Re: SMTP relay only

From: mouss (no email)
Date: Sun Feb 15 2009 - 09:20:55 EST

  • Next message: Victor Duchovni: "Re: SMTP relay only"

    Rocco Scappatura wrote:
    > Hello,
    >
    > I need to setup a mail server for outgoing email only. I clearly would
    > like to restrict access to my networks only.
    >
    > Moreover, I would like to permit only some envelope senders to relay
    > email through such an MTA. And no other envelope sender should be able to
    > relay through this MTA.
    >
    > So the restriction classes are made so:
    >
    > smtpd_client_restrictions =
    > check_client_access
    > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf <-- this
    > lets me disable some content checking through filter (Amavisd-new). No
    > matter.
    >
    >
    > smtpd_helo_restrictions =
    > smtpd_sender_restrictions =
    >
    > smtpd_recipient_restrictions =
    > check_client_access
    > proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    > check_sender_access
    > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    > reject
    >

    If I understand you, you want something like:

    - if IP is in a list of allowed IPs, _and_ if sender is in a list of
    allowed senders, permit
    - anything else is rejected

    right?

    what you did above is
    - if IP .... _OR_ ...

    which is not the same thing. (I am assuming your maps return OK).

    you want

    smtpd_sender_restrictions =
         check_sender_access
            proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
         reject

    smtpd_recipient_restrictions =
         check_client_access
            proxy:mysql:/etc/postfix/mysql-check-client-access.cf
         reject

    This is also safer (if check_sender_access accidentally returns an OK,
    you don't become an open relay).

    > Please note that I use "check_client_access" restriction together with:
    >
    > mynetworks = /etc/postfix/relay
    >
    > to limit access to SMTP relay server per IP.
    >

    I don't understand this part. I see no permit_mynetworks in the snippet
    you posted.

    > [snip]
    > This configuration doesn't work. What is conceptually wrong in my
    > config?
    >
    > Finally, I would like to deny message delivery to my mail server. Would
    > it suffice to unset "relay_domains", or is doing so too
    > restrictive?
    >

    to disable "local" delivery, check the FIREWALL README.

    In addition, if you don't have relay domains, then set
    relay_domains =
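
The AND-versus-OR point in the reply above, as an added example that is not part of the original message and is not Postfix code: a simplified Python model of restriction-list evaluation, where the first OK or REJECT ends a list and a REJECT in any list refuses the mail. It assumes, as the reply does, that the maps return OK on a match and nothing otherwise; the addresses are constructed sample values.

```python
# Simplified model of Postfix smtpd access evaluation (illustration only).
# Constructed sample data standing in for the two MySQL maps in the thread.
ALLOWED_CLIENTS = {"192.0.2.10"}          # mysql-check-client-access.cf
ALLOWED_SENDERS = {"alice@example.com"}   # mysql-check-sender-access.cf

def check_client_access(msg):
    return "OK" if msg["client"] in ALLOWED_CLIENTS else "DUNNO"

def check_sender_access(msg):
    return "OK" if msg["sender"] in ALLOWED_SENDERS else "DUNNO"

def reject(msg):
    return "REJECT"

def eval_list(restrictions, msg):
    """Within one list, the first OK or REJECT ends evaluation of that list."""
    for restriction in restrictions:
        result = restriction(msg)
        if result != "DUNNO":
            return result
    return "DUNNO"

def accepts(config, msg):
    """Across lists, the mail goes through only if no list rejects it."""
    return all(eval_list(lst, msg) != "REJECT" for lst in config)

# Original post: both checks in smtpd_recipient_restrictions, sender list empty.
ORIGINAL = [
    [],                                                   # smtpd_sender_restrictions
    [check_client_access, check_sender_access, reject],   # smtpd_recipient_restrictions
]
# Reply: one check per list, each list ending in reject.
PROPOSED = [
    [check_sender_access, reject],                        # smtpd_sender_restrictions
    [check_client_access, reject],                        # smtpd_recipient_restrictions
]

def truth_table(config):
    """Map (client_allowed, sender_allowed) -> accepted?"""
    table = {}
    for client_ok in (True, False):
        for sender_ok in (True, False):
            msg = {"client": "192.0.2.10" if client_ok else "198.51.100.7",
                   "sender": "alice@example.com" if sender_ok else "mallory@example.net"}
            table[(client_ok, sender_ok)] = accepts(config, msg)
    return table

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, truth_table(cfg))
```

In the model, the original layout accepts mail from an unlisted client as long as the envelope sender is listed, while the split layout accepts only when both lookups match.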

