On 12/29/2010 10:31 AM, michael.lar...@wellsfargo.com wrote:
Back in August several people helped me with the problem
linked here:
http://www.mail-archive.com/postfix-users@postfix.org/msg26629.html
It was almost what I needed, but I didn’t completely
understand what I was asking for at the time, and the
configuration is causing problems. I need to implement some
further restrictions and can’t figure out how to do it. The
current restrictions in my main.cf look like this:
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_access
    check_sender_access hash:/etc/postfix/sender_access
    check_recipient_access hash:/etc/postfix/recipient_access
    check_client_access static:discard
    reject_unauth_destination
An unintended consequence is that any address that is allowed
as a sender is allowed to relay to anyone, even invalid
addresses. I need to be able to specify a very small subset of
valid addresses as recipients, based on who the sender is, and
discard all the others. Since this setup is
“first-match-wins”, the relay doesn’t evaluate anything past
check_sender_access. I need it to evaluate sender, and if the
sender is allowed, discard any recipient address that isn’t
explicitly allowed. I tried blacklisting the addresses I knew
to, and that worked, but new and/or invalid addresses keep
turning up in the test code, and the blacklist has become
unmanageable.
I need a way to implement
“check_sender_access_AND_check_recipient_access”. I assume
Noel anticipated that need when he talked about using
“smtpd_restriction_classes for multiple-factor tests”, but
reading the documentation didn’t shed any light on how to
implement in this situation. Can anyone help turn back the
darkness?

Read this several times until it starts to make sense:
http://www.postfix.org/RESTRICTION_CLASS_README.html

Postfix restriction classes allow you to "nest" restrictions so that you can combine sender and recipient tests. This will work for you if your list of allowed senders can send to any of the allowed recipients. The example
http://www.postfix.org/RESTRICTION_CLASS_README.html#external
does just about exactly what you ask for, just use full recipient addresses instead of domains for the local_domains list (you can use a different name than local_domains in your setup).

If you need finer control - i.e. each sender has their own list of allowed recipients, you'll need to use an external policy service to make those decisions. This is quite a bit more complex than restriction classes, but gives you much finer control over Postfix decisions.
http://www.postfix.org/SMTPD_POLICY_README.html
Here are some pre-built policy servers; maybe one of them would help if you need fine-grained control.
http://www.postfix.org/addon.html#policy


  -- Noel Jones
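
The per-sender recipient lists described in the reply above, sketched as a minimal policy delegate. This is an added example, not part of the original message and not code from the Postfix project; the `ALLOWED` table, the addresses in it and the function names are constructed for illustration. It speaks the name=value request format from SMTPD_POLICY_README and answers with an access(5) action.

```python
import sys

# Constructed sample policy: sender -> recipients that sender may reach.
ALLOWED = {
    "app1@example.com": {"ops@example.net", "alerts@example.net"},
    "batch@example.com": {"reports@example.net"},
}

def parse_request(lines):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, allowed=ALLOWED):
    """Return the access(5) action for one sender/recipient pair."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    if sender not in allowed:
        return "DUNNO"  # unlisted sender: leave it to the later restrictions
    if recipient in allowed[sender]:
        return "OK"     # both factors matched: sender AND recipient
    return "DISCARD recipient not allowed for this sender"

def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests until EOF; each reply is 'action=...' plus a blank line."""
    while True:
        attrs = parse_request(stdin)
        if not attrs:
            return
        stdout.write("action=%s\n\n" % decide(attrs))
        stdout.flush()

if __name__ == "__main__":
    serve()
```

Postfix would call this through a `check_policy_service` entry in `smtpd_recipient_restrictions`, placed where `check_sender_access` sits in the configuration quoted above. Per access(5), DISCARD currently affects all recipients of the message, not only the one being checked.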
