Hi, thanks for the reply.

Sorry, I didn't understand what you meant here:

> > restrictions:
> > 
> > smtpd_sender_restrictions =
> >         permit_mynetworks,
> >         permit_sasl_authenticated,
> >         check_sender_access hash:/etc/postfix/access,
> 
> if this map contains an "OK", then you are an open relay.
> 
> better move these checks to smtpd_sender_restrictions.
> 
> 

In /etc/postfix/access_client we have a few IPs that we permit with "OK".
Yes, probably restriction classes will do the job that I want.
smtp_sender_logins_map is set to an ldap-query file. So it contains all our
users. This is why i...@domain2.com is in the list. I'm reading now
about the classes.


> if an IP "can send spam", why whitelist it? if you need to (customers,
> ...), use a dedicated port (or IP) and have a specific configuration.
> otherwise, your config would quickly become too complicated. with a
> dedicated (ip, port), you can use a specific content filter, you can
> rate limit, ... etc.

Who knows what users are behind this server. If they have an infected PC,
then it is possible to send spam to me :)

On Sat, 2009-02-14 at 07:05 -0500, Digest of postfix-users list wrote:
> Date: Fri, 13 Feb 2009 21:32:00 +0100
> From: mouss <mo...@ml.netoyen.net>
> Subject: Re: Question about smptd_sender_logins_map and allow to use
> only for   several domains?
> 
> an...@iguanait.com wrote:
> > Hi,
> > 
> > I have a question about using smtpd_sender_logins_map,
> > reject_sender_login_mismatch and check_client_access.
> > 
> > I set smtpd_sender_logins_map and set these rules in sender
> > restrictions:
> > 
> > smtpd_sender_restrictions =
> >         permit_mynetworks,
> >         permit_sasl_authenticated,
> >         check_sender_access hash:/etc/postfix/access,
> 
> if this map contains an "OK", then you are an open relay.
> 
> better move these checks to smtpd_sender_restrictions.
> 
> >         check_client_access cidr:/etc/postfix/access_client,
> >         reject_sender_login_mismatch,
> >         reject_non_fqdn_sender,
> >         reject_unknown_sender_domain,
> >         reject_unauth_pipelining,
> >         permit
> > 
> > 
> > The file /etc/postfix/access_client contains the IP addresses that I
> > permit to pass the reject_sender_login_mismatch rule.
> > 
> > But I have a question about this.
> > 
> > In this case these IPs can use my email address to send messages to me.
> > I don't want this to be possible. I want to permit the IPs, but also I
> > want them to be allowed to send mail only if they do so from a specific
> > domain, for example @igdomain.com. So, I need to filter mail sending not
> > only by IPs, but by domain name at the same time - even if an IP is
> > permitted in /etc/postfix/access_client, it still should not be able to
> > send mail if the sender domain is different from @igdomain.com.
> > 
> 
> 
> if the domain depends on the IP, you need a policy server. if not, use
> restriction classes as Noel suggested.
> 
> > This is an example:
> > 
> > Let's say that we have permitted this IP in access_client: 198.236.125.7
> > and I have 2 domains that I manage emails for:
> > domain1.com
> > domain2.com
> > 
> > Let's say that we have 2 email addresses, one per domain.
> > an...@domain1.com
> > i...@domain2.com
> > 
> > The current situation with only the permitted IP address is this:
> > 
> > This IP connects to my mail server and sends to an...@domain1.com or
> > i...@domain2.com a message from i...@domain2.com and/or an...@domain1.com
> > without requiring authentication.
> > 
> > It can use both e-mail addresses in MAIL FROM and it can send spam.
> > 
> 
> if an IP "can send spam", why whitelist it? if you need to (customers,
> ...), use a dedicated port (or IP) and have a specific configuration.
> otherwise, your config would quickly become too complicated. with a
> dedicated (ip, port), you can use a specific content filter, you can
> rate limit, ... etc.
> 
> > I want to achieve the following:
> > 
> > I permit this IP in the access_client file and it connects.
> > And we have 2 conditions:
> > 
> > 1. If it tries to send email to an...@domain1.com or i...@domain2.com
> > using an...@domain1.com in the MAIL FROM field, then it must be rejected,
> > because it is not authenticated and I don't want this IP to use my email
> > address to send a message to me or someone else in my system.
> > 
> > 2. If it tries to send email to an...@domain1.com or i...@domain2.com
> > using i...@domain2.com in the MAIL FROM field, then this should be allowed
> > (permitted) and in this situation it should pass the
> > reject_sender_login_mismatch rule and send the message successfully.
> > 
> 
> what is the purpose of putting i...@domain2.com in
> smtpd_sender_logins_map?
> 
> > 
> > I suppose it is almost clear :)
> > 
> > Is it possible to realize this, and how?
> > 
> > 
> > Thanks in advance!
> > 
> > 
> 
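
The restriction-class approach suggested in the quoted reply, sketched as an added example that is not part of the original thread or anyone's actual configuration. The class name `from_igdomain_only` and the table `/etc/postfix/igdomain_senders` are hypothetical; the IP, the domain and the other file paths are the ones used in the question.

```conf
# --- /etc/postfix/main.cf ---
# Declare the class name (hypothetical) so that access tables may return it.
smtpd_restriction_classes = from_igdomain_only

# Inside the class: accept only senders listed in the table, reject the rest.
from_igdomain_only =
        check_sender_access hash:/etc/postfix/igdomain_senders,
        reject

# Same list as in the question; only the contents of access_client change.
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/access,
        check_client_access cidr:/etc/postfix/access_client,
        reject_sender_login_mismatch,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        permit

# --- /etc/postfix/access_client (cidr table) ---
# Before: 198.236.125.7/32   OK
#   A blanket OK ends smtpd_sender_restrictions for this client, so any
#   MAIL FROM (including an...@domain1.com) skips reject_sender_login_mismatch.
# After: hand the client to the class instead.
198.236.125.7/32        from_igdomain_only

# --- /etc/postfix/igdomain_senders (hash table; run postmap after editing) ---
# Only this sender domain gets OK; every other MAIL FROM from the
# whitelisted client hits the class's final "reject".
igdomain.com            OK

# Notes:
# - OK here only ends the sender restriction list. Relay control still has
#   to be enforced in smtpd_recipient_restrictions (reject_unauth_destination).
# - MAIL FROM is an unauthenticated claim; this limits which sender domain
#   the whitelisted IP may claim, it does not verify who is behind that IP.
```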
