On 29/12/2010 17:31, michael.lar...@wellsfargo.com wrote:
> Back in August several people helped me with the problem linked here:
>
> http://www.mail-archive.com/postfix-users@postfix.org/msg26629.html
>
> It was almost what I needed, but I didn't completely understand what I was
> asking for at the time, and the configuration is causing problems. I need to
> implement some further restrictions and can't figure out how to do it. The
> current restrictions in my main.cf look like this:
>
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/client_access
>     check_sender_access hash:/etc/postfix/sender_access
>     check_recipient_access hash:/etc/postfix/recipient_access
>     check_client_access static:discard
>     reject_unauth_destination
>
> An unintended consequence is that any address that is allowed as a sender is
> allowed to relay to anyone, even invalid addresses. I need to be able to
> specify a very small subset of valid addresses as recipients, based on who
> the sender is, and discard all the others. Since this setup is
> "first-match-wins", the relay doesn't evaluate anything past
> check_sender_access. I need it to evaluate sender, and if the sender is
> allowed, discard any recipient address that isn't explicitly allowed. I tried
> blacklisting the addresses I knew to, and that worked, but new and/or invalid
> addresses keep turning up in the test code, and the blacklist has become
> unmanageable.
>
If you explain exactly what you want to implement, we can see if you can do it
without classes. For example, in your original need, you wanted:

- no relay at all (no mail except to corporate recipients); discard instead of reject
- allow mail from NET1 to RCPT1 (set of recipients)
- allow mail from NET2 (to any corporate recipients)
- discard all other mail

Then you can do it like this:

# accept mail if from NET2 or to RCPT1, else discard
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/net2
    check_recipient_access hash:/etc/postfix/rcpt1
#   check_client_access static:discard

# accept mail from NET1 and NET2, else discard
smtpd_helo_restrictions =
    check_client_access cidr:/etc/postfix/net2
    check_client_access cidr:/etc/postfix/net1
#   check_client_access static:discard

With this, you can keep smtpd_recipient_restrictions at its default value (thus
no risk of becoming an open relay in case of misconfiguration).

> I need a way to implement "check_sender_access_AND_check_recipient_access". I
> assume Noel anticipated that need when he talked about using
> "smtpd_restriction_classes for multiple-factor tests", but reading the
> documentation didn't shed any light on how to implement in this situation.
> Can anyone help turn back the darkness?

As suggested above, leave smtpd_recipient_restrictions at its default and use
the other ones.

Here is a generic "tree" approach: we first check the client. Depending on the
client, we check the recipient in a client-specific map. And depending on the
result, we look up the sender in a recipient-specific map. This is probably
overkill for your needs, but since you didn't state your needs, ... (1 map for
clients, N maps for recipients, N*M maps for senders => totalling 1 + N + N*M
maps).
smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/access_client
    check_client_access static:discard

smtpd_restriction_classes =
    client_policy_1 client_policy_2
    rcpt_policy_11 rcpt_policy_12 rcpt_policy_13
    rcpt_policy_21 rcpt_policy_22 rcpt_policy_23

client_policy_1 =
    check_recipient_access hash:/etc/postfix/access_recipient_1
    check_client_access static:discard

client_policy_2 =
    check_recipient_access hash:/etc/postfix/access_recipient_2
    check_client_access static:discard

rcpt_policy_11 =
    check_sender_access hash:/etc/postfix/access_sender_11
    check_client_access static:discard

rcpt_policy_12 =
    check_sender_access hash:/etc/postfix/access_sender_12
    check_client_access static:discard

....

== access_client
10.20.30.0/24       client_policy_1
10.40.50.0/24       client_policy_2
...

== access_recipient_1
j...@example.com    rcpt_policy_11
example.org         rcpt_policy_12
.example.org        rcpt_policy_13

== access_recipient_2
j...@example.com    rcpt_policy_21
example.org         rcpt_policy_22
.example.org        rcpt_policy_23

== access_sender_11
f...@bar.example    OK
example.net         OK
.example.net        OK
...
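To make the difference between the two configurations concrete, here is a small Python model of smtpd's first-match-wins evaluation. It is an added example, not code from this thread or from Postfix: the access tables, the `app@bar.example` / `jane@example.com` addresses and the `10.20.30.0/24` client are constructed stand-ins for the elided entries above, the tree is cut down to one client policy and one recipient policy, and `lookup_hash` only approximates access(5) domain matching (it accepts both the `example.org` and `.example.org` spellings, where real Postfix chooses one according to `parent_domain_matches_subdomains`). Running it shows why the original list lets any whitelisted sender relay to any recipient, and how the class tree turns the check into sender AND recipient.

```python
"""Toy model of Postfix's first-match-wins restriction evaluation (added
example, not from the thread). Tables and addresses are constructed."""
import ipaddress


def lookup_hash(table, address):
    """Simplified access(5) lookup for an address: full address first, then
    the domain, then each parent domain in both the 'example.org' and
    '.example.org' spellings (real Postfix picks one of the two)."""
    if address in table:
        return table[address]
    domain = address.rsplit("@", 1)[-1]
    labels = domain.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for key in ((suffix,) if i == 0 else (suffix, "." + suffix)):
            if key in table:
                return table[key]
    return None


def lookup_client(table, client_ip):
    """cidr: tables are lists of (network, value), first match wins;
    hash: tables are modelled as exact-IP dictionaries."""
    if isinstance(table, dict):
        return table.get(client_ip)
    addr = ipaddress.ip_address(client_ip)
    for network, value in table:
        if addr in network:
            return value
    return None


def evaluate(restrictions, classes, tables, client_ip, sender, recipient, local_domains):
    """Walk a restriction list like smtpd: the first OK/REJECT/DISCARD decides,
    a non-match (DUNNO) moves on, and a restriction-class name is expanded in
    place. Returns None if the list ends without a decision."""
    for restriction in restrictions:
        name, _, table_name = restriction.partition(" ")
        if name == "reject_unauth_destination":
            result = None if recipient.rsplit("@", 1)[-1] in local_domains else "REJECT"
        elif table_name == "static:discard":
            result = "DISCARD"  # static: returns its value for every key
        elif name == "check_client_access":
            result = lookup_client(tables[table_name], client_ip)
        elif name == "check_sender_access":
            result = lookup_hash(tables[table_name], sender)
        elif name == "check_recipient_access":
            result = lookup_hash(tables[table_name], recipient)
        else:
            raise ValueError(f"unsupported restriction: {restriction}")
        if result is None:
            continue
        if result in classes:  # nested list; if it decides nothing, keep going
            result = evaluate(classes[result], classes, tables,
                              client_ip, sender, recipient, local_domains)
            if result is None:
                continue
        return result.upper()
    return None


# Constructed tables standing in for the hash:/cidr: files named in the thread.
TABLES = {
    "hash:client_access": {},
    "hash:sender_access": {"app@bar.example": "OK"},  # the poster's sender whitelist
    "hash:recipient_access": {},
    "cidr:access_client": [(ipaddress.ip_network("10.20.30.0/24"), "client_policy_1")],
    "hash:access_recipient_1": {"jane@example.com": "rcpt_policy_11"},
    "hash:access_sender_11": {"app@bar.example": "OK", ".example.net": "OK"},
}
LOCAL_DOMAINS = {"example.com"}

ORIGINAL = [  # smtpd_recipient_restrictions as quoted at the top of the thread
    "check_client_access hash:client_access",
    "check_sender_access hash:sender_access",
    "check_recipient_access hash:recipient_access",
    "check_client_access static:discard",
    "reject_unauth_destination",
]
TREE = [  # the reply's tree, reduced to one client policy and one recipient policy
    "check_client_access cidr:access_client",
    "check_client_access static:discard",
]
TREE_CLASSES = {
    "client_policy_1": ["check_recipient_access hash:access_recipient_1",
                        "check_client_access static:discard"],
    "rcpt_policy_11": ["check_sender_access hash:access_sender_11",
                       "check_client_access static:discard"],
}


def decide(restrictions, classes, client_ip, sender, recipient):
    """Top-level verdict: an exhausted smtpd_recipient_restrictions permits."""
    verdict = evaluate(restrictions, classes, TABLES, client_ip, sender, recipient, LOCAL_DOMAINS)
    return verdict or "OK"


if __name__ == "__main__":
    for restrictions, classes, ip, sender, rcpt in [
        (ORIGINAL, {}, "10.20.30.5", "app@bar.example", "nobody@other.example"),
        (TREE, TREE_CLASSES, "10.20.30.5", "app@bar.example", "nobody@other.example"),
        (TREE, TREE_CLASSES, "10.20.30.5", "app@bar.example", "jane@example.com"),
        (TREE, TREE_CLASSES, "10.20.30.5", "stranger@other.example", "jane@example.com"),
        (TREE, TREE_CLASSES, "192.0.2.9", "app@bar.example", "jane@example.com"),
    ]:
        label = "original" if restrictions is ORIGINAL else "tree"
        print(f"{label:8} {ip:12} {sender:24} -> {rcpt:22} {decide(restrictions, classes, ip, sender, rcpt)}")
```

The first case is the poster's complaint: `check_sender_access` answers OK before `reject_unauth_destination` is ever reached, so the whitelisted sender can relay to `nobody@other.example`. In the tree the same sender and recipient end in DISCARD, because the client's class only returns OK through a recipient-specific sender map. On a real server the same questions are answered by `postmap -q key hash:/etc/postfix/access_sender_11` for individual table lookups and `postconf -n` to see the restriction lists as Postfix parses them.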