On Mon, Aug 14, 2023 at 11:04:56PM +0200, lutz.niederer--- via Postfix-users wrote:
> we need to block subaddressing from extern, and only from extern.
> Internally we use it really often.

A sensible initial simplification is to not mix inbound and outbound
mail on the same Postfix instance.  Then, once the only traffic coming
into the inbound server is from "external" users:

> We thought about a table that denies recipient addresses that got a
> "+". But how do we filter only if they do not come from mynetwork and
> not the authenticated users, but only from users outside?

main.cf:
    pcre = pcre:${config_directory}/
    smtpd_recipient_restrictions = ...
        check_recipient_access ${pcre}extension-access.pcre

extension-access.pcre:
    # Either +ext@domain (or address literal) or just bare +ext
    if /[+](?:.*?@[^@]+|[^@]*)$/
    # The "+" is written as [+] so it matches a literal plus, not a quantifier
    /^first-exception[+]/ DUNNO
    /^another-exception[+]/ DUNNO
    # ...
    # Disallowed by default
    /^/ REJECT 554 5.1.1 restricted address extension
    endif

> What does not work for us is a separate smtpd in master.cf listening
> on a different port.

You really should separate inbound and outbound mail, this makes many
aspects of the configuration much simpler.  That said, you could replace
the "REJECT ..." with:

    /^/ permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

at the cost of a much less clear error response to the hapless sender.
That too can be worked around, but why jump through all the hoops, you
could simply (but I repeat myself) ...

-- 
    Viktor.
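An offline check of the table logic above, as an added example that is not part of the original post: a small Python evaluator for the `if`/`endif` and first-match behaviour of a pcre table, run over constructed recipient addresses. It assumes Python's `re` as a stand-in for PCRE (these patterns behave the same in both), writes the literal `+` in the exception patterns as `[+]`, and uses `example.com` and the post's exception names as placeholders.

```python
import re

# Table from the post, with the literal "+" in the exceptions written as [+].
# "first-exception" / "another-exception" are the post's placeholder names.
TABLE = r"""
if /[+](?:.*?@[^@]+|[^@]*)$/
/^first-exception[+]/ DUNNO
/^another-exception[+]/ DUNNO
/^/ REJECT 554 5.1.1 restricted address extension
endif
"""

RULE = re.compile(r"^(if\s+)?/(.*)/\s*(.*)$")
FLAGS = re.IGNORECASE | re.DOTALL  # pcre_table defaults: case-insensitive, dot matches newline


def lookup(table, key):
    """Return the action of the first matching rule, or None (no match)."""
    skip = 0  # depth of if-blocks whose condition failed
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            skip = max(0, skip - 1)
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparsed line: {line!r}")
        is_if, pattern, action = m.groups()
        if skip:
            skip += 1 if is_if else 0  # track nested ifs inside a skipped block
            continue
        hit = re.search(pattern, key, FLAGS)
        if is_if:
            skip = 0 if hit else 1
        elif hit:
            return action
    return None


# Constructed sample recipients (example.com is a placeholder domain).
SAMPLES = ["alice@example.com", "alice+lists@example.com",
           "first-exception+news@example.com", "first-exceptional+x@example.com",
           "bob+tag"]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt:36} -> {lookup(TABLE, rcpt) or 'no match (next restriction decides)'}")
```

On a host with Postfix installed, `postmap -q 'alice+lists@example.com' pcre:/etc/postfix/extension-access.pcre` queries the real table the same way (the path is an assumption).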