On 7 Feb 2021, at 14:33, Marek Kozlowski wrote:
:-)
On 2/7/21 7:51 PM, Bill Cole wrote:
On 7 Feb 2021, at 12:52, Marek Kozlowski wrote:
:-)
On 2/7/21 6:34 PM, Benny Pedersen wrote:
On 2021-02-07 18:28, Marek Kozlowski wrote:
Mail from 192.168.3/24 with sender's address 'sth3.tld' should be
accepted even if the user is not authenticated, and rejected without
authentication for other CIDR blocks.
add 192.168.0.0/16 to mynetworks
you show bogus logs btw
No!
"Mail from 192.168.1/24 with sender's address 'sth1.tld' should be
accepted even if the user is not authenticated, and rejected without
authentication for other CIDR blocks. "
Mail from 192.168.1/24 should be accepted for 'sth1.tld' but not for
'sth2.tld'!
I need something more flexible and more restrictive in comparison to
'permit_mynetworks'. I don't want to consider some CIDR trusted,
privileged hosts at all. I just want to say: unauthorized email with
this domain name (exactly this one!) address should be accepted if it
goes from this (exactly this one!) IP range and should be
unconditionally rejected in all other cases.
You need to use a custom restriction class for this. See
http://www.postfix.org/RESTRICTION_CLASS_README.html
Something like:
smtpd_restriction_classes = localnets, othernets
localnets = permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/localdomains,
    reject_unauth_destination
othernets = permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = [...] check_client_access
    cidr:/etc/postfix/client_nets, [...]

/etc/postfix/localdomains (run "postmap /etc/postfix/localdomains" after editing):
# access(5) looks up user@domain, then the bare domain; "@domain" is not a lookup key
sth1.tld permit
sth2.tld dunno

/etc/postfix/client_nets:
# first matching network wins; the value names a restriction class
192.168.1.0/24 localnets
0.0.0.0/0 othernets
I'm not sure but as far as I can see the solution described above
works only for *relaying*. Imagine a local recipient and an external
sender. In such a case 'othernets' applies, which means just:
permit_sasl_authenticated, reject_unauth_destination
If the recipient is local then 'reject_unauth_destination' doesn't do
any work. So it won't block mail from '@sth1.tld' from external hosts
addressed to local recipients. Again:
"Mail from 192.168.1/24 with sender's address 'sth1.tld' should be
accepted even if the user is not authenticated, and rejected without
authentication for other CIDR blocks."
NO MATTER WHAT THE RECIPIENT IS!
So switch 'reject_unauth_destination' to 'reject' or add whatever other
directives you like to the 'othernets' restriction list.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
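To make the gap Marek describes concrete, here is an added example (not from the thread, not Postfix code): a small Python model of how smtpd_recipient_restrictions walks a restriction list, expands a restriction class returned by the cidr table, and consults an access table, with the first non-"dunno" result deciding and the end of the list permitting. It compares the classes as first proposed with an 'othernets' that also carries a check_sender_access table rejecting the protected domain; LOCAL_DOMAINS, the access-table contents and the client/sender/recipient values are constructed, and access actions are written as permit/reject/dunno rather than OK/REJECT/DUNNO.

```python
import ipaddress
LOCAL_DOMAINS = {"example.tld"}  # constructed: this server's mydestination

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def permit_sasl_authenticated(msg):
    return "permit" if msg["sasl"] else "dunno"

def reject_unauth_destination(msg):  # dunno for local recipients, reject for relay
    return "dunno" if domain_of(msg["rcpt"]) in LOCAL_DOMAINS else "reject"

def check_sender_access(table):  # access(5) order: user@domain, then bare domain
    def restriction(msg):
        sender = msg["sender"].lower()
        return next((table[k] for k in (sender, domain_of(sender)) if k in table), "dunno")
    return restriction

def check_client_access(cidr_rules):  # cidr table: first matching network wins
    def restriction(msg):
        ip = ipaddress.ip_address(msg["client"])
        return next((act for net, act in cidr_rules if ip in ipaddress.ip_network(net)), "dunno")
    return restriction

def evaluate(restrictions, classes, msg):
    """First non-dunno result decides; a class name returned by a table expands in place."""
    for r in restrictions:
        result = r(msg)
        if result in classes:
            result = evaluate(classes[result], classes, msg)
        if result != "dunno":
            return result
    return "dunno"

CLIENT_NETS = [("192.168.1.0/24", "localnets"), ("0.0.0.0/0", "othernets")]
LOCALDOMAINS = {"sth1.tld": "permit", "sth2.tld": "dunno"}
CLASSES_V1 = {  # classes as first proposed in the thread
    "localnets": [permit_sasl_authenticated, check_sender_access(LOCALDOMAINS),
                  reject_unauth_destination],
    "othernets": [permit_sasl_authenticated, reject_unauth_destination],
}
CLASSES_V2 = dict(CLASSES_V1, othernets=[  # othernets with a sender-domain block added
    permit_sasl_authenticated, check_sender_access({"sth1.tld": "reject"}),
    reject_unauth_destination])

def decide(classes, client, sender, rcpt, sasl=False):
    """smtpd_recipient_restrictions = check_client_access cidr:...; end of list permits."""
    msg = {"client": client, "sender": sender, "rcpt": rcpt, "sasl": sasl}
    result = evaluate([check_client_access(CLIENT_NETS)], classes, msg)
    return "permit" if result == "dunno" else result
```

With CLASSES_V1 an unauthenticated external host sending as sth1.tld to a local recipient is permitted, exactly the case raised above; with CLASSES_V2 it is rejected while unrelated inbound mail from other domains still gets through, which is narrower than replacing reject_unauth_destination with a bare reject.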