an...@iguanait.com wrote:
> Hi,
>
> i have a question about using smtpd_sender_logins_map,
> reject_sender_login_mismatch and check_client_access.
>
> I set smtpd_sender_logins_map and set these rules in sender
> restrictions:
>
> smtpd_sender_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_sender_access hash:/etc/postfix/access,

if this map contains an "OK", then you are an open relay. better move
these checks to smtpd_sender_restrictions.

> check_client_access cidr:/etc/postfix/access_client,
> reject_sender_login_mismatch,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain,
> reject_unauth_pipelining,
> permit
>
>
> The file /etc/postfix/access_client contains the ip addresses that i
> permit to pass reject_sender_login_mismatch rule.
>
> But i have a question about this.
>
> In this case these ips can use my email address to send messages to me.
> I don't want this to be possible. I want to permit the ips, but also I
> want them to be allowed to send mail only if they do so from a specific
> domain, for example @igdomain.com. So, I need to filter mail sending not
> only by IPs, but by domain name at the same time - even if an IP is
> permitted in /etc/postfix/access_client, it still should not be able to
> send mail if the sender domain is different from @igdomain.com.
>

if the domain depends on the IP, you need a policy server. if not, use
restriction classes as Noel suggested.

> This is an example:
>
> Lets say that we have permitted this IP in access_client 198.236.125.7
> and i have 2 domains that i manage emails for:
> domain1.com
> domain2.com
>
> Lets say that we have 2 email addresses, one per domain.
> an...@domain1.com
> i...@domain2.com
>
> The current situation with only permitted ip address is this:
>
> This ip connects to my mail server and send to an...@domain1.com or
> i...@domain2.com, message from i...@domain2.com and/or an...@domain1.com
> without requiring authentication.
>
> It can use both e-mail addresses in MAIL FROM and it can send spam.
>

if an IP "can send spam", why whitelist it? if you need to (customers,
...), use a dedicated port (or IP) and have a specific configuration.
otherwise, your config would quickly become too complicated. with a
dedicated (ip, port), you can use a specific content filter, you can
rate limit, ... etc.

> I want to achieve the following:
>
> I permit this ip in access_client file and it connects.
> And we have 2 conditions:
>
> 1. If it tries to send email to an...@domain1.com or i...@domain2.com
> using an...@domain1.com in MAIL FROM field, then it must be rejected,
> because it is not authenticated and i don't want this ip to use my email
> address to send message to me or someone else in my system.
>
> 2. If it tries to send email to an...@domain1.com, or i...@domain2.com
> using i...@domain2.com in MAIL FROM field, then this should be allowed
> (permitted) and in this situation it should pass
> reject_sender_login_mismatch rule and send message successfully.
>

what is the purpose of putting i...@domain2.com in
smtpd_sender_logins_map?

>
> I suppose it is almost clear :)
>
> Is it possible for this to be realized, and how?
>
>
> Thanks in advance!
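
The policy-server route mentioned in the reply, as an added example that is not part of the thread: a small Postfix policy delegation service in Python that lets a listed client IP use only its own sender domain. The table contents, the function names and the placement (in smtpd_sender_restrictions ahead of reject_sender_login_mismatch, run under spawn(8)) are assumptions.

```python
import sys

# Constructed table: client IP -> sender domains it may use unauthenticated.
# The IP and domain are the ones used as the example in the thread.
ALLOWED = {"198.236.125.7": {"domain2.com"}}


def parse_request(lines):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the access(5) action for one request."""
    domains = ALLOWED.get(attrs.get("client_address", ""))
    if domains is None or attrs.get("sasl_username"):
        return "DUNNO"  # unlisted client or authenticated: later rules decide
    sender = attrs.get("sender", "")
    if not sender:
        return "DUNNO"  # null sender (bounce): leave to the other restrictions
    _local, at, domain = sender.rpartition("@")
    if at and domain.lower() in domains:
        # OK ends the restriction list this check is placed in, so the listed
        # client skips reject_sender_login_mismatch for this domain only.
        return "OK"
    return "REJECT sender domain not allowed for this client"


def main():
    # Under spawn(8), Postfix talks to the policy server over stdin/stdout.
    while True:
        attrs = parse_request(iter(sys.stdin.readline, ""))
        if not attrs:
            break
        sys.stdout.write("action=%s\n\n" % decide(attrs))
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```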