Thanks again for trying to help, Viktor, but I'm unable to ascertain how your suggested configuration fulfills my goal. It appears to me that your config discards mail from all clients unless they're listed in the allowed-clients table. This isn't what I'm after. What I'm after is for all clients to be allowed to relay, but only certain ones be allowed to relay everything sent by them, and the rest be allowed to relay mail sent only by specific senders to specific recipients. I don't see where the "AND" part is for evaluation between allowed-senders and allowed-recipients. It appears to me that in this configuration, allowed-senders and allowed-recipients are evaluated independently. Can you explain what I'm missing?
-----Original Message-----
From: Victor Duchovni [mailto:victor.ducho...@morganstanley.com]
Sent: Thursday, December 30, 2010 2:43 PM
To: Larsen, Michael W.
Cc: postfix-users@postfix.org
Subject: Re: Relay restrictions

On Thu, Dec 30, 2010 at 02:09:57PM -0600, michael.lar...@wellsfargo.com wrote:

> Perhaps I misunderstood, but you said:
>
> > With this all mail is discarded unless *all* (my emphasis) the conditions
> > below are met:
> >
> > - From an allowed SMTP client (IP address CIDR table)
> > - From an allowed envelope sender (indexed via postmap lookup table)
> > - To an allowed envelope recipient (indexed via postmap lookup table)
>
> Which isn't what I want. For hosts in client_access, I don't want any
> sender/recipient evaluation - I just want it to flow through - all of
> it. For hosts not in client_access, I want it assumed they're allowed,
> but the sender/recipient restrictions asserted.

In that case change the client restrictions to "OR", but keep sender and
recipient as "AND".

main.cf:
    indexed = ${default_database_type}:${config_directory}/
    cidr = cidr:${config_directory}/
    smtpd_restriction_classes = discard_all
    discard_all = static:discard
    smtpd_sender_restrictions =
        check_sender_access ${indexed}allowed-senders
        check_client_access ${cidr}allowed-clients,
    smtpd_recipient_restrictions =
        check_recipient_access ${indexed}allowed-recipients,
        check_client_access ${cidr}allowed-clients,
        #
        # Required to appease validation logic. In practice,
        # allowed-clients will permit all IPs, some to deliver
        # and the rest to discard.
        #
        reject

allowed-clients:
    192.0.2.1   permit
    0.0.0.0/0   discard_all, permit

--
        Viktor.
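As an added illustration (not written by Viktor or Michael, and not Postfix code), here is a small Python model of how Postfix walks the two restriction lists in that main.cf; the table contents are constructed placeholders. Within one list the first non-DUNNO answer wins, which is the "OR" among clients; each list must then be passed in turn, which is the "AND" between allowed-senders and allowed-recipients for every client that the CIDR table hands to discard_all.

```python
import ipaddress

OK, DISCARD, REJECT, DUNNO = "OK", "DISCARD", "REJECT", "DUNNO"

# Constructed stand-ins for the allowed-senders, allowed-recipients and
# allowed-clients tables (hypothetical addresses, not from the thread).
ALLOWED_SENDERS = {"app@example.com"}
ALLOWED_RECIPIENTS = {"ops@example.net"}
ALLOWED_CLIENTS = [  # cidr table: file order, first match wins
    (ipaddress.ip_network("192.0.2.1/32"), ["permit"]),
    (ipaddress.ip_network("0.0.0.0/0"), ["discard_all", "permit"]),
]

def run_list(restrictions, client, sender, rcpt):
    """One restriction list: the first non-DUNNO answer wins (the 'OR')."""
    for name in restrictions:
        result = RESTRICTIONS[name](client, sender, rcpt)
        if result != DUNNO:
            return result
    return DUNNO

def check_client_access(client, sender, rcpt):
    """The access-table result is itself a restriction list (here a class name)."""
    addr = ipaddress.ip_address(client)
    for net, actions in ALLOWED_CLIENTS:
        if addr in net:
            return run_list(actions, client, sender, rcpt)
    return DUNNO

RESTRICTIONS = {
    "check_sender_access": lambda c, s, r: OK if s in ALLOWED_SENDERS else DUNNO,
    "check_recipient_access": lambda c, s, r: OK if r in ALLOWED_RECIPIENTS else DUNNO,
    "check_client_access": check_client_access,
    "discard_all": lambda c, s, r: DISCARD,  # the static:discard class
    "permit": lambda c, s, r: OK,
    "reject": lambda c, s, r: REJECT,
}

# The two lists from Viktor's main.cf, in the order Postfix runs them.
SMTPD_SENDER_RESTRICTIONS = ["check_sender_access", "check_client_access"]
SMTPD_RECIPIENT_RESTRICTIONS = ["check_recipient_access", "check_client_access", "reject"]

def evaluate(client, sender, rcpt):
    """Every list must be passed in turn (the 'AND'); OK in one list only
    ends that list, it does not skip the next one."""
    for lst in (SMTPD_SENDER_RESTRICTIONS, SMTPD_RECIPIENT_RESTRICTIONS):
        result = run_list(lst, client, sender, rcpt)
        if result in (REJECT, DISCARD):
            return result
    return OK
```

The model covers only the sender and recipient lists that the posted main.cf sets; a listed client passes both lists through check_client_access, while any other client needs both the sender and the recipient to be in their tables before the client lookup ever reaches discard_all.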