On Thu, Aug 27, 2020 at 02:30:21PM +0200, Marek Kozlowski wrote:
> #-------------------------------------------------
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     check_sender_access hash:/etc/postfix/sender_checks_my,
>     ...

I assume that perhaps you also have "smtpd_relay_restrictions" defined
as a safety net, but it is good to see "reject_unauth_destination"
safely above the sender checks.

> # cat /etc/postfix/sender_checks_my
> 1.2.3.4/24          OK
> sth.mydomain.tld    554 Please enable SMTP AUTH

Well that can't work, because "1.2.3.4/24" is not a sender address,
and CIDR syntax doesn't work in a hashed file anyway.

> ? Is there any other way? Thanks!

Yes, there is another way:

main.cf:
    default_database_type = hash
    indexed = ${default_database_type}:${config_directory}/
    cidr = cidr:${config_directory}/

    # See http://www.postfix.org/RESTRICTION_CLASS_README.html
    smtpd_restriction_classes = check_impersonator
    check_impersonator =
        check_client_access ${cidr}impersonators.cidr

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_sender_access ${indexed}sender_checks_my,
        ...

sender_checks_my:
    # Restricted sender domains
    sth.mydomain.tld    check_impersonator

impersonators.cidr:
    # Order matters, list permitted clients above the final REJECT
    # No need to return "OK", a DUNNO suffices to avoid the reject.
    1.2.3.4/24    DUNNO
    0.0.0.0/0     REJECT 5.7.1 Please enable SASL AUTH

--
Viktor.
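
The two-stage lookup described in the message above (sender domain selects the restriction class, which then checks the client address against a first-match CIDR table), modelled as an added example; this is not code from the thread or from Postfix. The network 192.0.2.0/24, the address example.org and the function names are assumptions made for illustration, and the sender lookup is simplified to the full address and the exact domain.

```python
import ipaddress

# Constructed sample tables mirroring the layout in the message;
# 192.0.2.0/24 is a placeholder network, not a value from the thread.
SENDER_CHECKS = {"sth.mydomain.tld": "check_impersonator"}
IMPERSONATORS_CIDR = [
    ("192.0.2.0/24", "DUNNO"),
    ("0.0.0.0/0", "REJECT 5.7.1 Please enable SASL AUTH"),
]

def cidr_lookup(table, client_ip):
    """Return the result of the first matching rule, or None."""
    addr = ipaddress.ip_address(client_ip)
    for pattern, result in table:
        # ip_network() is strict here: host bits in the pattern must be zero.
        net = ipaddress.ip_network(pattern)
        if addr.version == net.version and addr in net:
            return result
    return None

def sender_lookup(table, sender):
    """Simplified sender lookup: full address first, then the exact domain."""
    domain = sender.rpartition("@")[2].lower()
    return table.get(sender.lower()) or table.get(domain)

def decide(client_ip, sender, sasl_authenticated=False, mynetworks=()):
    """Walk the restriction list in order and return the first decisive result."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in mynetworks):
        return "permit (permit_mynetworks)"
    if sasl_authenticated:
        return "permit (permit_sasl_authenticated)"
    # reject_unauth_destination is assumed to pass (recipient is local).
    if sender_lookup(SENDER_CHECKS, sender) == "check_impersonator":
        result = cidr_lookup(IMPERSONATORS_CIDR, client_ip)
        if result and result.startswith("REJECT"):
            return result
    return "continue (DUNNO)"  # later restrictions still apply

if __name__ == "__main__":
    for ip, sender, auth in [("192.0.2.10", "user@sth.mydomain.tld", False),
                             ("198.51.100.7", "user@sth.mydomain.tld", False),
                             ("198.51.100.7", "user@sth.mydomain.tld", True),
                             ("198.51.100.7", "user@example.org", False)]:
        print(ip, sender, auth, "->", decide(ip, sender, auth))
```

In this model an IPv6 client matches neither IPv4 pattern, so the class returns no result for it; covering IPv6 clients would need an additional ::/0 rule.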