> Rocco Scappatura wrote:
>> Hello,
>>
>> I need to setup a mail server for outgoing email only. I clearly would
>> like to restrict access to my networks only.
>>
>> Moreover, I would like to permit only to some envelope senders to relay
>> email through such an MTA. And no other envelope sender should be able to
>> relay through this MTA.
>>
>> So the restriction classes are made so:
>>
>> smtpd_client_restrictions =
>>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>> <-- this let me disable some content checking through filter (Amavisd-new). No
>> matter.
>>
>>
>> smtpd_helo_restrictions =
>> smtpd_sender_restrictions =
>>
>> smtpd_recipient_restrictions =
>>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>>     check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>     reject
>>
>
> If I understand you, you want something like:
>
> - if IP is in a list of allowed IPs, _and_ if sender is in a list of
> allowed sender, permit
> - anything else is rejected
>
> right?

yes, exactly.

> what you did above is
> - if IP .... _OR_ ...
>
> which is not the same thing. (I am assuming your maps return OK).
>
> you want
>
> smtpd_sender_restrictions =
>      check_sender_access
>       proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>      reject
>
> smtpd_recipient_restrictions =
>      check_client_access
>       proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>      reject
>
> This is also safer (if check_sender_access accidentally returns an OK,
> you don't become an open relay).

Now I have understood quite all. I've tried new config and works pretty well!

>> Please note that I use "check_client_access" restriction together with:
>>
>> mynetworks = /etc/postfix/relay
>>
>> to limit access to SMTP relay server per IP.
>>
>
> I don't understand this part. I see no permit_mynetworks in the snippet
> you posted.
>

In fact, I haven't reported it.. I just forgot! :-(

smtpd_recipient_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    reject

This should be ok!


>> [snip]
>> This configuration doesn't work. What is conceptually wrong in my
>> config?
>>
>> Finally I would like to deny message delivery to my mail server.. It
>> should suffice to unset "relay_domains" or it is too restrictive doing
>> so?
>>
>
> to disable "local" delivery, check the FIREWALL README.

:-)

> In addition, if you don't have relay domains, then set
> relay_domains =

Indeed, I don't want to do so for delivery efficiency rights! In fact if I
set:

relay_domains =

every message destined to my domain goes on another mail server of mine that
accepts email for that domain, and then is delivered to the post office.
While, actually now the email for one of my domain is delivered quickly to
the postoffice specified as transport for that domain.

Maybe the best solution is to deny "incoming" (from outside of my network)
connection on port 25..

thanks,

rocsca
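
The OR-versus-AND difference discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how Postfix evaluates restriction lists. The map contents, IP addresses and sender addresses are constructed placeholders, and the maps are assumed to return OK on a match.

```python
# Simplified model of Postfix smtpd_*_restrictions evaluation (added example).
# Constructed sample data: these sets stand in for the MySQL lookup tables.
ALLOWED_CLIENTS = {"192.0.2.10"}            # mysql-check-client-access.cf
ALLOWED_SENDERS = {"billing@example.com"}   # mysql-check-sender-access.cf

def check_client_access(client, sender):
    return "OK" if client in ALLOWED_CLIENTS else "DUNNO"

def check_sender_access(client, sender):
    return "OK" if sender in ALLOWED_SENDERS else "DUNNO"

def reject(client, sender):
    return "REJECT"

def eval_list(restrictions, client, sender):
    """One list: the first OK or REJECT ends it; DUNNO falls through."""
    for restriction in restrictions:
        result = restriction(client, sender)
        if result != "DUNNO":
            return result
    return "OK"  # end of list without a decision: this list does not object

def accepted(config, client, sender):
    """Every list must pass; an OK in one list does not skip the others."""
    return all(eval_list(lst, client, sender) == "OK" for lst in config)

ORIGINAL = [  # both lookups in one recipient list: client OR sender
    [check_client_access, check_sender_access, reject],
]
SPLIT = [     # one lookup per list: sender AND client
    [check_sender_access, reject],   # smtpd_sender_restrictions
    [check_client_access, reject],   # smtpd_recipient_restrictions
]

def matrix(config):
    """Decision for every combination of known/unknown client and sender."""
    cases = [(c, s) for c in ("192.0.2.10", "203.0.113.7")
             for s in ("billing@example.com", "other@example.net")]
    return {case: accepted(config, *case) for case in cases}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("split", SPLIT)):
        for (c, s), ok in matrix(cfg).items():
            verdict = "permit" if ok else "reject"
            print(f"{name:8} client={c:12} sender={s:20} -> {verdict}")
```

With the single list, an unlisted client using a listed sender address is still permitted; with the split lists only the listed client with a listed sender passes.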

