Ah, still one question.  I don't remember exactly where, but I believe that you 
said it would be better to split into separate instances.  Sorry, can't find it 
anymore.  Both instances would work in parallel on the domain socket (unix:...) 
to dovecot (lmtp authentication & delivery).  Do we have to expect any problems 
with that or is it safe?


> Sent: Monday, 14 August 2023 at 23:31
> From: "Viktor Dukhovni via Postfix-users" <postfix-users@postfix.org>
> To: postfix-users@postfix.org
> Subject: [pfx] Re: How to block subaddressing from extern with a table
>
> On Mon, Aug 14, 2023 at 11:04:56PM +0200, lutz.niederer--- via Postfix-users wrote:
>
> > we need to block subaddressing from extern, and only from extern.
> > Internally we use it really often.
>
> A sensible initial simplification is to not mix inbound and outbound
> mail on the same Postfix instance.  Then, once the only traffic coming
> into the inbound server is from "external" users:
>
> > We thought about a table that denies recipient addresses that got a
> > "+".  But how do we filter only if they do not come from mynetwork and
> > not the authenticated users, but only from users outside?
>
>     main.cf:
>         pcre = pcre:${config_directory}/
>         smtpd_recipient_restrictions =
>             ...
>             check_recipient_access ${pcre}extension-access.pcre
>
>     extension-access.pcre:
>         # Either +ext@domain (or address literal) or just bare +ext
>         if /[+](?:.*?@[^@]+|[^@]*)$/
>         /^first-exception[+]/     DUNNO
>         /^another-exception[+]/   DUNNO
>         # ...
>         # Disallowed by default
>         /^/                     REJECT 554 5.1.1 restricted address extension
>         endif
>
> > What does not work for us is a separate smtpd in master.cf listening
> > on a different port.
>
> You really should separate inbound and outbound mail, this makes many
> aspects of the configuration much simpler.
>
> That said, you could replace the "REJECT ..." with:
>
>         /^/ permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
>
> at the cost of a much less clear error response to the hapless sender.
> That too can be worked-around, but why jump through all the hoops, you
> could simply (but I repeat myself) ...
>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
>
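An offline approximation of the quoted extension-access.pcre table, added here as an example (it is not part of the thread or of Postfix), for checking which recipients the table would reject before deploying it. It assumes first-match-wins, case-insensitive matching as in pcre_table(5), writes the literal plus in the exception rules as [+], and uses constructed sample addresses.

```python
import re

# Approximation of Postfix pcre_table(5) semantics: rules are tried in order,
# the first match wins, and matching is case-insensitive by default.
# GUARD is the "if" pattern from the quoted table.
GUARD = re.compile(r"[+](?:.*?@[^@]+|[^@]*)$", re.I)

# Rules inside the if/endif block. The literal "+" is written as [+]
# because a bare + is a regex quantifier, not a plus sign.
RULES = [
    (re.compile(r"^first-exception[+]", re.I), "DUNNO"),
    (re.compile(r"^another-exception[+]", re.I), "DUNNO"),
    # Disallowed by default
    (re.compile(r"^", re.I), "REJECT 554 5.1.1 restricted address extension"),
]


def lookup(recipient):
    """Return the table action for a recipient, or None when nothing matches."""
    if not GUARD.search(recipient):
        return None  # no address extension: the table has no opinion
    for pattern, action in RULES:
        if pattern.search(recipient):
            return action
    return None


# Constructed sample recipients (not taken from the thread).
SAMPLES = [
    "user@example.com",                   # no extension
    "user+tag@example.com",               # extension, not an exception
    "user+tag",                           # bare +ext without a domain
    "first-exception+lists@example.com",  # listed exception
    "ANOTHER-EXCEPTION+x@example.com",    # exception, different case
    "first-exceptional+x@example.com",    # only resembles an exception
]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt:40} -> {lookup(rcpt) or '(no match)'}")
```

On a live system, `postmap -q` against the pcre table gives the authoritative answer for the same addresses.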