Rocco Scappatura wrote:
> Hello,
> 
> I need to setup a mail server for outgoing email only. I clearly would
> like to restrict access to my networks only.
> 
> Moreover, I would like to permit only some envelope senders to relay
> email through such an MTA. And no other envelope sender should be able to
> relay through this MTA.
> 
> So the restriction classes are made so:
> 
> smtpd_client_restrictions =
>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
> <-- this lets me disable some content checking through filter (Amavisd-new). No
> matter.
> 
> 
> smtpd_helo_restrictions =
> smtpd_sender_restrictions =
> 
> smtpd_recipient_restrictions =
>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>     check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>     reject
> 

If I understand you, you want something like:

- if IP is in a list of allowed IPs, _and_ if sender is in a list of
allowed senders, permit
- anything else is rejected

right?

what you did above is
- if IP .... _OR_ ...

which is not the same thing. (I am assuming your maps return OK).

you want

smtpd_sender_restrictions =
     check_sender_access        
        proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
     reject

smtpd_recipient_restrictions =
     check_client_access
        proxy:mysql:/etc/postfix/mysql-check-client-access.cf
     reject

This is also safer (if check_sender_access accidentally returns an OK,
you don't become an open relay).


> Please note that I use "check_client_access" restriction together with:
> 
> mynetworks = /etc/postfix/relay
> 
> to limit access to SMTP relay server per IP.
> 

I don't understand this part. I see no permit_mynetworks in the snippet
you posted.


> [snip]
> This configuration doesn't work. What is conceptually wrong in my
> config?
> 
> Finally I would like to deny message delivery to my mail server.. It
> should suffice to unset "relay_domains" or it is too restrictive doing
> so?
> 

to disable "local" delivery, check the FIREWALL README.

In addition, if you don't have relay domains, then set
relay_domains =
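
Added example, not part of the original message: a small Python model of how smtpd walks its restriction lists, run over the recipient list as posted and over the two-list layout suggested in the reply. The two sets stand in for the MySQL maps (assumed to return OK on a match), the addresses are constructed, and the content-filter client list from the question is left out.

```python
# Simplified model of how Postfix smtpd walks its restriction lists.
# Constructed data: these sets stand in for the two MySQL maps returning OK.
ALLOWED_CLIENTS = {"192.0.2.10"}
ALLOWED_SENDERS = {"app@example.com"}

def check_client_access(msg):
    return "OK" if msg["client"] in ALLOWED_CLIENTS else "DUNNO"

def check_sender_access(msg):
    return "OK" if msg["sender"] in ALLOWED_SENDERS else "DUNNO"

def reject(msg):
    return "REJECT"

def evaluate(config, msg):
    """Lists run in order client, helo, sender, recipient. Inside one list the
    first OK ends that list (an OR of its checks); a REJECT in any list refuses
    the mail, so separate lists combine as an AND."""
    for stage in ("client", "helo", "sender", "recipient"):
        for restriction in config.get(stage, []):
            result = restriction(msg)
            if result == "REJECT":
                return "REJECT"
            if result == "OK":
                break          # list satisfied, move on to the next list
    return "PERMIT"

# Recipient list as posted in the question: both checks in one list.
ORIGINAL = {"recipient": [check_client_access, check_sender_access, reject]}
# Layout from the reply: one check per list, each followed by reject.
SUGGESTED = {"sender": [check_sender_access, reject],
             "recipient": [check_client_access, reject]}

# Constructed test messages: client IP and envelope sender.
CASES = [
    {"client": "192.0.2.10", "sender": "app@example.com"},     # both listed
    {"client": "192.0.2.10", "sender": "other@example.net"},   # client only
    {"client": "203.0.113.7", "sender": "app@example.com"},    # sender only
    {"client": "203.0.113.7", "sender": "other@example.net"},  # neither
]

def decisions(config):
    return [evaluate(config, msg) for msg in CASES]

if __name__ == "__main__":
    for msg, old, new in zip(CASES, decisions(ORIGINAL), decisions(SUGGESTED)):
        print(f'{msg["client"]:<12} {msg["sender"]:<18} original={old:<7} suggested={new}')
```

The "sender only" row is the one to watch: with both checks in one list, an unlisted client that presents a listed envelope sender is relayed.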


