Re: Per IP per domain restriction

2011-08-29 Thread Jan P. Kessler

> In an attempt to work around existing infrastructure, I am trying to
> restrict, by sender domain, what mail is accepted from certain IPs.
> My thought at the moment is the lookup would look something like:
>
> ip.add.re.ss    domain1.com, domain2.com
>
> And if a connection is started from ip.add.re.ss with a sender of
> u...@domain3.com the message gets rejected.
> Is there a way to do this in postfix?  I checked out Policydv2 as I
> thought this might fall under its purview, but after reading its
> configuration and documentation, I don't think it supports this out of
> the box.  Thanks.


postfwd (http://postfwd.org) will do that with the following ruleset:

id=SENDER01
sender_domain==dom1.com
client_address!=192.168.1.0/24, 1.1.1.1
action=REJECT not from this relay

id=SENDER02
sender_domain==dom2.com
client_address!=172.16.16.0/22
action=REJECT not from this relay

Best regards
  Jan



Re: Per IP per domain restriction

2011-08-27 Thread Benny Pedersen

On Fri, 26 Aug 2011 14:12:00 -0400, Munroe Sollog wrote:


> under its purview, but after reading its configuration and
> documentation, I don't think it supports this out of the box. Thanks.


Why not use SPF? policyd v2 has SPF support, SPF data doesn't need to
be public in DNS if it's just local servers on public IPs, else I would
take the SMTP auth subway


Re: Per IP per domain restriction

2011-08-27 Thread Munroe Sollog

On 08/27/2011 01:52 PM, Benny Pedersen wrote:

> On Fri, 26 Aug 2011 14:12:00 -0400, Munroe Sollog wrote:
>
>> under its purview, but after reading its configuration and
>> documentation, I don't think it supports this out of the box. Thanks.
>
> Why not use SPF? policyd v2 has SPF support, SPF data doesn't need to
> be public in DNS if it's just local servers on public IPs, else I would
> take the SMTP auth subway

SPF does the inverse of what I'm interested in.  It limits a domain to a
specific IP; I am interested in limiting an IP to a specific domain.  As
I am only dealing with 3 domains each on their own IP I think the
restriction classes scale just enough to fit my needs.


Unfortunately, smtp auth isn't an option until the sending servers are 
upgraded.  Thanks for the help.




Per IP per domain restriction

2011-08-26 Thread Munroe Sollog
In an attempt to work around existing infrastructure, I am trying to restrict, 
by sender domain, what mail is accepted from certain IPs.  My thought at the 
moment is the lookup would look something like:

ip.add.re.ss    domain1.com, domain2.com

And if a connection is started from ip.add.re.ss with a sender of 
u...@domain3.com the message gets rejected.  Is there a way to do this in 
postfix?  I checked out Policydv2 as I thought this might fall under its 
purview, but after reading its configuration and documentation, I don't think 
it supports this out of the box.  Thanks.


Munroe Sollog
Digirati Consulting
sol...@digiraticonsulting.com
(610) 332-7234 x805



Re: Per IP per domain restriction

2011-08-26 Thread Wietse Venema
Munroe Sollog:
> In an attempt to work around existing infrastructure, I am trying
> to restrict, by sender domain, what mail is accepted from certain
> IPs.  My thought at the moment is the lookup would look something
> like:
>
> ip.add.re.ss  domain1.com, domain2.com

This, of course, works only for a small number of domains that you
are intimately familiar with. 

If this were implemented with Postfix built-ins it would involve
recursive access maps, which Postfix does not support, but there
is a workaround called restriction_classes that could do the job
but it gets ugly quickly as the example below illustrates.

If you control the sender domains, using SPF would be simpler.

Wietse

Docs: http://www.postfix.org/RESTRICTION_CLASS_README.html

Untested example:

/etc/postfix/main.cf:
    restriction_classes = require_domain1_ip require_domain2_ip ...
    require_domain1_ip =
        check_client_access hash:/etc/postfix/domain1_ip_access
    require_domain2_ip =
        check_client_access cidr:/etc/postfix/domain2_ip_access.cidr

    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access

/etc/postfix/sender_access:
    domain1.com require_domain1_ip
    domain2.com require_domain2_ip

/etc/postfix/domain1_ip_access:
    1.2.3.4 OK
    1.2.3.5 OK

/etc/postfix/domain2_ip_access.cidr:
    4.3.2.0/24 OK

Again, totally untested.


Re: Per IP per domain restriction

2011-08-26 Thread Wietse Venema
One update: I forgot to add reject actions. They are included below.

Wietse

> In an attempt to work around existing infrastructure, I am trying
> to restrict, by sender domain, what mail is accepted from certain
> IPs.  My thought at the moment is the lookup would look something
> like:
>
> ip.add.re.ss  domain1.com, domain2.com

This, of course, works only for a small number of domains that you
are intimately familiar with. 

If this were implemented with Postfix built-ins it would involve
recursive access maps, which Postfix does not support, but there
is a workaround called restriction_classes that could do the job.
It gets ugly quickly as the example below illustrates.

If you control the sender domains, using SPF would be simpler.

Wietse

Docs: http://www.postfix.org/RESTRICTION_CLASS_README.html

Untested example:

/etc/postfix/main.cf:
    restriction_classes = require_domain1_ip require_domain2_ip ...
    require_domain1_ip =
        check_client_access hash:/etc/postfix/domain1_ip_access reject
    require_domain2_ip =
        check_client_access cidr:/etc/postfix/domain2_ip_access.cidr reject

    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access

/etc/postfix/sender_access:
    domain1.com require_domain1_ip
    domain2.com require_domain2_ip

/etc/postfix/domain1_ip_access:
    1.2.3.4 OK
    1.2.3.5 OK

/etc/postfix/domain2_ip_access.cidr:
    4.3.2.0/24 OK

Again, totally untested.
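
Added example, not part of any message in the thread: a small Python model of how the restriction_classes configuration above (the version with the reject actions) decides on a client IP and envelope sender. It assumes exact sender-domain lookup and plain address matching only, which is simpler than the lookup keys Postfix access tables actually try, and it shows which sender/IP combinations these rules leave undecided.

```python
import ipaddress

# Constructed tables mirroring the untested example in the thread
# (second version, with the trailing "reject" in each restriction class).
SENDER_ACCESS = {                      # /etc/postfix/sender_access
    "domain1.com": "require_domain1_ip",
    "domain2.com": "require_domain2_ip",
}
CLASS_CLIENTS = {
    "require_domain1_ip": ["1.2.3.4", "1.2.3.5"],  # hash: table keys
    "require_domain2_ip": ["4.3.2.0/24"],          # cidr: table pattern
}

def client_listed(client_ip, entries):
    """True if the client address matches any table entry (host or network)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry) for entry in entries)

def sender_restrictions(client_ip, sender):
    """Verdict of the modelled smtpd_sender_restrictions: OK, REJECT or DUNNO."""
    domain = sender.rpartition("@")[2].lower()
    restriction_class = SENDER_ACCESS.get(domain)
    if restriction_class is None:
        return "DUNNO"   # sender domain not in sender_access: no decision here
    if client_listed(client_ip, CLASS_CLIENTS[restriction_class]):
        return "OK"      # check_client_access found the client
    return "REJECT"      # fell through to the class's final "reject"

# Constructed test traffic: (client IP, envelope sender).
CASES = [
    ("1.2.3.4", "user@domain1.com"),
    ("9.9.9.9", "user@domain1.com"),
    ("4.3.2.77", "user@DOMAIN2.com"),
    ("1.2.3.4", "user@domain2.com"),
    ("1.2.3.4", "user@domain3.com"),
]

def audit(cases):
    """Evaluate every (client IP, sender) pair and return the verdicts."""
    return [(ip, sender, sender_restrictions(ip, sender)) for ip, sender in cases]

if __name__ == "__main__":
    for ip, sender, verdict in audit(CASES):
        print(f"{ip:<10} {sender:<20} {verdict}")
```

The last case is the one the original question was about: rejecting it needs a check keyed on the client IP, which this configuration does not contain.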