On 5/7/2011 1:01 PM, Dennis Carr wrote:
> I'm ultimately trying to reject any mail from servers that say they are
> me and are distinctively NOT.
Ultimately, the proper way to separate public connections from private
connections is to create separate smtpd listeners (or use a separate
server for outbound relay):
1. TCP 25 - public internet delivery
2. TCP 587 - roaming user submission (laptop/smartphone)
3. TCP 10025 (example) - internal servers relaying or delivering
With this setup, you can easily reject anything containing your domain
name on TCP 25, the default Postfix smtpd listener, while allowing your
domain name on the dedicated listeners. To do this you'd remove the
remark from the 'submission' smtpd in master.cf and you'd create an
additional listener called 10025 (example) and add any appropriate
overrides for these new smtpds. You can then create a single file
called, say, 'not-me.access' and use it as such:
/etc/postfix/not-me.access
chez-vrolet.net         REJECT

/etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/not-me.access,
    check_sender_access hash:/etc/postfix/not-me.access,
    ...
At the firewall allow TCP 587 from both outside and inside. Do not
allow 10025 from the outside. Reconfigure any internal hosts that relay
or deliver mail to your MX to connect to TCP 10025. I think that covers
it, at least from relatively low altitude.
--
Stan
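The layout Stan describes (TCP 25 with the access map, TCP 587 and TCP 10025 with their own overrides) is easy to get wrong in one detail: the order of the restrictions decides whether your own authenticated or internal clients are rejected by the very map meant for forgers. The following is an added example, not code from the thread or from Postfix itself: a small simulator that walks an smtpd_recipient_restrictions list the way smtpd does (first restriction that decides wins; an exhausted list permits) and runs constructed sessions against the three listeners. The "-o" override lists for 587 and 10025, the mynetworks ranges, the mydestination value and every client address are assumptions; the not-me.access content is the one from the reply.

```python
"""Added example (not from the mailing-list post): simulate how Postfix
evaluates smtpd_recipient_restrictions per listener, to check that forged
"I am you" mail is rejected on TCP 25 while authenticated (587) and
internal (10025) clients may still use the domain."""
import ipaddress
from dataclasses import dataclass

# Content of /etc/postfix/not-me.access as shown in the reply
NOT_ME_ACCESS = {"chez-vrolet.net": "REJECT"}

# Assumed values for mynetworks and mydestination
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]
MYDESTINATION = {"chez-vrolet.net", "localhost"}

# Restriction list per listener.  Port 25 is the list from the reply; the
# 587 and 10025 lists are assumed "-o smtpd_recipient_restrictions=..."
# overrides on the extra smtpd entries in master.cf.
RESTRICTIONS = {
    25: ["permit_mynetworks", "permit_sasl_authenticated",
         "reject_unauth_destination",
         "check_helo_access", "check_sender_access"],
    587: ["permit_sasl_authenticated", "reject"],
    10025: ["permit_mynetworks", "reject"],
}


@dataclass
class Session:
    port: int
    client_ip: str
    helo: str
    sender: str            # envelope MAIL FROM, "" for the null sender
    recipient: str         # envelope RCPT TO
    sasl_username: str = ""


def domain_lookup(table, name):
    """Look a host/domain name up the way Postfix does for access maps:
    the name itself, then each parent domain (smtpd_access_maps is in
    parent_domain_matches_subdomains by default)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        result = table.get(".".join(labels[i:]))
        if result is not None:
            return result
    return None


def sender_lookup(table, sender):
    """check_sender_access order: full address, then the domain and its
    parents, then localpart@.  The null sender matches nothing here."""
    if not sender:
        return None
    local, _, domain = sender.lower().partition("@")
    if sender.lower() in table:
        return table[sender.lower()]
    result = domain_lookup(table, domain)
    if result is not None:
        return result
    return table.get(local + "@")


def evaluate(session, restrictions=None):
    """Walk the list in order; the first restriction that returns a
    decision wins, and reaching the end of the list means permit."""
    rules = restrictions or RESTRICTIONS[session.port]
    ip = ipaddress.ip_address(session.client_ip)
    for rule in rules:
        if rule == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return "PERMIT"
        if rule == "permit_sasl_authenticated" and session.sasl_username:
            return "PERMIT"
        if rule == "reject_unauth_destination":
            rcpt_domain = session.recipient.rpartition("@")[2].lower()
            if rcpt_domain not in MYDESTINATION:
                return "REJECT reject_unauth_destination"
        if rule == "check_helo_access":
            if domain_lookup(NOT_ME_ACCESS, session.helo) == "REJECT":
                return "REJECT check_helo_access"
        if rule == "check_sender_access":
            if sender_lookup(NOT_ME_ACCESS, session.sender) == "REJECT":
                return "REJECT check_sender_access"
        if rule == "reject":
            return "REJECT"
    return "PERMIT"


def scenarios():
    """Constructed sessions, one per case a defender would want to verify."""
    me = "dennis@chez-vrolet.net"
    return {
        "forged helo on 25": evaluate(Session(25, "203.0.113.5", "chez-vrolet.net", "x@example.net", me)),
        "forged subdomain helo on 25": evaluate(Session(25, "203.0.113.5", "mx.chez-vrolet.net", "x@example.net", me)),
        "forged sender on 25": evaluate(Session(25, "203.0.113.5", "mail.example.net", me, me)),
        "legit inbound on 25": evaluate(Session(25, "203.0.113.5", "mail.example.net", "x@example.net", me)),
        "relay attempt on 25": evaluate(Session(25, "203.0.113.5", "mail.example.net", "x@example.net", "y@example.org")),
        "roaming user on 587": evaluate(Session(587, "198.51.100.7", "laptop", me, "y@example.org", sasl_username="dennis")),
        "unauthenticated client on 587": evaluate(Session(587, "198.51.100.7", "laptop", me, "y@example.org")),
        "internal relay on 10025": evaluate(Session(10025, "192.168.1.10", "app.chez-vrolet.net", "app@chez-vrolet.net", "y@example.org")),
    }


def misordered_submission():
    """Pitfall: an access check placed before permit_sasl_authenticated
    rejects the domain's own roaming users, which is why the permits come
    first in the list from the reply."""
    s = Session(587, "198.51.100.7", "laptop", "dennis@chez-vrolet.net",
                "y@example.org", sasl_username="dennis")
    return evaluate(s, ["check_sender_access", "permit_sasl_authenticated", "reject"])


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32s} {verdict}")
    print("misordered submission list     ", misordered_submission())
```

The "internal relay on 10025" case is permitted by permit_mynetworks alone, which is exactly why the firewall rule matters: nothing in the restriction list stops an outside client on 10025, the network does.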