Eric Williams:
>
> On Jan 5, 2010, at 9:57 AM, Wietse Venema wrote:
>
> > Eric Williams:
> >> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner
> >> <[email protected]> wrote:
> >>
> >>> Eric Williams put forth on 1/5/2010 8:02 AM:
> >>>
> >>>> I would like to apply the same access list so that users sending mail
> >>> through this server can only reach those same domains.
> >>>>
> >>>> I've tried lots of recipient checking configs but nothing works so far.
> >>> I'd rather not do this with the firewall, keeping the whitelist monitored
> >>> by
> >>> postfix only.
> >>>
> >>> So you want a dedicated smtp relay server that will only transfer mail
> >>> between a
> >>> handful of domains?
> >
> > You could use a tool such as Fail2Ban to watch the maillog file
> > and update a Postfix access table.
> >
> > The steps would be
> >
> > 1) See if the domain is already in the Postfix access table.
> > 2) Add the domain.
> > 3) Rebuild the table.
> >
> > Example add-domain script:
> >
> > #!/bin/sh
> >
> > # usage: add-domain name
> >
> > case $# in
> >   1) postmap -q "$1" the-postfix-access-table >/dev/null || {
> >          echo "$1" OK >>the-postfix-access-table
> >          postmap the-postfix-access-table
> >      };;
> >   *) echo Usage: $0 domainame 1>&2; exit 1;;
> > esac
> >
> > If you handle lots of mail you will want to read and update the
> > database files without running postmap commands for each email
> > logfile record.
> >
> > Wietse
>
>
>
> This is great info. I'll look into applying that in some form.
>
> I think what I'm still missing is the proper restriction in the
> smtpd_recipient_restrictions section to restrict the outgoing mail.
>
> check_sender_access hash:/etc/postfix/access
>
> works for incoming blocking. I haven't found the right config for the
> blocking.
>
> If it is implied in your response I apologize for my inexperience with this.

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/sender_access
    reject

Wietse
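
The quoted remark about not running postmap for each logfile record, as an added example that is not part of the original thread: a batch form of the three add-domain steps that validates names read from stdin, appends only the new ones, and rebuilds the table once. The function names and the TABLE and POSTMAP variables are assumptions; the default table path is the one used in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread. TABLE and POSTMAP are assumed names;
# override them to match the installation.
TABLE=${TABLE:-/etc/postfix/sender_access}
POSTMAP=${POSTMAP:-postmap}

# valid_domain NAME: succeed only for a plain lower-case DNS name.
# Names scraped from a maillog are untrusted input, so anything that could
# smuggle extra fields or lines into the access table is refused.
valid_domain() {
    case $1 in
        ''|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;   # empty or misplaced . and -
        *[!a-z0-9.-]*) return 1 ;;                   # spaces, slashes, etc.
        *.*) [ ${#1} -le 253 ] ;;                    # needs a dot, bounded length
        *) return 1 ;;
    esac
}

# add_domains: read one domain per line on stdin, append the ones not yet
# listed to $TABLE as "name OK", rebuild the map once, print the count added.
add_domains() {
    added=0
    [ -f "$TABLE" ] || : >"$TABLE"
    while IFS= read -r name; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        valid_domain "$name" || continue
        # Step 1: already in the table? Compare against each line's first field.
        awk -v d="$name" 'tolower($1) == d { f = 1 } END { exit !f }' "$TABLE" &&
            continue
        # Step 2: add the domain.
        printf '%s OK\n' "$name" >>"$TABLE"
        added=$((added + 1))
    done
    # Step 3: rebuild the table once for the whole batch, only if it changed.
    if [ "$added" -gt 0 ]; then
        "$POSTMAP" "$TABLE" >&2 || return 1
    fi
    echo "$added"
}
```
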