Victor Duchovni:
> On Mon, Jan 18, 2010 at 07:01:45PM +0200, Henrik K wrote:
> 
> > I think I prefer a separate daemon that tails postfix log and greps all
> > to=xxx, relay=xxx info and passes it to the policy daemon. That way the
> > policy daemon doesn't need to have a big DNS mess to resolve all the
> > recipient MX ips.
> 
> MX IPs have nothing to do with it. A sender's sending IP often bears
> little relation to the IP where mail for the same address is delivered.
> 
> If you whitelist an outside sender address for a given internal recipient
> (original sender), no IP or DNS information is appropriate or required.

Note that Victor is talking about sender-receiver PAIRS. It would
be a bad idea to accept all mail that pretends to be from a
whitelisted sender address.

If you don't whitelist sender-receiver PAIRS, then you need to
restrict the network blocks that may use a whitelisted sender
address, and guessing the /24 (or even /16) is a start.

        Wietse
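
Added example, not part of the thread and not Postfix code: a sketch of the two whitelisting options discussed above. It learns (outside address, internal sender) pairs from outbound log lines joined on the queue ID, then answers a Postfix policy delegation request. The sample log lines, the function names and the `pairs_only` switch are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample log lines in Postfix's usual layout (not from the thread).
SAMPLE_LOG = """\
Jan 18 19:00:01 mx postfix/qmgr[911]: 4F1A2B3C: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Jan 18 19:00:02 mx postfix/smtp[955]: 4F1A2B3C: to=<bob@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.1, dsn=2.0.0, status=sent (250 ok)
"""

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
# IPv4 relays only, to keep the sketch short.
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]*)>, relay=\S+\[([\d.]+)\]:\d+.*status=sent")

def learn(log_text):
    """Return (pairs, nets): (outside address, internal address) pairs and a
    guessed /24 per outside address, joining from= and to= on the queue ID."""
    senders, pairs, nets = {}, set(), {}
    for line in log_text.splitlines():
        if m := FROM_RE.search(line):
            senders[m.group(1)] = m.group(2).lower()
        elif m := TO_RE.search(line):
            qid, rcpt, relay_ip = m.groups()
            if qid in senders:
                pairs.add((rcpt.lower(), senders[qid]))
                net = ipaddress.ip_network(relay_ip + "/24", strict=False)
                nets.setdefault(rcpt.lower(), set()).add(net)
    return pairs, nets

def parse_request(text):
    """Parse one name=value policy request, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, pairs, nets, pairs_only=True):
    """Pair match needs no IP or DNS data; sender-only mode needs a netblock."""
    sender = attrs.get("sender", "").lower()
    rcpt = attrs.get("recipient", "").lower()
    if (sender, rcpt) in pairs:
        return "action=OK\n\n"
    if not pairs_only:
        client = ipaddress.ip_address(attrs["client_address"])
        if any(client in n for n in nets.get(sender, ())):
            return "action=OK\n\n"
    return "action=DUNNO\n\n"
```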
