Scratching my head on whether this is possible:

I suppose I want to do something like a database 'join' in my Postfix setup.
e.g. enforce this check_client_access rule if and only if the recipient is in one of the following domains...

This has arisen because we use MXLogic to filter inbound email, but only for a subset of the domains we're hosting. MXLogic works by pointing the domain MX record at their servers, which then relay/proxy to our Postfix. Spammers figure out how to bypass the filtering by delivering directly to the Postfix server (presumably they spot that mail.foo.com points to a machine that accepts connections on port 25 and delivery for foo.com). The way to thwart this filter bypass traffic is to deny local delivery to clients that are not on MXLogic's subnets. This is easy to do with a check_client_access directive and a cidr table.

But if there are some domains hosted that are not subject to MXLogic filtering (their spam filtering is done MUA-side), a global check_client_access rule won't work because it will deny local delivery to legitimate MTA traffic for those domains.

Hence the desire to make the subnet restriction domain-specific.

What's the best way to implement this? I think restriction classes are the way to go, but I'm not 100% sure.
Any pointers appreciated.

Thanks.


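One way to express the per-domain client restriction asked about above using Postfix restriction classes, as an added example that is not part of the original post. The class name `mxlogic_only`, the file paths, the domain `foo.com` and the subnet `192.0.2.0/24` are placeholders; substitute the filtering provider's published relay ranges.

```cfg
# ---- /etc/postfix/main.cf (fragment) ----
# Declare a named restriction class and define what it evaluates.
smtpd_restriction_classes = mxlogic_only

# Clients listed in the cidr table get OK; every other client is rejected.
mxlogic_only =
    check_client_access cidr:/etc/postfix/mxlogic_clients.cidr,
    reject

# reject_unauth_destination runs first, so an OK returned by the class
# can never turn this server into a relay for foreign domains.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/filtered_domains

# ---- /etc/postfix/filtered_domains ----
# Recipient domain -> restriction class to apply.
# Only domains whose MX points at the filtering service are listed.
# Domains filtered MUA-side are left out, so they get no lookup result
# and mail for them is accepted from any client as before.
# Rebuild after editing: postmap /etc/postfix/filtered_domains
foo.com         mxlogic_only

# ---- /etc/postfix/mxlogic_clients.cidr ----
# Placeholder range standing in for the filtering service's relay subnets.
# cidr tables are read directly; no postmap step is needed.
192.0.2.0/24    OK
```

Mail from `permit_mynetworks` or SASL-authenticated clients is accepted before the recipient lookup, so internal senders to the filtered domains are not affected by the class.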