> On Apr 11, 2018, at 1:49 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>
>> How would I go about doing that? I thought I could configure a
>> check_sender_access restriction, list host2.example.com as "ok" then
>> reject everything else:
>>
>> host2.example.com OK
>> * 554 REJECT

See the documentation:

    http://www.postfix.org/access.5.html

where you'll find that "*" is not a documented lookup key for
access(5) tables.

>> For host2.example.com, users send mail using either submission or
>> webmail which talks to postfix on localhost/25. I believe this would
>> be a smtpd recipient restriction?
>
> Put these entries in a client-based, not sender-based, restriction e.g.
>
> check_client_access hash:/etc/postfix/client_access

The OP has not been at all clear about whether the policy applies
to the envelope sender address, or the connecting client hostname.

Whitelist policies based on the connecting client hostname are
fragile: DNS lookups can tempfail, and so one needs to make sure
that any resulting rejection is also a temporary failure.

> This could appear in any of the restriction lists, including
> smtpd_recipient_restrictions.

This is also nuanced, as one must take care to not become an open
relay for forgeries of the envelope sender address, or even for a
particular host that is authorized to send inbound email, but should
not as a result be also allowed to send outbound email to remote
domains.

If the intent is to limit mail to a single client hostname (not
envelope sender domain) and refuse everyone else then the correct
configuration is:

    # Postfix >= 2.10
    # No relay service
    #
    smtpd_relay_restrictions = reject_unauth_destination

    smtpd_client_restrictions =
        #
        # softfail when DNS resolution tempfails,
        # hardfail for clients with no FcrDNS
        #
        reject_unknown_client_hostname,
        #
        # Postfix >= 3.0, use another table type with older versions
        # permit just the whitelisted host
        #
        check_client_access inline:{smtp.example.com=OK}
        #
        # Reject everyone else
        #
        reject

-- 
Viktor.
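
Added example, not part of the original message and not Postfix code: a simplified Python model of the three-step smtpd_client_restrictions list above, following the comments in that configuration. It shows why the "*" line in the quoted table is never consulted and why the trailing reject is needed. The names Dns, access_lookup and evaluate, the result strings, and the sample host mail.other.example are assumptions made for the illustration; only hostname lookups are modelled.

```python
from enum import Enum


class Dns(Enum):
    """Outcome of the client name lookups (forward-confirmed reverse DNS)."""
    VERIFIED = "verified"   # address->name and name->address agree
    TEMPFAIL = "tempfail"   # a lookup failed with a temporary error
    NO_MATCH = "no_match"   # no name for the address, or it does not map back


def access_lookup(table, hostname):
    """Hostname lookup in the style of access(5): the exact name first,
    then each parent domain (assumes the default
    parent_domain_matches_subdomains behaviour).
    There is no wildcard lookup key, so a "*" entry is never queried."""
    name = hostname.lower()
    while name:
        if name in table:
            return table[name]
        _, _, name = name.partition(".")   # strip the leftmost label
    return None   # no decision: evaluation falls through to the next restriction


def evaluate(dns, hostname, table):
    """Walk the restrictions in order; the first decisive result wins."""
    # 1. reject_unknown_client_hostname
    if dns is Dns.TEMPFAIL:
        return "DEFER"    # temporary failure, the client is expected to retry
    if dns is Dns.NO_MATCH:
        return "REJECT"
    # 2. check_client_access
    if access_lookup(table, hostname) == "OK":
        return "PERMIT"
    # 3. reject (everyone else)
    return "REJECT"


# Constructed sample tables: the one from the reply, and the one quoted from the OP.
WHITELIST = {"smtp.example.com": "OK"}
OP_TABLE = {"host2.example.com": "OK", "*": "554 REJECT"}

if __name__ == "__main__":
    for dns, host in [(Dns.VERIFIED, "smtp.example.com"),
                      (Dns.TEMPFAIL, "smtp.example.com"),
                      (Dns.VERIFIED, "mail.other.example")]:
        print(dns.value, host, evaluate(dns, host, WHITELIST))
    # The "*" key is inert: an unlisted client gets no decision from the table.
    print(access_lookup(OP_TABLE, "mail.other.example"))
```
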