Re: Enforcing sending domain from the inside network

From: D. Karapiperis (dimkarthessaloniki.gr)
Date: Tue Dec 30 2008 - 15:19:48 CST


Wietse Venema wrote:
> Since he asked for a "nice" way to specify this in Postfix, a "nice"
> implementation of this would look like this:
>
> /etc/postfix/main.cf:
> smtpd_sender_restrictions = permit_mydomain, reject_mynetworks
>
> Where the details are hidden by restriction classes:
>
> /etc/postfix/main.cf:
> restriction_classes = permit_mydomain, reject_mynetworks
> permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
> reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr
>
> hash:/etc/postfix/sender_access
> example.com permit
>
> /etc/postfix/client_access.cidr
> 192.168.0.0/24 reject must send mail as user@example.com
>
> Note that moving this into smtpd_recipient_restrictions would
> make this an open relay, as anyone can claim to have a sender
> address in your domain.
>
> Wietse
>

Many thanks for your replies, you really help a lot.

I cannot understand why, if we move the statement to
smtpd_recipient_restrictions, we will end up with an open relay.
Again, check_sender_access will examine the MAIL FROM, right?
And the client access the IP, right?

Probably I am missing something.

Thanks again
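
Why the placement matters, as an added example (not part of the original messages and not Postfix code): a simplified Python model of restriction-list evaluation, in which a permit ends only the list it appears in, so a permit in the sender list still leaves the relay check in the recipient list to run. The recipient list contents (permit_mynetworks, reject_unauth_destination), LOCAL_DOMAINS and the sample sessions are assumptions.

```python
import ipaddress

MYDOMAIN = "example.com"                         # sender_access entry from the thread
INSIDE = ipaddress.ip_network("192.168.0.0/24")  # client_access.cidr entry from the thread
LOCAL_DOMAINS = {"example.com"}                  # assumption: domains this server accepts mail for

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def _inside(s):
    return ipaddress.ip_address(s["client"]) in INSIDE

# Each restriction returns "PERMIT", "REJECT" or "DUNNO" (no opinion, try the next one).
def permit_mydomain(s):            # thread's class: check_sender_access on MAIL FROM
    return "PERMIT" if _domain(s["sender"]) == MYDOMAIN else "DUNNO"

def reject_mynetworks(s):          # thread's class: check_client_access on the client IP
    return "REJECT" if _inside(s) else "DUNNO"

def permit_mynetworks(s):          # built-in; mynetworks assumed equal to INSIDE
    return "PERMIT" if _inside(s) else "DUNNO"

def reject_unauth_destination(s):  # built-in relay protection (relay_domains ignored here)
    return "DUNNO" if _domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def run_list(restrictions, s):
    # The first PERMIT or REJECT ends this list; later entries are never consulted.
    for r in restrictions:
        verdict = r(s)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"

def accepts(sender_list, recipient_list, s):
    # Every list is evaluated; a REJECT from any one of them refuses the recipient.
    return all(run_list(lst, s) != "REJECT" for lst in (sender_list, recipient_list))

RELAY_GUARD = [permit_mynetworks, reject_unauth_destination]
AS_POSTED = ([permit_mydomain, reject_mynetworks], RELAY_GUARD)
MOVED = ([], [permit_mydomain, reject_mynetworks] + RELAY_GUARD)

# Constructed sessions (documentation addresses, not taken from the thread).
OUTSIDER_FORGING = {"client": "203.0.113.9", "sender": "anyone@example.com", "rcpt": "victim@remote.test"}
INSIDE_WRONG_SENDER = {"client": "192.168.0.5", "sender": "bob@other.test", "rcpt": "victim@remote.test"}
INSIDE_OK = {"client": "192.168.0.5", "sender": "bob@example.com", "rcpt": "victim@remote.test"}

if __name__ == "__main__":
    print("as posted, outsider with forged sender relayed:", accepts(*AS_POSTED, OUTSIDER_FORGING))
    print("moved to recipient list, same session relayed:", accepts(*MOVED, OUTSIDER_FORGING))
```

In the MOVED layout the permit from permit_mydomain is returned before reject_unauth_destination is reached, which is the open-relay condition the quoted note describes.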