What you're trying to do can't be done with Postfix access(5) tables. You're trying to encode a pair of lookup keys, the sender and the receiving alias, into a single query, so that different receiving aliases can have different allowed senders.
Postfix has only single-key queries. If a single set of authorized senders across all the aliases will not do, you need one restriction class per-alias, or will need to move the lookups into a policy service, which can do multi-key lookups.

> On Oct 9, 2018, at 10:19 AM, Marcio Vogel Merlone dos Santos
> <marcio.merl...@a1.ind.br> wrote:
>
> I have to implement a restriction class as per
> http://www.postfix.org/RESTRICTION_CLASS_README.html to protect some
> internal aliases, allowing just selected users to send mails to. Initial
> idea is to create a security group (called PSIU below) inside AD
> (Samba 4.7) and put granted people there. I went this way:
>
> main.cf:
>
> smtpd_restriction_classes = insiders_only
> insiders_only = check_sender_access ldap:/etc/postfix/adinsidersok.cf, reject
>
> smtpd_recipient_restrictions =
>     ...
>     check_recipient_access ldap:/etc/postfix/adinsiders.cf,
>     ...
>
> adinsiders.cf defines the aliases to protect:
>
> server_host = ldap://addc
> bind_dn = CN=postfix,OU=Sistemas,DC=tld
> bind_pw = xxx
> search_base = OU=MailAliases,DC=tld
> query_filter = (mail=%s)
> result_attribute = msDS-AzApplicationData
>
> On msDS-AzApplicationData attribute I have "insiders_only" for some
> aliases. This is fine.
>
> adinsidersok.cf defines who can use those protected aliases:
>
> server_host = ldap://addc
> bind_dn = CN=postfix,OU=Sistemas,DC=tld
> bind_pw = xxx
> search_base = CN=PSIU,OU=Sistemas,DC=tld
> query_filter = (member=%s)
> result_attribute = memberOf

-- Viktor.
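
The two-key lookup that the reply says belongs in a policy service, sketched as an added example (not part of the original thread and not Postfix code): the decision logic for a Postfix policy-delegation request, where the recipient selects the access list and the sender is checked against it. The `ALLOWED_SENDERS` table, the addresses and the function names are hypothetical; a static dict stands in for the AD group lookup.

```python
# Hypothetical per-alias ACL (constructed); in the thread's setup this would
# come from AD group membership instead of a static dict.
ALLOWED_SENDERS = {
    "psiu@example.com": {"alice@example.com", "bob@example.com"},
    "board@example.com": {"carol@example.com"},
}


def parse_request(raw: str) -> dict:
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break  # empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Two-key lookup: recipient selects the ACL, sender is checked against it."""
    recipient = attrs.get("recipient", "").lower()
    sender = attrs.get("sender", "").lower()
    allowed = ALLOWED_SENDERS.get(recipient)
    if allowed is None:
        return "DUNNO"  # not a protected alias: let later restrictions decide
    if sender in allowed:
        return "DUNNO"  # authorized sender for this alias
    return "REJECT Not authorized to send to this address"


def respond(raw: str) -> str:
    """Build the reply Postfix expects: action=... followed by an empty line."""
    return "action=" + decide(parse_request(raw)) + "\n\n"


# Constructed sample request, as smtpd would send it at the RCPT stage.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=mallory@example.com\n"
    "recipient=psiu@example.com\n"
    "\n"
)

if __name__ == "__main__":
    print(respond(SAMPLE), end="")
```

Postfix consults such a service through `check_policy_service` in `smtpd_recipient_restrictions`. The envelope sender is supplied by the client, so where submitters authenticate, matching on the request's `sasl_username` attribute is the stronger check.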