Victor Duchovni:
> On Mon, Jan 18, 2010 at 07:01:45PM +0200, Henrik K wrote:
>
> > I think I prefer a separate daemon that tails postfix log and greps all
> > to=xxx, relay=xxx info and passes it to the policy daemon. That way the
> > policy daemon doesn't need to have a big DNS mess to resolve all the
> > recipient MX ips.
>
> MX IPs have nothing to do with it. A sender's sending IP often bears
> little relation to the IP where mail for the same address is delivered.
>
> If you whitelist an outside sender address for a given internal recipient
> (original sender), no IP or DNS information is appropriate or required.

Note that Victor is talking about sender-receiver PAIRS. It would
be a bad idea to accept all mail that pretends to be from a whitelisted
sender address.

If you don't whitelist sender-receiver PAIRS, then you need to
restrict the network blocks that may use a whitelisted sender
address, and guessing the /24 (or even /16) is a start.

Wietse
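
The two whitelisting approaches discussed in this thread, as an added example that is not code from the thread or from Postfix: a decision function over a Postfix policy delegation request that matches sender-recipient pairs first and, for sender-only entries, ties the sender address to a network block. The `Whitelist` class, its method names, the sample addresses and the choice of `OK`/`DUNNO` as results are assumptions.

```python
import ipaddress

def parse_policy_request(text):
    """Parse one Postfix policy delegation request: name=value lines, blank line ends it."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class Whitelist:  # hypothetical helper, not a Postfix API
    def __init__(self):
        self.pairs = set()     # (outside sender, internal recipient)
        self.sender_nets = {}  # outside sender -> networks allowed to use it

    def learn_outgoing(self, internal_sender, outside_recipient):
        # An internal user mailed an outside address, so whitelist replies
        # from that address to that one user only.
        self.pairs.add((outside_recipient.lower(), internal_sender.lower()))

    def allow_sender_from(self, sender, client_ip, prefix=24):
        # Sender-only entry: tie the address to the network block it was seen from.
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        self.sender_nets.setdefault(sender.lower(), set()).add(net)

    def decide(self, attrs):
        sender = attrs.get("sender", "").lower()
        rcpt = attrs.get("recipient", "").lower()
        if (sender, rcpt) in self.pairs:
            return "OK"  # pair match: no IP or DNS information consulted
        try:
            ip = ipaddress.ip_address(attrs.get("client_address", ""))
        except ValueError:
            return "DUNNO"
        if any(ip in net for net in self.sender_nets.get(sender, ())):
            return "OK"
        return "DUNNO"  # not whitelisted: leave the decision to later checks

# Constructed sample request (addresses are documentation placeholders).
SAMPLE = ("request=smtpd_access_policy\nsender=partner@example.org\n"
          "recipient=alice@example.com\nclient_address=192.0.2.10\n\n")

if __name__ == "__main__":
    wl = Whitelist()
    wl.learn_outgoing("alice@example.com", "partner@example.org")
    print("action=" + wl.decide(parse_policy_request(SAMPLE)) + "\n")
```

With only the pair entry, the same sender address presented for a different internal recipient gets `DUNNO`, so a forged whitelisted sender gains nothing outside the pair.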