Ali Nebi wrote:
> Hi, thanks for the reply.
>
> Sorry I didn't understand what you meant here:
>
>>> restrictions:
>>>
>>> smtpd_sender_restrictions =
>>>     permit_mynetworks,
>>>     permit_sasl_authenticated,
>>>     check_sender_access hash:/etc/postfix/access,
>> if this map contains an "OK", then you are an open relay.
>>

I meant that if you have a line like
    mydomain.example OK
in /etc/postfix/access, then anyone gets free relay by forging an address in this domain. In short, avoid putting check_sender_access in smtpd_recipient_restrictions before reject_unauth_destination.

>> better move these checks to smtpd_sender_restrictions.
>>
>>
>
> in /etc/postfix/access_client we have few ips that we permit with "OK".

my remark applies to maps used in check_sender_access, because a sender address is easily forged.

> Yes, probably restriction classes will do the job that I want.
> smtp_sender_logins_map is set to ldap-query file. So it contains all our
> users. This is why i...@domain2.com is in the list. I'm reading now
> about the classes.
>
>
>> if an IP "can send spam", why whitelist it? if you need to (customers,
>> ...), use a dedicated port (or IP) and have a specific configuration.
>> otherwise, your config would quickly become too complicated. with a
>> dedicated (ip, port), you can use a specific content filter, you can
>> rate limit, ... etc.
>
> Who knows what users are behind this server. If they have an infected PC
> then, it is possible to send spam to me :)
>
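
The ordering problem described in this reply can be checked mechanically. The following is an added example, not part of the original message: a small audit that flags any check_sender_access map containing an "OK" entry when it is evaluated before reject_unauth_destination. The function names and the sample map and restriction lists are constructed for illustration, and it assumes relay control lives in smtpd_recipient_restrictions as in this thread.

```python
import re

def parse_restrictions(value):
    """Split a main.cf restriction list into [(name, map_argument_or_None), ...]."""
    out = []
    for tok in (t for t in re.split(r"[,\s]+", value) if t):
        # Simplification: only check_* restrictions are treated as taking an argument.
        if out and out[-1][0].startswith("check_") and out[-1][1] is None:
            out[-1] = (out[-1][0], tok)   # e.g. hash:/etc/postfix/access
        else:
            out.append((tok, None))
    return out

def permit_keys(map_text):
    """Return the lookup keys whose action is OK in an access table's source text."""
    keys = []
    for line in map_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#") and parts[1].upper() == "OK":
            keys.append(parts[0])
    return keys

def audit(recipient_restrictions, maps):
    """List sender maps that can accept mail before reject_unauth_destination runs."""
    findings = []
    for name, arg in parse_restrictions(recipient_restrictions):
        if name == "reject_unauth_destination":
            break  # later checks are only reached for authorized destinations
        if name == "check_sender_access":
            keys = permit_keys(maps.get(arg, ""))
            if keys:  # a forged sender matching one of these keys gets relay
                findings.append((arg, keys))
    return findings

# Constructed sample data: map contents keyed by the map name used in main.cf.
MAPS = {"hash:/etc/postfix/access": "# sample\nmydomain.example  OK\nspammer.example  REJECT\n"}

WEAK = """permit_mynetworks, permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination"""
SAFE = """permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/access"""

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("safe", SAFE)):
        print(label, audit(value, MAPS))
```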