On 1/30/2011 3:31 PM, Daniel Bromberg wrote:
> Hi,
>
> I've recently started using postfix several weeks ago to run
> my e-mail services. Using spamassassin/spamd,
> greylists/SQLgrey, several RBLs, multiple domains, virtual
> users against MySQL tables in multiple domains, so somewhat
> knowledgeable, but mostly not.
>
> One of the companies I administrate has a policy that users
> submitting outgoing mail via submission/SSL/465 can only use
> the server to submit 'MAIL FROM:' their SASL authenticated
> username, so they cannot do non-company business as a
> different e-mail identity through the server.
>
> This is turning out to be harder than I thought however.
>
> A. IIUC, check_sender_access applies to all mail received,
> whether intended for local delivery via smtp/unencrypted/25 or
> intended for outbound relaying via submission/SSL/465.

No, you can override most main.cf settings, including all the smtpd_*_restrictions, with -o options on the submission/smtps entries in master.cf. See:
http://www.postfix.org/postconf.5.html

A simple check would be adding a regexp check_sender_access map that rejects any address that doesn't contain @example.com. A more sophisticated check would ensure that the SASL credentials match the MAIL FROM, using reject_sender_login_mismatch. Also note that postfix operates on the MAIL FROM envelope address, not the address given in the From: header.

Note that too many overrides can make postfix somewhat confusing due to the config being in several places. At some point it's easier and cleaner to run multiple instances. Running multiple postfix instances is substantially easier with postfix versions 2.6 and newer.
http://www.postfix.org/MULTI_INSTANCE_README.html


  -- Noel Jones
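
The two checks described in the reply above, combined in one configuration sketch. This is an added example, not part of the original message. The file paths, the parameter name submission_sender_restrictions, and the map entries are assumptions made for illustration.

```conf
# ---- /etc/postfix/main.cf (path assumed) ----
# Owner map consulted by reject_sender_login_mismatch:
# key = MAIL FROM envelope address, value = SASL login(s) allowed to use it.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Restriction list referenced from master.cf. The parameter name is
# arbitrary (chosen for this example); defining the list here avoids
# whitespace inside a master.cf "-o" value.
submission_sender_restrictions =
    check_sender_access regexp:/etc/postfix/submission_sender.regexp,
    reject_sender_login_mismatch

# ---- /etc/postfix/master.cf ----
# The -o overrides apply only to this service (port 465), so mail
# arriving on port 25 keeps the main.cf sender restrictions.
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=$submission_sender_restrictions

# ---- /etc/postfix/submission_sender.regexp ----
# Simple check: reject any envelope sender that does not end in
# @example.com (regexp tables match case-insensitively by default).
!/@example\.com$/   REJECT Sender address must be @example.com

# ---- /etc/postfix/sender_login (constructed entries) ----
# Run "postmap /etc/postfix/sender_login" after editing.
# An authenticated client whose login does not own the MAIL FROM
# address according to this map is rejected.
alice@example.com   alice@example.com
sales@example.com   alice@example.com,bob@example.com
```

Both checks act on the envelope sender only; neither looks at the From: header, as the reply points out.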
