On Sat, Feb 03, 2024 at 05:52:17AM -0800, Dan Mahoney via Postfix-users wrote:
> We have an internal domain, zimbra.example.org, but it's only used for
> internal routing of our corporate mail (there's a master delivery map
> that controls what addresses at example.org route to
> zimbra.example.org).  We have other domains under example.org such as
> list servers, ticket systems, and the like, many of which have
> example.org addresses pointing at them.
> 
> Is there a way to reject mail destined to an internal domain (like
> zimbra.example.org) such that only our internal machines can deliver
> to it, but that any host on the outside gets an immediate reject
> notice from our border MXes?

That's the default behaviour, unless you list zimbra.example.org
in one of:

    - mydestination             ("local" address class)
    - relay_domains             ("relay" address class)
    - virtual_mailbox_domains   ("virtual" address class)
    - virtual_alias_domains     ("virtual_alias" address class)

A "generic" domain is (soft) rejected by default:

    $ postconf -df smtpd_relay_restrictions
    smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} :
        {permit_mynetworks, permit_sasl_authenticated,
        defer_unauth_destination}}

Once a configuration is believed production-ready, the "defer" should be
changed to a hard-reject, and typically the "SASL" permit should be only
on ports 465 and/or 587.

    smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

The only non-obvious thing to keep in mind is that if you designate
"example.com" as a "relay" or "local" domain (mydestination), then

    $ postconf -df relay_domains parent_domain_matches_subdomains | sed -E 's/, */,\n    /g'
    relay_domains = ${{$compatibility_level} <level {2} ? {$mydestination} : {}}
    parent_domain_matches_subdomains =
        debug_peer_list,
        fast_flush_domains,
        mynetworks,
        permit_mx_backup_networks,
        qmqpd_authorized_clients,
        relay_domains,
        smtpd_access_maps

all subdomains of "example.com" may also default to "relay" domains,
if "example.com" is either a "relay" domain or else a "local" domain and your
"compatibility_level" setting is less than "2".

To avoid such a surprise:

    - Make sure to use Postfix 3.0 (by now quite outdated) or later.

    - Set the compatibility level to 2 if running Postfix 3.0 through
      3.5, or to 3.6 if running 3.6 or later.

    - Trim "parent_domain_matches_subdomains" to either empty (my advice),
      or, perhaps just:

        parent_domain_matches_subdomains = smtpd_access_maps

      if you like the convenience of always black/white-listing
      subdomains when you black/white-list a parent domain.

I always set "mydestination" empty, and use virtual alias or virtual
mailbox domains.  If I need some special addresses to be handled by
the local(8) transport, I rewrite them into an internal-only
domain that is mapped to "local" in the transport(5) table.

The "local" transport is a legacy Sendmail-compatibility interface,
and should generally be avoided.

    - Use virtual(5) aliases, not local aliases(5).
    - Use virtual(8) mailbox delivery, not local delivery.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
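As an added example (not code from the thread, nor from Postfix itself), a small Python model of the address-class decision Viktor describes: how relay_domains defaults to $mydestination below compatibility level 2, how parent_domain_matches_subdomains turns a bare "example.org" into a match for every subdomain, and what "permit_mynetworks, reject_unauth_destination" then does with a recipient at zimbra.example.org. The domain names are constructed sample values; the defaults are the ones printed by postconf above.

```python
# Added model of the Postfix relay-domain matching rules described above (constructed data).

# Default as printed by "postconf -df parent_domain_matches_subdomains".
DEFAULT_PDMS = ("debug_peer_list", "fast_flush_domains", "mynetworks",
                "permit_mx_backup_networks", "qmqpd_authorized_clients",
                "relay_domains", "smtpd_access_maps")

def effective_relay_domains(relay_domains, mydestination, compatibility_level):
    """${{$compatibility_level} <level {2} ? {$mydestination} : {}}"""
    if relay_domains is not None:
        return list(relay_domains)
    return list(mydestination) if compatibility_level < 2 else []

def domain_matches(domain, patterns, parent_matches_subdomains):
    """Bare names match themselves (plus subdomains if enabled); ".name" matches subdomains only."""
    domain = domain.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if domain.endswith(pat):
                return True
        elif domain == pat:
            return True
        elif parent_matches_subdomains and domain.endswith("." + pat):
            return True
    return False

def relay_decision(recipient_domain, *, client_in_mynetworks, mydestination=(),
                   relay_domains=None, compatibility_level=3.6,
                   parent_domain_matches_subdomains=DEFAULT_PDMS):
    """Outcome of "permit_mynetworks, reject_unauth_destination" for one RCPT TO.
    mydestination is matched exactly: it is not in the parent-domain list."""
    if client_in_mynetworks:
        return "permit"  # permit_mynetworks
    if domain_matches(recipient_domain, mydestination, False):
        return "permit"  # "local" address class
    relay = effective_relay_domains(relay_domains, mydestination, compatibility_level)
    subdomains = "relay_domains" in parent_domain_matches_subdomains
    if domain_matches(recipient_domain, relay, subdomains):
        return "permit"  # "relay" address class
    return "reject"      # reject_unauth_destination

# The thread's surprise: level < 2 plus example.org in mydestination relays every subdomain.
SURPRISE = relay_decision("zimbra.example.org", client_in_mynetworks=False,
                          mydestination=["example.org"], compatibility_level=1)
# Trimming parent_domain_matches_subdomains (or level >= 2) closes the hole.
FIXED = relay_decision("zimbra.example.org", client_in_mynetworks=False,
                       mydestination=["example.org"], compatibility_level=1,
                       parent_domain_matches_subdomains=("smtpd_access_maps",))
```

SURPRISE evaluates to "permit" and FIXED to "reject"; an internal client (client_in_mynetworks=True) is permitted in every case, which is the behaviour the question asks for.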