On Sun, Oct 15, 2023 at 11:40:57AM -0400, Viktor Dukhovni via Postfix-users 
wrote:

> > This is rather straightforward with access(5) rules:
> > 
> >     smtpd_restriction_classes = reject_unfiltered
> > 
> >     # Allow the filtering service IPv4/IPv6 CIDR blocks and reject
> >     # everything else.
> >     reject_unfiltered =
> >         check_client_access cidr:{
> >             {192.0.2.0/24               permit_auth_destination},
> >             {2001:db8:feed:cafe::/64    permit_auth_destination},
> >             {0.0.0.0/0                  REJECT 5.7.1 MX bypass attempt},
> >             {::/0                       REJECT 5.7.1 MX bypass attempt}
> >         }
> > 
> >     # If large enough, or changes more than rarely, use an access(5)
> >     # table ("cdb", "hash", ...) instead.  Assumes smtpd_delay_reject
> >     # is not changed from "yes" default.
> >     #
> >     smtpd_client_restrictions =
> >         check_recipient_access inline:{
> >             {filtered1.example = reject_unfiltered},
> >             {filtered2.example = reject_unfiltered}
> >         }
>
> OK, in this example, where would I specify which domains must go through the 
> spam filter?

Replace the names "filtered1.example", "filtered2.example", ... with the
names of the domains that are accepted only from the filter services.

> These domains MUST go through the spam filter: domain1.com domain2.net

    smtpd_client_restrictions =
        check_recipient_access inline:{
            {domain1.com = reject_unfiltered},
            {domain2.net = reject_unfiltered}
        }


> These can be delivered directly WITHOUT going through the spam filters: 
> bypass1.com bypass2.net

They don't need to be specifically mentioned.

> Would this be put into a hash table or in place of the
> filtered1.example in your config?

Whether to use a hash table for the recipient access checks, or not, is
up to you.

  main.cf:
    indexed = ${default_database_type}:${config_directory}/
    smtpd_client_restrictions =
        check_recipient_access ${indexed}filtered

  filtered:
    domain1.com reject_unfiltered
    domain2.net reject_unfiltered

The client access lookup could also be configured in a separate file,
but not a "postmapped" indexed table; "cidr" tables stay in source form.

  main.cf:
    reject_unfiltered =
        check_client_access cidr:reject_unfiltered.cidr

  reject_unfiltered.cidr:
    192.0.2.0/24               permit_auth_destination
    2001:db8:feed:cafe::/64    permit_auth_destination
    0.0.0.0/0                  REJECT 5.7.1 MX bypass attempt
    ::/0                       REJECT 5.7.1 MX bypass attempt

-- 
    Viktor.
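
The decision flow of the configuration above, modeled in Python as an added example (not part of the original message and not Postfix code). The function names are hypothetical, the sample client addresses are constructed, and recipient matching is simplified to the exact domain.

```python
import ipaddress

# Constructed data mirroring reject_unfiltered.cidr and the "filtered" table.
CIDR_TABLE = [
    ("192.0.2.0/24", "permit_auth_destination"),
    ("2001:db8:feed:cafe::/64", "permit_auth_destination"),
    ("0.0.0.0/0", "REJECT 5.7.1 MX bypass attempt"),
    ("::/0", "REJECT 5.7.1 MX bypass attempt"),
]
FILTERED = {
    "domain1.com": "reject_unfiltered",
    "domain2.net": "reject_unfiltered",
}


def cidr_lookup(client_ip, table=CIDR_TABLE):
    """Return the action of the first matching pattern, or None.

    cidr: tables are searched in file order, so the catch-all REJECT
    lines must come after the filter-service networks.
    """
    addr = ipaddress.ip_address(client_ip)
    for pattern, action in table:
        net = ipaddress.ip_network(pattern)
        if addr.version == net.version and addr in net:
            return action
    return None


def evaluate(client_ip, recipient):
    """Model check_recipient_access followed by the reject_unfiltered class.

    Assumption: only the exact recipient domain is looked up; Postfix's
    additional access(5) lookup keys are not modeled here.
    """
    domain = recipient.rpartition("@")[2].lower()
    if FILTERED.get(domain) != "reject_unfiltered":
        return "DUNNO"  # unlisted domain: later restrictions decide
    return cidr_lookup(client_ip) or "DUNNO"


if __name__ == "__main__":
    for ip, rcpt in [
        ("192.0.2.25", "user@domain1.com"),       # filter service -> accepted
        ("198.51.100.7", "user@domain1.com"),     # direct-to-MX -> rejected
        ("198.51.100.7", "user@bypass1.com"),     # unlisted domain -> untouched
    ]:
        print(ip, rcpt, "->", evaluate(ip, rcpt))
```
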