5) table entry.

[ Keep in mind that setting "relayhost" may interfere with bounce
  delivery, if the relayhost is an inbound relay only.  The correct
  way to set an inbound relay is either of:

        relay_transport = relay:[nomx.example.com]
        relay_transport = relay:mx.example.com
]

> >> IMO it may be useful to allow alter transport in
> >> sender_dependent_relayhost_maps as well in future releases of postfix
> >
> > No, that would not be a good idea, since transport selection needs to
> > be recipient based.
>
> what is the difference to default_transport
> /sender_dependent_default_transport_maps ?

The 'default' transport does not preempt explicit transport selection,
either by address class or transport table.

> Why relayhost/sender_dependent_relayhost_maps do not work same way - not
> include transport as well ?

I'm afraid you'll have to figure that out over time.

-- 
        Viktor.
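
The two-table recipient check sketched in the main.cf fragment above, modelled in Python as an added example (not part of the original message and not Postfix code). It assumes only the `user@domain` and `domain.tld` pattern forms of access(5); `alice` and `bob` are constructed stand-ins for the elided addresses, and `decide` is a hypothetical helper name.

```python
# Simplified model of check_recipient_access lookups against indexed tables.
# Assumption: subdomain matching, "user@" patterns and address extensions
# are left out; only user@domain and domain.tld keys are tried.

# Constructed table contents mirroring relay-rcpts and valid-rcpts.
RELAY_RCPTS = """
example.com         OK
"""
VALID_RCPTS = """
alice@example.com   DUNNO
bob@example.com     DUNNO
example.com         REJECT 5.1.1 Recipient address unknown
"""

def parse_table(text):
    """Parse 'pattern action' lines into a dict keyed by lowercased pattern."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        table[pattern.lower()] = action.strip()
    return table

def lookup(table, rcpt):
    """Return (action, keys_tried); the full address is tried before the domain."""
    rcpt = rcpt.lower()
    keys = [rcpt, rcpt.rpartition("@")[2]]
    for i, key in enumerate(keys):
        if key in table:
            return table[key], keys[:i + 1]
    return None, keys

def decide(rcpt):
    """Combine both tables; the outcome of a miss depends on rules not shown."""
    relay, _ = lookup(parse_table(RELAY_RCPTS), rcpt)
    valid, _ = lookup(parse_table(VALID_RCPTS), rcpt)
    if valid and valid.startswith("REJECT"):
        return "reject: " + valid.split(None, 1)[1]
    if relay == "OK" and valid == "DUNNO":
        return "relay allowed, continue with remaining restrictions"
    return "not decided by these tables"

if __name__ == "__main__":
    for rcpt in ("alice@example.com", "nobody@example.com", "user@example.net"):
        print(rcpt, "->", decide(rcpt))
```

In this model each recipient costs at most two keyed lookups per table, and a recipient in a foreign domain matches neither table, so its fate rests on whatever restrictions follow.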