Re: Enforcing sending domain from the inside network

From: D. Karapiperis (dimkarthessaloniki.gr)
Date: Tue Dec 30 2008 - 10:37:23 CST


mouss wrote:
> D. Karapiperis wrote:
>
>> Hi All
>>
>>> I have a question regarding postfix restrictions.
>>>
>>> Is there a way for Postfix to enforce some kind of policy so that all
>>> the outgoing (allowed) mails be " business.com" and all the others be
>>> rejected.
>>> Of course this policy should be enforced only to the outgoing emails
>>> not in the incoming.
>>>
>>>
>> - if mail comes from mynetworks, require that the sender address is
>> *example.com. you can do this with a restriction class based on
>> check_client_access.
>>
>>
>> Thanks for the reply
>>
>> I did this
>>
>> mynetworks = cidr:/etc/postfix/inside_network
>>
>> smtpd_restriction_classes=
>> from_inside_network
>>
>> from_inside_network =
>> check_client_access cidr:/etc/postfix/inside_network
>>
>>
>> smtpd_recipient_restrictions =
>> check_sender_access hash:/etc/postfix/sending-domains,
>> reject_unauth_destination
>>
>>
>>
>> /etc/postfix/inside_network
>> 192.168.2.0/24 OK
>> 127.0.0.0/8 OK
>>
>>
>> /etc/postfix/sending-domains
>> business.gr from_inside_network
>>
>> So I did a logical AND -> all clients from my network have the relay
>> privilege and moreover they can send e-mails only from business.gr
>> (hopefully)
>>
>
> This configuration is:
>
> - ugly because you mix unrelated tasks. blocking relay and enforcing
> outbound sender domain are two different tasks. The keywords here are:
> clarity, self-documentation, maintenance, etc. some day, you may want to
> allow your boss to post with his jackinthebox address, and you will edit
> the "sending-domains" table. some day, you may want to allow some other
> sender domains. That day, you will lose your hair trying to put ORs
> inside your ANDs. De Morgan laws are hard to put in simple key-value maps.
>
> - unsafe because if you or someone else edits sending-domains, you could
> become an open relay. oh yes, bad things do happen.
>
> - pointless. it brings nothing compared to what I suggested.
>
>
> Unless you really know what you are doing and why (and even then, you
> should think 3.1415... times [yeah, you'll have to do it until the last
> digit of PI ;-p]),
> - avoid using check_*_access before reject_unauth_destination
> - use smtpd_recipient_restrictions for relay control and spam fighting
> - use other restrictions to implement local policy (enforce outbound
> sender domain as you want to do, make some addresses "local only", ...
> etc).
>
>
> PS. There is no point to reinvent built-in functionality (your
> from_inside_network is exactly permit_mynetworks).
>
>
>
>> I need to test it on a production server.
>>
>>
>>
>>
>
>
>
>

Thanks for the reply.
I did the from_inside_network thing to do the logical AND regarding the
sending domain. Is there any way to do this with permit_mynetworks?

Is there any way to permit local users (from the inside network) to send
emails using the business domain in a clear and nice way in postfix?

thanks
Dimitris
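The separation mouss recommends, written out as a configuration. This is an added illustration, not a configuration posted in the thread or shipped with Postfix; the map file paths, the restriction class name inside_sender_policy and the commented-out boss address are my own choices. Relay control stays in smtpd_recipient_restrictions with permit_mynetworks in place of the home-grown class, and the sender-domain policy lives in smtpd_sender_restrictions, where a check_client_access lookup hands inside clients to a restriction class that accepts only listed sender domains:

```ini
# --- /etc/postfix/main.cf (fragment) ---
# Networks taken from the original post.
mynetworks = 192.168.2.0/24, 127.0.0.0/8

# 1. Relay control and nothing else. permit_mynetworks replaces the
#    home-grown from_inside_network class; every client that is not
#    in mynetworks reaches reject_unauth_destination.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# 2. Local policy, kept apart from relay control: a client that comes
#    from the inside network must use an approved envelope sender domain.
#    A client that is not listed in inside_clients gets no result from
#    check_client_access and falls through, so inbound mail from the
#    Internet is not affected, as the original question required.
smtpd_restriction_classes = inside_sender_policy
inside_sender_policy =
    check_sender_access hash:/etc/postfix/inside_sender_domains,
    reject

smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/inside_clients

# --- /etc/postfix/inside_clients (cidr table) ---
# The lookup result is the name of the restriction class to apply.
192.168.2.0/24   inside_sender_policy
127.0.0.0/8      inside_sender_policy

# --- /etc/postfix/inside_sender_domains (hash table; run postmap after editing) ---
# Editing this table only changes which sender domains inside clients may
# use. It can never turn the server into an open relay, because relay
# control is decided entirely in smtpd_recipient_restrictions above.
# With the default parent_domain_matches_subdomains setting this entry
# also matches subdomains of business.gr.
business.gr      OK
# Allow the null sender so inside hosts can still emit bounces and DSNs;
# "<>" is the default smtpd_null_access_lookup_key.
<>               OK
# The "boss with an outside address" case mouss mentions is one more OK
# line, and a full address works as well (hypothetical address):
#boss@jackinthebox.example   OK
```

After `postmap /etc/postfix/inside_sender_domains` and `postfix reload`, `postmap -q business.gr hash:/etc/postfix/inside_sender_domains` should print OK and `postconf -n` should show the restrictions as written. To exercise the policy, send from a host in 192.168.2.0/24 with an envelope sender in a domain that is not in the table: the session should end with a permanent 5xx rejection at RCPT TO (smtpd_delay_reject is on by default), logged as a `NOQUEUE: reject` line in the mail log, while the same message with a business.gr sender is accepted.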