On Tuesday 11 November 2008 12:01, Noel Jones wrote:
> Kevin P. Knox wrote:
> > On Tuesday 11 November 2008 11:29, Noel Jones wrote:
> >> Kevin P. Knox wrote:
> >>> If you all would be so kind, I need a "pointer" in the general
> >>> direction. I think I'm on the right track, but here's the situation.
> >>>
> >>> I have a Postfix server that performs SMTP relay services ONLY. It
> >>> relays for about six domain names. Final delivery of these six domains
> >>> is handled by three SMTP servers behind our firewall. I want to
> >>> prevent Internet based SMTP servers from forging messages to my users
> >>> from addresses set to be one of our domains. In other words, the ONLY
> >>> sending server that should EVER send messages from mydomain.com is
> >>> 1.2.3.4 (or perhaps 1.2.3.0/24). I want to prevent any other host from
> >>> sending a message having an envelope sender other than 1.2.3.0/24.
> >>> However, I NEED for 1.2.3.4 to be able to send messages from all other
> >>> envelope senders. This particular internal host in question is an IBM
> >>> Mainframe and I'm afraid I'm not terribly knowledgeable on its SMTP
> >>> server at the moment.
> >>
> >> No need for restriction classes if the requirement is:
> >> {allow any sender from the specified client}
> >> {reject your domains as sender from any other client}.
> >>
> >> # main.cf
> >> smtpd_sender_restrictions =
> >>     check_client_access cidr:/etc/postfix/ibmclient
> >>     check_sender_access hash:/etc/postfix/rejectmydomains
> >>
> >> #ibmclient
> >> 1.2.3.4 OK
> >>
> >> # rejectmydomains
> >> example1.com REJECT unauthorized use of sender domain
> >> example2.com REJECT unauthorized use of sender domain
> >> example3.com REJECT unauthorized use of sender domain
> >>
> >>
> >> From your description I'm making the assumption that the set
> >> of clients allowed to relay ($mynetworks) is different from
> >> the set of clients allowed to use these domains as sender.
> >> That's somewhat unusual. If my assumption is wrong, just add
> >> the IBM IP to $mynetworks and use permit_mynetworks rather
> >> than the cidr table above. (Either way will work, but using
> >> permit_mynetworks is easier.)
> >
> > My Postfix server is running 2.2.10, so I don't "think" I can use CIDRs,
> > but can possibly list the internal servers as 32 bit addresses?
> >
> > Thanks!
> >
> > ... Kev
>
> Postfix 2.2 should support cidr tables. Run:
> # postconf -m
> to list the available table types.
>
> If you don't have cidr, you can use a hash table listing that
> single IP (do NOT specify a netmask such as /24 or /32 with
> hash tables). See "man 5 access" for a description of the
> search order.
>
> 1.2.3.4 OK
You are CORRECT! My Postfix server DOES support cidr! Cool! :-) I'm going
to test this in just a little while. Thanks!
... Kev
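The following is an added example, not code from the thread or from Postfix itself: a small Python model of how the two restrictions Noel suggested are evaluated, using the lookup order described in access(5). It assumes Postfix's default parent_domain_matches_subdomains (which lists smtpd_access_maps, so a bare "example1.com" entry also matches senders in its subdomains) and uses constructed client IPs for the tests.

```python
import ipaddress

# Constructed tables mirroring the main.cf fragment quoted above.
IBMCLIENT_CIDR = {"1.2.3.4/32": "OK"}            # cidr:/etc/postfix/ibmclient
REJECTMYDOMAINS = {                              # hash:/etc/postfix/rejectmydomains
    "example1.com": "REJECT unauthorized use of sender domain",
    "example2.com": "REJECT unauthorized use of sender domain",
    "example3.com": "REJECT unauthorized use of sender domain",
}

def check_client_access(cidr_table, client_ip):
    """cidr: table semantics: the first network containing the client wins."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in cidr_table.items():
        if ip in ipaddress.ip_network(net, strict=False):
            return action
    return "DUNNO"                                # no entry: next restriction decides

def check_sender_access(hash_table, sender):
    """hash: lookup order for an address key per access(5): the full address,
    then the domain and each parent domain (subdomain matching assumed on, see
    lead-in), then the user@ part. The null sender has no '@' and never matches."""
    if "@" not in sender:
        return "DUNNO"
    user, domain = sender.rsplit("@", 1)
    labels = domain.lower().split(".")
    keys = [sender.lower()]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(user.lower() + "@")
    for key in keys:
        if key in hash_table:
            return hash_table[key]
    return "DUNNO"

def smtpd_sender_restrictions(client_ip, sender):
    """Evaluate the restrictions in order; the first non-DUNNO result is final.
    OK here only ends the sender stage; relaying is still decided later by
    smtpd_recipient_restrictions, which is why Noel asked about $mynetworks."""
    for result in (check_client_access(IBMCLIENT_CIDR, client_ip),
                   check_sender_access(REJECTMYDOMAINS, sender)):
        if result != "DUNNO":
            return result
    return "DUNNO"
```

The DUNNO result for an outside client using an unrelated sender domain is the intended outcome: those messages are simply left to the remaining restriction stages.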