Subject: $smtpd_recipient_restrictions = reject_unauth_destination vs. check_relay_domains...
From: Brad Knowles (blkskynet.be)
Date: Fri Feb 11 2000 - 11:37:26 CST


Folks,

        I'm having a bit of trouble working out what I need to use here.

        I'm setting up our first postfix-based inbound mail relay
(backup), and I'm trying to guarantee that it accepts and relays mail
only for certain domains that we know we host (I'll periodically run
a script to update this information from somewhere else), and rejects
everything else.

        If I use $smtpd_recipient_restrictions = check_relay_domains,
then postfix looks at the client address to see if it's in
$relay_domains or is a subdomain thereof, and if it is, then it
accepts anything the client may have to send. But there are far too
many people out there that own their own reverse DNS, and could use
this to lie to our server and claim to be local.

        If I use $smtpd_recipient_restrictions =
reject_unauth_destination, then the entire envelope recipient address
is checked against $relay_domains, and if it's not found then the
message is rejected. But at this level, we don't know what users are
valid for what domains, and I don't have a complete list of all the
hundreds of thousands of aliases, etc... that would more properly
exist in $virtual_maps anyway.

        Any suggestions?

        Thanks!

-- 
   These are my opinions and should not be taken as official Skynet policy
  _________________________________________________________________________
|o| Brad Knowles, <blkskynet.be>                 Belgacom Skynet NV/SA |o|
|o| Systems Architect, Mail/News/FTP/Proxy Admin  Rue Col. Bourg, 124   |o|
|o| Phone/Fax: +32-2-706.13.11/726.93.11          B-1140 Brussels       |o|
|o| http://www.skynet.be                          Belgium               |o|
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
     Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
      Unix is very user-friendly.  It's just picky who its friends are.
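
The two restrictions contrasted in the message above, modelled as an added example (not part of the original post and not Postfix code). The domain names are constructed, the recipient branch of `check_relay_domains` follows the Postfix documentation rather than the post, and only `$relay_domains` is modelled as an authorized destination.

```python
# Simplified model of the two restrictions; all names are constructed samples.
RELAY_DOMAINS = {"hosted.example", "customer.test"}  # hypothetical hosted domains


def in_relay_domains(name, relay_domains=RELAY_DOMAINS):
    """True if name is a listed domain or a subdomain of one (label-wise)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in relay_domains for i in range(len(labels)))


def recipient_domain(rcpt):
    return rcpt.rsplit("@", 1)[1]


def check_relay_domains(client_hostname, rcpt):
    # Client branch (the one the post describes): the hostname comes from
    # reverse DNS, which the owner of the client's address block controls.
    if in_relay_domains(client_hostname):
        return "permit"
    # Recipient branch: mail addressed to a relay domain is also permitted.
    if in_relay_domains(recipient_domain(rcpt)):
        return "permit"
    return "reject"


def reject_unauth_destination(client_hostname, rcpt):
    # Only the envelope recipient's domain is consulted; the client name and
    # the local part (whether the user exists) play no role.
    return "permit" if in_relay_domains(recipient_domain(rcpt)) else "reject"


CASES = [  # (client hostname from PTR lookup, envelope recipient)
    ("mail.outside.invalid", "user@hosted.example"),       # normal inbound
    ("host1.hosted.example", "anyone@elsewhere.invalid"),  # PTR claims to be local
    ("mail.outside.invalid", "no-such-user@sub.hosted.example"),
    ("mail.outside.invalid", "anyone@elsewhere.invalid"),  # plain relay attempt
    ("mail.outside.invalid", "user@nothosted.example"),    # suffix, not subdomain
]


def evaluate(cases=CASES):
    return [(check_relay_domains(c, r), reject_unauth_destination(c, r))
            for c, r in cases]


if __name__ == "__main__":
    for (client, rcpt), (crd, rud) in zip(CASES, evaluate()):
        print(f"{client:22} -> {rcpt:32} check_relay_domains={crd:7} "
              f"reject_unauth_destination={rud}")
```

The second case is the reverse-DNS concern from the message, and the third is the limitation it notes: a recipient in a hosted domain passes either check whether or not the user exists.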