On Thu, Sep 24, 2020 at 04:42:22PM +0200, Hans van Zijst wrote:

> I'm building a relayhost that should accept e-mail from a whole bunch of
> internal mailservers, and relay it to the Internet, after scanning,
> DKIM-signing and rate limiting.
>
> But I don't want to give Postfix one list of all hosts that are allowed
> to relay mail through it, because that would allow users of all internal
> servers to send mail from all domains. I'm looking for a way to let
> Postfix check if the host is allowed to send mail for the domain involved.

While this is possible, it is not a good idea to do this. So the right answer to "HOW" is probably "DON'T".

The reason for this is that email routing is more complicated in general than just a linear delivery chain from a single author or sender to the originally addressed mailboxes.

Email from a sender in domain A may be addressed to a "distribution list" at domain B, that contains some recipients there, but also forwards the mail to domains C, and D and maybe even some mailboxes on the Internet. The envelope sender may or may not change en-route, the message may be redirected by a recipient who adds "Resent-From" headers, but leaves "From:" unchanged...

If you erect walls between the domains, you do violence to legitimate email delivery use-cases.

--
    Viktor.