Re: Addresses filtering for only one supported domain

From: mouss (mlist.onlyfree.fr)
Date: Wed Nov 28 2007 - 10:52:48 CST


Laurent Neiger wrote:
> Hello all,
>
> I'd like to make some tuning in my postfix config but I cannot
> find out if it's possible...
>
> I have a postfix 2.3.8-2 which sits on a server and supports
> several domains: a main one, for our users, and other ones, for
> conferences, external projects, etc.
>
> This mail server is not our MX, as we have a frontal SMTP gateway
> running qpsmtpd which, in association with spam-assassin, rejects
> spam on the fly (before the end of the smtp transaction, before
> accepting the mail) and forwards ham to the postfix server for
> local delivery.
>
> But this gateway only acts for our main domain; mail addressed
> to our other domains arrives directly at the postfix machine.
> So the postfix machine is accepting TCP/25 connections from
> anywhere (as a normal MX)...
>
> One trick we encounter is that we occasionally receive spam for our
> main domain because it is addressed directly to the postfix server.
> Some spammers seem to have found out they can skip our gateway
> by not asking the DNS for the MX but sending directly to the postfix
> server.
>
> Thus (thanks guys for having kept reading, my question is here!)
> I'd like to configure postfix to accept connections only from
> our local domain (for local mail) or our gateway (for mail coming
> from outside) but ONLY for our main domain.
>
> In effect, I can't put an ACL on the postfix server as for delivery
> for other domains, external emails must arrive directly.
>
> And in postfix docs, I see configs to allow/reject mail depending
> on sender parameters (e.g. check_client_address, check_sender_address,
> ...) but these seem to apply to the whole configuration, all the supported
> domains or destinations, so I can't reject all external connections here...
>

smtpd_recipient_restrictions =
        ...
        reject_unauth_destination
        # allow our gateway
        check_client_access cidr:/etc/postfix/trusted_client
        # block mail to main domain
        check_recipient_access hash:/etc/postfix/block_main_domain
        ...

== trusted_client:
10.1.2.0/24 OK

== block_main_domain:
main.example.com REJECT

In short:
1. if it is our gateway, allow
2. if it is to main domain, block (the gateway was allowed in step 1)
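The two-step ordering above is the whole point: Postfix stops at the first restriction that returns OK or REJECT, so the gateway's OK must come before the main-domain REJECT. The following is an added Python model of that first-match evaluation (not part of mouss's reply or of Postfix itself); the table contents, the LOCAL_DOMAINS set and the 203.0.113.9 client address are constructed sample values, and the hash lookup is simplified to full address then domain.

```python
import ipaddress

# Constructed stand-ins for the two lookup tables in the posted config.
TRUSTED_CLIENT = ["10.1.2.0/24"]                    # cidr:/etc/postfix/trusted_client -> OK
BLOCK_MAIN_DOMAIN = {"main.example.com": "REJECT"}  # hash:/etc/postfix/block_main_domain
# Domains this server is final destination for (assumed sample values).
LOCAL_DOMAINS = {"main.example.com", "conf.example.com"}

def domain_of(recipient):
    """Domain part of an address, '' if the address has no '@'."""
    return recipient.rsplit("@", 1)[1].lower() if "@" in recipient else ""

def reject_unauth_destination(client_ip, recipient):
    # Relay control: keep this BEFORE any client OK, or the OK turns
    # the server into an open relay for the whitelisted client.
    return None if domain_of(recipient) in LOCAL_DOMAINS else "REJECT"

def check_client_access(client_ip, recipient):
    addr = ipaddress.ip_address(client_ip)
    for net in TRUSTED_CLIENT:
        if addr in ipaddress.ip_network(net):
            return "OK"
    return None  # no match: DUNNO, fall through to the next restriction

def check_recipient_access(client_ip, recipient):
    # Simplified hash lookup: full address first, then the domain.
    table = BLOCK_MAIN_DOMAIN
    return table.get(recipient.lower()) or table.get(domain_of(recipient))

def evaluate(restrictions, client_ip, recipient):
    """First restriction returning OK/REJECT decides; DUNNO (None) continues.
    An exhausted list means permit, as at the end of smtpd_recipient_restrictions."""
    for restriction in restrictions:
        result = restriction(client_ip, recipient)
        if result is not None:
            return result
    return "OK"

# Order as posted: gateway is whitelisted before the main domain is blocked.
POSTED_ORDER = [reject_unauth_destination, check_client_access, check_recipient_access]
# Same restrictions with the last two swapped: the gateway's mail to the
# main domain is now rejected, which is exactly what the ordering avoids.
SWAPPED_ORDER = [reject_unauth_destination, check_recipient_access, check_client_access]
```

Running `evaluate(POSTED_ORDER, ...)` for the gateway, an outside host writing to the main domain, and an outside host writing to a conference domain shows the three intended outcomes (OK, REJECT, OK); the SWAPPED_ORDER list shows the gateway being rejected.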

> Is there a way to tell postfix to apply a policy for one (or some) of
> its supported domains (destinations), and another policy to the
> other ones?
>
> Thanks a lot in advance for your help,
>
> I hope to read from you soon and of course can sharpen the description
> of my problem or config if you need.
>
> Best regards,
>
> Laurent.
>
>