From: EHCnet Help (help@ehcnet4.net)
Date: Mon Jul 21 2008 - 05:22:26 CDT
Magnus
Thanks
See comments/queries below
Rod
----- Original Message -----
From: "Magnus Bäck" <magnus@dsek.lth.se>
To: <postfix-users@postfix.org>
Sent: Monday, July 21, 2008 10:30 AM
Subject: Re: Restricting source of incoming messages
> On Monday, July 21, 2008 at 11:29 CEST,
> EHCnet Help <help@ehcnet4.net> wrote:
>
> > I have postfix on a server which needs to accept mail from only two
> > directions:
> >
> > 1. incoming mail from a commercial service which vets mail for spam
> > etc - my domain's MX records point to this and the service then
> > forwards to my server.
> >
> > 2. outgoing mail from users with mail accounts on the server but
> > who all connect remotely from a diverse and changing range of servers
> > and IP addresses
> >
> > I have SASL set up to allow mail to be sent as in 2 above, and this
> > works OK, but ...
> >
> > How do I specify that the incoming mail (1 above) is only to be
> > permitted from two specific hosts? (Preferably by host name or domain
> > name rather than by IP address)
>
> mynetworks = 1.2.3.4, 1.2.3.5
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject
>
> You could do the equivalent with check_client_access and your validhosts
> files instead of using mynetworks/permit_mynetworks. One point of doing
> the above is that you won't risk rate-limiting your external inbound
> relay servers (see anvil(8)).
>
OK
But is there any way of achieving the same effect with hostnames or domain names instead
of IPs? The IPs could be changed without notice by the external service.
>
> > smtpd_client_restrictions = check_client_access hash:/etc/postfix/validhosts, reject
> > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_security_options = noanonymous
> > transport_maps = hash:/etc/postfix/transport
> > unknown_local_recipient_reject_code = 450
> > virtual_mailbox_domains = $transport_maps
>
> Don't reuse maps like that. What would happen if you, for example, would
> add hotmail.com to your transport table?
>
OK
> > -----------
> >
> > validhosts contains:
> >
> > -----------
> > 123.123.123.123 OK
> > 123.123.123.124 OK
> > -----------
> > where 123.123.123 and .124 are the known hosts.
> >
> > Supplementary question:
> >
> > I would rather use the hostname, as the commercial service could
> > change their IPs without notice, but if I substitute:
> >
> > knownhost1.externalservice.com OK
> > knownhost2.externalservice.com OK
> >
> > this doesn't seem to work. What am I doing wrong here?
>
> Well, it won't work with IP addresses either since they'll be
> rejected by the final reject action in smtpd_recipient_restrictions.
It works at present, but I guess this is because I don't have a final reject as you are
recommending.
> Don't spread out the checks between smtpd_client_restrictions and
> smtpd_recipient_restrictions.
>
> --
> Magnus Bäck
> magnus@dsek.lth.se
>
>
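The two restriction lists discussed above (one ending in a final reject, one ending in reject_unauth_destination) and the hostname-versus-IP question can be worked through in a small Python model of how Postfix walks a restriction list and which keys check_client_access tries for a client. This is an added illustration, not code from either poster and not Postfix's own code: it reimplements the lookup order documented in access(5) (client hostname, parent domains, IPv4 address, then shorter network prefixes) and the left-to-right, first-decision-wins evaluation of smtpd(8). The host names, addresses, the LOCAL_DOMAINS set and the client sessions are constructed for the example. The relay_no_rdns case is the caveat a practitioner should keep in mind when preferring hostnames: Postfix derives the client name from reverse DNS, and if the vetting service's PTR record is missing or does not verify against a forward lookup the client is named "unknown", so a hostname entry in validhosts cannot match it and only an address entry could.

```python
"""Model of the Postfix restriction evaluation discussed in the thread.

Simplified stand-in written for illustration; it does not call Postfix.
It models two things from access(5) and smtpd(8):
  * the key order check_client_access uses for a client (hostname, parent
    domains, IPv4 address, shorter network prefixes), and
  * left-to-right evaluation of a restriction list: the first restriction
    returning permit or reject decides, DUNNO moves on, and running off the
    end of the list is an implicit permit.
Names, addresses and domains below are constructed, not from the thread.
"""
import ipaddress

# Constructed access table standing in for hash:/etc/postfix/validhosts.
VALIDHOSTS = {
    "knownhost1.externalservice.com": "OK",
    "knownhost2.externalservice.com": "OK",
}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
# Assumption: the domain this server accepts mail for (reject_unauth_destination).
LOCAL_DOMAINS = {"ehcnet4.net"}


def access_lookup_keys(client_name, client_addr, parent_matches_subdomains=True):
    """Return the keys Postfix tries, in order, for check_client_access.

    With smtpd_access_maps listed in parent_domain_matches_subdomains (the
    default) an entry "externalservice.com" also matches its subdomains;
    without it the subdomain form has to be written ".externalservice.com".
    A client whose reverse DNS failed or did not verify is named "unknown";
    this model then tries no hostname keys, so only address keys can match.
    """
    keys = []
    if client_name != "unknown":
        labels = client_name.split(".")
        keys.append(client_name)
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = client_addr.split(".")
    for i in range(len(octets), 0, -1):
        keys.append(".".join(octets[:i]))
    return keys


def check_client_access(table, client):
    """First matching table entry wins; no entry at all means DUNNO."""
    for key in access_lookup_keys(client["name"], client["addr"]):
        if key in table:
            return table[key]
    return "DUNNO"


def evaluate(restrictions, client, recipient, table=VALIDHOSTS):
    """Evaluate a smtpd_*_restrictions list for one client and one recipient."""
    rcpt_domain = recipient.rpartition("@")[2]
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ipaddress.ip_address(client["addr"]) in n for n in MYNETWORKS):
                return "permit"
        elif r == "permit_sasl_authenticated":
            if client["sasl"]:
                return "permit"
        elif r == "check_client_access":
            action = check_client_access(table, client)
            if action == "OK":
                return "permit"
            if action.startswith("REJECT"):
                return "reject"
        elif r == "reject_unauth_destination":
            if rcpt_domain not in LOCAL_DOMAINS:
                return "reject"
        elif r == "reject":
            return "reject"
        else:
            raise ValueError("unsupported restriction in this model: " + r)
    return "permit"  # implicit permit at the end of the list


# Constructed client sessions (documentation-range addresses).
CLIENTS = {
    "relay": {"name": "knownhost1.externalservice.com", "addr": "198.51.100.10", "sasl": False},
    "relay_no_rdns": {"name": "unknown", "addr": "198.51.100.11", "sasl": False},
    "roaming_user": {"name": "cpe-203-0-113-7.example.net", "addr": "203.0.113.7", "sasl": True},
    "stranger": {"name": "mx.example.org", "addr": "192.0.2.5", "sasl": False},
}

# One list with a final reject, as suggested in the reply, but with the
# hostname access table in place of mynetworks.
CLOSED_LIST = ["permit_mynetworks", "permit_sasl_authenticated",
               "check_client_access", "reject"]
# A list ending in reject_unauth_destination: not an open relay, but any
# client on the Internet may deliver to the local domain.
MX_LIST = ["permit_mynetworks", "permit_sasl_authenticated",
           "reject_unauth_destination"]


def decide(restrictions, who, recipient="user@ehcnet4.net"):
    return evaluate(restrictions, CLIENTS[who], recipient)


if __name__ == "__main__":
    for who in CLIENTS:
        print(f"{who:14s} closed={decide(CLOSED_LIST, who):6s} mx={decide(MX_LIST, who)}")
```

Run as a script it prints one line per constructed client under both lists. The thing to notice is the stranger: the list ending in reject_unauth_destination lets it deliver to the local domain (that is what an ordinary MX must do), while the list ending in reject turns it away, which is the behaviour the original question asked for. Keeping the whole policy in one list, as the reply recommends, is also what makes that final reject safe to reason about.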