Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Tue Aug 17 2010 - 13:48:31 CDT
Sorry I'm so late to the game, Noel - I forgot I implemented a rule to move these to a separate folder. <blush> Thanks to Brian for the heads-up to look. I'll play with this and see how it goes, post a response in a bit. Thanks!
From: owner-postfix-userspostfix.org [mailto:owner-postfix-userspostfix.org] On Behalf Of Noel Jones
Sent: Monday, August 16, 2010 4:47 PM
Subject: Re: Configuring internal mail relay
On 8/16/2010 1:54 PM, Michael.Larsenwellsfargo.com wrote:
> I need to implement a relay on a test network that will
> discard all mail destined for corporate email addresses
> _/except//_/ the corporate email addresses that are explicitly
> allowed. The reason is that my test network is subject to
> quotas, and I have to throttle the traffic through the
> corporate email servers to keep testing going. Stan has been
> graciously helping me offline to try implementing a
> whitelist/blacklist system, but we're still running into
> problems with the configuration - most likely because I'm
> unable to adequately articulate my needs. Essentially what I'm
> after is:
> Relay mail from _/specific/_ test network application hosts to
> _/specific/_ corporate email addresses (whitelist)
> Relay mail from _/one specific/_ test network host to _/any
> corporate //email// address/_ (whitelist)
> "DISCARD" (rather than reject) all other mail traffic that
> hits my relay (blacklist)
> smtpd_recipient_restrictions =
> check_client_access hash:/etc/postfix/whitelist_access
> check_sender_access hash:/etc/postfix/whitelist_access
> check_recipient_access hash:/etc/postfix/whitelist_access
> check_client_access hash:/etc/postfix/blacklist_access
> check_sender_access hash:/etc/postfix/blacklist_access
> check_recipient_access hash:/etc/postfix/blacklist_access
> The problem I'm having is with reject_unauth_destination. If I
> specify the corporate domain name in relay.db, any email
Move reject_unauth_destination to below your white/black
lists. Once you do that, you're on your own to insure you
don't create an open relay, but your access maps give you full
control over who is allowed to relay.
If you need two-factor tests, you can use
smtpd_restriction_classes. The basic idea is explained here:
> I want to relay only the "from hosts"/"to email
> addresses" specified in the whitelist, and DISCARD everything
> else. Is this possible?
Sure... But you'll need to do some work yourself.
Postfix restrictions are a simple first-match-wins. Your
general outline will look like:
... local whitelist ...
... local whitelist ...
Don't use permit_mynetworks (or set mynetworks=127.0.0.1).
Then use as many whitelists as you need to allow the
clients/senders/etc. you want. Use smtpd_restriction_classes
for multiple-factor tests. Using the above outline, anything
not specifically allowed with an OK is discarded; you don't
even need a specific blacklist unless you want to put a
never-relay blacklist before the whitelist.