Hi Hans.

I'm not sure if there is an easier way, but one way to achieve this is with a restriction class per server. (BTW I don't know much about LDAP so the example below is based on files...)

main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtpd_restriction_classes =
                server1_sender_restrictions,
                server2_sender_restrictions,
                server3_sender_restrictions
        smtpd_relay_restrictions =
                check_client_access ${indexed}allservers_client_access,
                reject_unauth_destination
        server1_sender_restrictions =
                check_sender_access ${indexed}server1_sender_access, reject
        server2_sender_restrictions =
                check_sender_access ${indexed}server2_sender_access, reject
        server3_sender_restrictions =
                check_sender_access ${indexed}server3_sender_access, reject

allservers_client_access:
        server1.internal.example.com    server1_sender_restrictions
        server2.internal.example.com    server2_sender_restrictions
        server3.internal.example.com    server3_sender_restrictions

server1_sender_access:
        example.com     ok
        <>        ok

server2_sender_access:
        example.org     ok
        <>        ok

server3_sender_access:
        example.net     ok
        <>        ok

I use something like this myself and it works well if the number of servers is small and doesn't change often.

Nick.


On 25/09/20 2:42 am, Hans van Zijst wrote:
Is it possible to let Postfix decide which hosts to relay mail for,
based on the domain from which that mail is sent?

I'm building a relayhost that should accept e-mail from a whole bunch of
internal mailservers, and relay it to the Internet, after scanning,
DKIM-signing and rate limiting.

But I don't want to give Postfix one list of all hosts that are allowed
to relay mail through it, because that would allow users of all internal
servers to send mail from all domains. I'm looking for a way to let
Postfix check if the host is allowed to send mail for the domain involved.

I'm using an LDAP backend and what I thought I wanted to do under
"smtpd_relay_restrictions" is a "check_client_access" query for the
domain, and return the attribute which contains the host(s) that are
allowed, with "PERMIT", like this:

smtpd_relay_restrictions =  check_client_access ldap:relay_access

Where the file relay_access contains something like:

query_filter = domainName=%d
result_attribute = allowedHost
result_format = %s PERMIT

But the input key here is not the domain name, but the address of the
smtpserver sending the message.

How do I match a domain name with an IP-address or FQDN? Or am I looking
in the wrong direction here?

Kind regards,

Hans
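
The restriction-class setup in Nick's reply, modelled in Python as an added example (not part of either message, and not Postfix code). It assumes `client_hostname` is the name Postfix verified for the connecting client and `sender` is the envelope MAIL FROM address; the users alice and bob are constructed, and the lookup order is a simplified version of what access(5) describes.

```python
# Added example: simplified model of the lookups, not Postfix code.
# Table contents are copied from the reply above.
CLIENT_ACCESS = """
server1.internal.example.com    server1_sender_restrictions
server2.internal.example.com    server2_sender_restrictions
server3.internal.example.com    server3_sender_restrictions
"""
SENDER_ACCESS = {  # restriction class -> contents of its check_sender_access table
    "server1_sender_restrictions": "example.com ok\n<> ok",
    "server2_sender_restrictions": "example.org ok\n<> ok",
    "server3_sender_restrictions": "example.net ok\n<> ok",
}

def load(text):
    """Parse 'key  result' lines into a dict with lower-cased keys."""
    rows = (line.split(None, 1) for line in text.strip().splitlines())
    return {key.lower(): value.strip() for key, value in rows}

def parents(name):
    """The name itself, then each parent domain (a.b.c, b.c, c)."""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def sender_keys(sender):
    """Keys tried for an envelope sender; the null sender is looked up as <>."""
    if sender == "":
        return ["<>"]
    local, _, domain = sender.lower().rpartition("@")
    return [sender.lower()] + parents(domain) + [local + "@"]

def first_match(table, keys):
    """Result for the first key present in the table, or None."""
    return next((table[k] for k in keys if k in table), None)

def relay_decision(client_hostname, sender):
    """Outcome of smtpd_relay_restrictions for one client and envelope sender."""
    cls = first_match(load(CLIENT_ACCESS), parents(client_hostname))
    if cls is None:
        return "reject_unauth_destination"  # no class: the next restriction decides
    result = first_match(load(SENDER_ACCESS[cls]), sender_keys(sender))
    return "permit" if result == "ok" else "reject"  # each class ends in "reject"

if __name__ == "__main__":
    for host, sender in [
        ("server1.internal.example.com", "alice@example.com"),
        ("server1.internal.example.com", "alice@example.org"),
        ("server3.internal.example.com", "bob@mail.example.net"),
        ("server2.internal.example.com", ""),
        ("unknown", "alice@example.com"),
    ]:
        print(f"{host:32} {sender or '<>':22} {relay_decision(host, sender)}")
```

The third case shows that a bare domain key such as `example.net` also covers its subdomains in this model, which matches Postfix's default `parent_domain_matches_subdomains` setting for access maps.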
