On Tue, Jan 19, 2010 at 09:56:46AM +0700, Tr???n Tr???ng T???n wrote:
> Do you have any way to check domain of email and IP of sending host before
> relay it? I'm trying to setup a gateway which accept relay for some IP
> address, and make sure this IP can only send email from domain(s) it owned.
You want to restrict a set of client systems to a given set of sender
domains, when the client wants to relay to a remote destination.
Postfix can do this directly, when the number of distinct sets
of sender domains is not too large:
http://www.postfix.org/RESTRICTION_CLASS_README.html
main.cf:

    cidr = cidr:${config_directory}/
    indexed = ${default_database_type}:${config_directory}/

    smtpd_restriction_classes =
        restrict_to_sender_domain_set_A,
        restrict_to_sender_domain_set_B,
        restrict_to_sender_domain_set_C,
        restrict_to_sender_domain_set_D

    restrict_to_sender_domain_set_A =
        check_sender_access ${indexed}domain-acl-A,
        reject
    restrict_to_sender_domain_set_B =
        check_sender_access ${indexed}domain-acl-B,
        reject
    restrict_to_sender_domain_set_C =
        check_sender_access ${indexed}domain-acl-C,
        reject
    restrict_to_sender_domain_set_D =
        check_sender_access ${indexed}domain-acl-D,
        reject

    smtpd_client_restrictions =
        #
        # If client sending mail to remote destination,
        # don't enforce sender domain restrictions.
        # Comment out if want to restrict regardless...
        #
        permit_auth_destination,
        #
        # Otherwise restrict sender domain for selected clients
        #
        check_client_access ${cidr}client-domain-acl.cidr

client-domain-acl.cidr:

    # .1, .2 and .3 can relay with domains A, B and C respectively
    #
    192.0.2.1/32    restrict_to_sender_domain_set_A
    192.0.2.2/32    restrict_to_sender_domain_set_B
    192.0.2.3/32    restrict_to_sender_domain_set_C
    # .5/32 can relay with any sender domain
    #
    192.0.2.5/32    permit
    # The /24 restricted to sender domains D
    #
    192.0.2.0/24    restrict_to_sender_domain_set_D

domain-acl-A:

    example.com     permit
    example.org     permit

domain-acl-B:

    example.net     permit

domain-acl-C:

    example.edu     permit

domain-acl-D:

    com.example     permit
    net.example     permit
    org.example     permit
If the set of domains can grow large, you need a policy service instead,
that consults a suitable database with a query that specifies the
client ip and the sender domain, and returns a suitable verdict.
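As an added illustration of the policy-service alternative (not part of Viktor's reply or of Postfix itself): the core of an SMTPD policy delegation service that reads the "name=value" request Postfix sends, looks up the client address in a CIDR-to-sender-domain table, and answers with an action line. The table values are constructed to mirror the access maps above; a real service would query a database instead of a dict, and would wrap this in a socket loop.

```python
import ipaddress

# Constructed sample policy table: client CIDR -> allowed sender domains.
# None means "any sender domain" (like the 192.0.2.5/32 permit entry above).
CLIENT_SENDER_DOMAINS = {
    ipaddress.ip_network("192.0.2.1/32"): {"example.com", "example.org"},
    ipaddress.ip_network("192.0.2.2/32"): {"example.net"},
    ipaddress.ip_network("192.0.2.5/32"): None,
    ipaddress.ip_network("192.0.2.0/24"): {"com.example", "net.example", "org.example"},
}


def parse_request(text):
    """Parse one Postfix policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in text.split("\n"):
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_domain(sender):
    """Domain part of an envelope sender, lower-cased; '' for the null sender."""
    return sender.rpartition("@")[2].lower()


def verdict(attrs):
    """Postfix action for a request; the most specific (longest prefix) entry wins."""
    client = ipaddress.ip_address(attrs.get("client_address", "0.0.0.0"))
    matches = [net for net in CLIENT_SENDER_DOMAINS if client in net]
    if not matches:
        return "DUNNO"  # not one of our relay clients; other restrictions decide
    allowed = CLIENT_SENDER_DOMAINS[max(matches, key=lambda net: net.prefixlen)]
    # The null sender (bounces) has no domain and is rejected unless the
    # client may use any sender; relax this here if bounces must pass.
    if allowed is None or sender_domain(attrs.get("sender", "")) in allowed:
        return "DUNNO"
    return "REJECT Sender domain not permitted for this client"


def handle(text):
    """Build the response the way Postfix expects: 'action=...' plus an empty line."""
    return "action=%s\n\n" % verdict(parse_request(text))
```

The sender attribute is only present once MAIL FROM has been seen, so hook the service in via check_policy_service at a stage where it is known (with the default smtpd_delay_reject = yes, all restrictions are evaluated at RCPT TO, so this holds).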
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.