On 27 Aug 2020, at 8:30, Marek Kozlowski wrote:
> :-)
> Let's assume my hostname is 'sth.mydomain.tld'
> The following configuration:
> #-------------------------------------------------
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/sender_checks_my,
> ...
> # cat /etc/postfix/sender_checks_my
> sth.mydomain.tld 554 Please enable SMTP AUTH
> #-------------------------------------------------
> accepts mail from '...@sth.mydomain.tld' only from authenticated users
> or the hosts specified by the 'mynetworks' list.
Why offer AUTH on port 25 at all? Enable initial mail submission (port
465 with SSL 'wrappermode' and/or port 587 with STARTTLS) with AUTH and
disable AUTH for port 25. Removing support for initial mail submission
from port 25 SMTP allows for a more tightly defined configuration and
depending on what your specific needs are, you may be able to eliminate
IP-based authentication altogether.
> I'm wondering if there is a simple way of extending the list of hosts
> that may send me e-mails with '...@sth.mydomain.tld' as the sender
> address to my whole network (let's say '1.2.3.4/24') but without
> modifying the 'mynetworks' (which AFAIK grant much more privileges)
> list.
Viktor wrote up the standard approach to do what you asked in his reply,
using a restriction class.
A simpler solution may be to limit the privilege given to $mynetworks by
adding an explicit definition for smtpd_relay_restrictions:
smtpd_relay_restrictions = permit_sasl_authenticated,
reject_unauth_destination
With that set, the permit_mynetworks directive in
smtpd_recipient_restrictions only applies to inbound mail, not relayed
mail, so you may feel more comfortable adding more addresses to
$mynetworks.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
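Putting the two suggestions in this thread into concrete Postfix configuration, as an added example rather than configuration either poster supplied: AUTH is offered only on the submission services, relaying depends on SASL alone, and the hosts in the asker's network are exempted from the sender check through a restriction class, the mechanism Bill attributes to Viktor's reply. The map name `trusted_senders.cidr`, the class name `check_local_sender`, and writing the network as the prefix `1.2.3.0/24` are assumptions made for illustration; `sender_checks_my` is the map from the original post.

```ini
# /etc/postfix/main.cf (added example; map and class names are illustrative)

# Relaying is decided here and depends on SASL alone. With this set,
# permit_mynetworks in smtpd_recipient_restrictions no longer implies
# relay rights, which is the point of defining smtpd_relay_restrictions.
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination

# Restriction class: a named restriction list that an access table can
# invoke as its result for matching clients.
smtpd_restriction_classes = check_local_sender
check_local_sender = check_sender_access hash:/etc/postfix/sender_checks_my

# Clients in the trusted network fall through (DUNNO) to whatever follows
# in "..."; every other client is routed into the class, which runs the
# sender lookup from the original post.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/trusted_senders.cidr

# /etc/postfix/trusted_senders.cidr (assumed file; cidr maps need no postmap)
#   1.2.3.0/24   DUNNO
#   0.0.0.0/0    check_local_sender
#   ::/0         check_local_sender

# /etc/postfix/sender_checks_my (from the original post; run postmap on it)
#   sth.mydomain.tld   554 Please enable SMTP AUTH

# /etc/postfix/master.cf: AUTH only on the submission services, not on
# port 25, as Bill recommends.
#
# smtp       inet  n  -  n  -  -  smtpd
#   -o smtpd_sasl_auth_enable=no
# submission inet  n  -  n  -  -  smtpd
#   -o syslog_name=postfix/submission
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# smtps      inet  n  -  n  -  -  smtpd
#   -o syslog_name=postfix/smtps
#   -o smtpd_tls_wrappermode=yes
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

The outcome for each client type: an authenticated user relays and may use the local sender domain; a host in 1.2.3.0/24 may not relay but is not hit by the sender check; any other client is refused the local sender domain with the 554 reply. After editing, `postmap hash:/etc/postfix/sender_checks_my` and `postfix reload`, then confirm the effective values with `postconf -n` and `postconf -M`.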