:-)

On 2/7/21 7:51 PM, Bill Cole wrote:
On 7 Feb 2021, at 12:52, Marek Kozlowski wrote:

:-)

On 2/7/21 6:34 PM, Benny Pedersen wrote:
On 2021-02-07 18:28, Marek Kozlowski wrote:

Mail from 192.168.3/24 with sender's address 'sth3.tld' should be
accepted even if the user is not authenticated, and rejected without
authentication for other CIDR blocks.

add 192.168.0.0/16 to mynetworks

you show bogus logs btw

No!

"Mail from 192.168.1/24 with sender's address 'sth1.tld' should be accepted even if the user is not authenticated, and rejected without authentication for other CIDR blocks."

Mail from 192.168.1/24 should be accepted for 'sth1.tld' but not for 'sth2.tld'!

I need something more flexible and more restrictive in comparison to 'permit_mynetworks'. I don't want to consider some CIDR trusted, privileged hosts at all. I just want to say: unauthorized email with this domain name (exactly this one!) address should be accepted if it comes from this (exactly this one!) IP range and should be unconditionally rejected in all other cases.

You need to use a custom restriction class for this. See http://www.postfix.org/RESTRICTION_CLASS_README.html

Something like:

smtpd_restriction_classes = localnets, othernets
localnets = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/localdomains, reject_unauth_destination
othernets = permit_sasl_authenticated, reject_unauth_destination


smtpd_recipient_restrictions = [...] check_client_access cidr:/etc/postfix/client_nets, [...]

/etc/postfix/localdomains:
sth1.tld    permit
sth2.tld    dunno

/etc/postfix/client_nets:
192.168.1.0/24   localnets
0.0.0.0/0        othernets

I'm not sure, but as far as I can see the solution described above works only for *relaying*. Imagine a local recipient and an external sender. In such a case 'othernets' applies, which means just:

        permit_sasl_authenticated, reject_unauth_destination

If the recipient is local then 'reject_unauth_destination' doesn't do any work. So it won't block mail from '@sth1.tld' from external hosts addressed to local recipients. Again:

"Mail from 192.168.1/24 with sender's address 'sth1.tld' should be accepted even if the user is not authenticated, and rejected without authentication for other CIDR blocks."

NO MATTER WHAT THE RECIPIENT IS!

Best regards,
Marek
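An added worked configuration, not from either poster, that closes the gap Marek points out: each network class first gives an OK to its own domain, and then every class, othernets included, rejects any protected domain from anywhere else before reject_unauth_destination runs, so the decision does not depend on the recipient. The file names, the net2/net3 pairs and the smtpd_relay_restrictions entry are assumptions beyond what the thread shows.

```conf
# --- main.cf fragment (added example; file names and net2/net3 are assumptions)
smtpd_restriction_classes = net1, net2, net3, othernets

# Each network class: authenticated users first, then OK for the one
# domain tied to this network, then REJECT for every protected domain
# (catches sth2.tld from net1 etc.), then the usual relay control.
net1 = permit_sasl_authenticated,
       check_sender_access hash:/etc/postfix/sender_net1,
       check_sender_access hash:/etc/postfix/protected_senders,
       reject_unauth_destination
net2 = permit_sasl_authenticated,
       check_sender_access hash:/etc/postfix/sender_net2,
       check_sender_access hash:/etc/postfix/protected_senders,
       reject_unauth_destination
net3 = permit_sasl_authenticated,
       check_sender_access hash:/etc/postfix/sender_net3,
       check_sender_access hash:/etc/postfix/protected_senders,
       reject_unauth_destination

# Every other client: no OK entry, so an unauthenticated sth1.tld sender
# is REJECTed here no matter whether the recipient is local or remote.
othernets = permit_sasl_authenticated,
            check_sender_access hash:/etc/postfix/protected_senders,
            reject_unauth_destination

# The class lookup must run before reject_unauth_destination. On Postfix
# 2.10+ smtpd_relay_restrictions is evaluated first, so the same lookup is
# needed there or unauthenticated relaying from net1 is deferred.
smtpd_relay_restrictions = check_client_access cidr:/etc/postfix/client_nets,
                           permit_sasl_authenticated,
                           defer_unauth_destination
smtpd_recipient_restrictions = check_client_access cidr:/etc/postfix/client_nets,
                               reject_unauth_destination

# --- /etc/postfix/client_nets (cidr: table, first match wins; ::/0 covers IPv6)
192.168.1.0/24   net1
192.168.2.0/24   net2
192.168.3.0/24   net3
0.0.0.0/0        othernets
::/0             othernets

# --- /etc/postfix/sender_net1 (hash:, run postmap after editing)
# The lookup key is the bare domain, as in access(5); "@sth1.tld" never matches.
sth1.tld   OK

# --- /etc/postfix/protected_senders (hash:)
sth1.tld   REJECT unauthenticated sth1.tld mail is only accepted from 192.168.1.0/24
sth2.tld   REJECT unauthenticated sth2.tld mail is only accepted from 192.168.2.0/24
sth3.tld   REJECT unauthenticated sth3.tld mail is only accepted from 192.168.3.0/24
```

The OK in sender_net1 permits relaying for anyone on that subnet who writes an sth1.tld envelope sender, which is exactly the trust Marek asked for; sender_net2 and sender_net3 follow the same one-line pattern for their own domain.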
