On Sat, Feb 03, 2024 at 05:52:17AM -0800, Dan Mahoney via Postfix-users wrote:

> We have an internal domain, zimbra.example.org, but it's only used for
> internal routing of our corporate mail (there's a master delivery map
> that controls what addresses at example.org route to
> zimbra.example.org). We have other domains under example.org such as
> list servers, ticket systems, and the like, many of which have
> example.org addresses pointing at them.
>
> Is there a way to reject mail destined to an internal domain (like
> zimbra.example.org) such that only our internal machines can deliver
> to it, but that any host on the outside gets an immediate reject
> notice from our border MXes?

That's the default behaviour, unless you list zimbra.example.org in one of:

- mydestination ("local" address class)
- relay_domains ("relay" address class)
- virtual_mailbox_domains ("virtual" address class)
- virtual_alias_domains ("virtual_alias" address class)

A "generic" domain is (soft) rejected by default:

    $ postconf -df smtpd_relay_restrictions
    smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} :
        {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}

Once a configuration is believed production-ready, the "defer" should be
changed to a hard-reject, and typically the "SASL" permit should be only on
ports 465 and/or 587.

    smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

The only non-obvious thing to keep in mind is that if you designate
"example.com" as a "relay" or "local" domain (mydestination), then

    $ postconf -df relay_domains parent_domain_matches_subdomains | sed -E 's/, */,\n /g'
    relay_domains = ${{$compatibility_level} <level {2} ? {$mydestination} : {}}
    parent_domain_matches_subdomains = debug_peer_list,
     fast_flush_domains,
     mynetworks,
     permit_mx_backup_networks,
     qmqpd_authorized_clients,
     relay_domains,
     smtpd_access_maps

all subdomains of "example.com" may also default to "relay" domains, if
"example.com" is either a "relay" domain or else a "local" domain and your
"compatibility_level" setting is less than "2". To avoid such a surprise:

- Make sure to use Postfix 3.0 (by now quite outdated) or later.
- Set compatibility level to 2 if running Postfix 3.0 through 3.5, or 3.6
  if 3.6 or later.
- Trim "parent_domain_matches_subdomains" to either empty (my advice), or,
  perhaps just:

    parent_domain_matches_subdomains = smtpd_access_maps

  if you like the convenience of always black/white-listing subdomains when
  you black/white-list a parent-domain.

I always set "mydestination" empty, and use virtual alias or virtual
mailbox domains. If I need some special addresses to be handled by the
local(8) transport, I rewrite them into an internal-only domain that is
mapped to "local" in the transport(5) table. The "local" transport is a
legacy Sendmail-compatibility interface, and should generally be avoided.

- Use virtual(5) aliases not local aliases(5).
- Use virtual(8) mailbox delivery, not local delivery.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
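The subdomain surprise in the reply above, worked through as an added example that is not part of the thread and is not Postfix code: a small Python model of how Postfix picks an address class for a recipient domain and what "permit_mynetworks, reject_unauth_destination" then does with it. The two configurations (LEGACY and HARDENED) are constructed for illustration; the model only covers the plain domain lists, not lookup tables or SASL, and the parent-domain matching rule is a simplification of what Postfix does.

```python
# Added example (not from the post or from Postfix): a model of Postfix
# address classes and the relay decision, enough to reproduce the
# "all subdomains become relay domains" surprise and the fix for it.

# Postfix default for parent_domain_matches_subdomains, as shown in the post.
DEFAULT_PDMS = (
    "debug_peer_list", "fast_flush_domains", "mynetworks",
    "permit_mx_backup_networks", "qmqpd_authorized_clients",
    "relay_domains", "smtpd_access_maps",
)


def domain_listed(domain, entries, parent_matches):
    """True if `domain` matches a Postfix domain list.

    "example.com" matches itself; ".example.com" matches only subdomains;
    and when the list's parameter is named in parent_domain_matches_subdomains
    (parent_matches=True), "example.com" also matches every subdomain."""
    d = domain.lower().rstrip(".")
    for entry in entries:
        e = entry.lower().rstrip(".")
        if e.startswith("."):
            if d.endswith(e):
                return True
        elif d == e or (parent_matches and d.endswith("." + e)):
            return True
    return False


def effective_relay_domains(cfg):
    """relay_domains defaults to $mydestination when compatibility_level < 2."""
    if "relay_domains" in cfg:
        return cfg["relay_domains"]
    if cfg.get("compatibility_level", 0) < 2:
        return cfg.get("mydestination", [])
    return []


def address_class(domain, cfg):
    """Return "local", "virtual_alias", "virtual", "relay", or "default"
    (the class Postfix gives a domain that is in none of the four lists)."""
    pdms = cfg.get("parent_domain_matches_subdomains", DEFAULT_PDMS)
    classes = [
        ("local", cfg.get("mydestination", []), "mydestination"),
        ("virtual_alias", cfg.get("virtual_alias_domains", []), "virtual_alias_domains"),
        ("virtual", cfg.get("virtual_mailbox_domains", []), "virtual_mailbox_domains"),
        ("relay", effective_relay_domains(cfg), "relay_domains"),
    ]
    for name, entries, param in classes:
        if domain_listed(domain, entries, param in pdms):
            return name
    return "default"


def relay_decision(domain, cfg, client_in_mynetworks):
    """smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination"""
    if client_in_mynetworks:
        return "accept"   # permit_mynetworks
    if address_class(domain, cfg) == "default":
        return "reject"   # reject_unauth_destination: not one of our domains
    return "accept"       # local/virtual/relay domain: authorized destination


# Constructed scenario 1: example.org listed in mydestination, relay_domains
# left at its default, old compatibility_level, default parent matching.
LEGACY = {
    "compatibility_level": 1,
    "mydestination": ["example.org"],
}

# Constructed scenario 2: the reply's advice as one concrete configuration:
# empty mydestination, a virtual alias domain, a modern compatibility_level,
# and parent_domain_matches_subdomains trimmed to smtpd_access_maps.
HARDENED = {
    "compatibility_level": 3.6,
    "mydestination": [],
    "virtual_alias_domains": ["example.org"],
    "parent_domain_matches_subdomains": ("smtpd_access_maps",),
}

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY), ("hardened", HARDENED)):
        cls = address_class("zimbra.example.org", cfg)
        outside = relay_decision("zimbra.example.org", cfg, client_in_mynetworks=False)
        print(f"{label}: zimbra.example.org is class {cls!r}; from outside: {outside}")
```

Under LEGACY the unlisted zimbra.example.org is classified "relay" purely because example.org is in mydestination, relay_domains inherits it, and relay_domains is subject to parent-domain matching; an outside client is therefore accepted. Raising compatibility_level alone already breaks that chain, and the HARDENED configuration leaves zimbra.example.org in the default class, so outside hosts are rejected while clients in mynetworks are still permitted.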