On Tuesday 11 November 2008 12:01, Noel Jones wrote:
> Kevin P. Knox wrote:
> > On Tuesday 11 November 2008 11:29, Noel Jones wrote:
> >> Kevin P. Knox wrote:
> >>> If you all would be so kind, I need a "pointer" in the general
> >>> direction. I think I'm on the right track, but here's the situation.
> >>>
> >>> I have a Postfix server that performs SMTP relay services ONLY. It
> >>> relays for about six domain names. Final delivery of these six domains
> >>> is handled by three SMTP servers behind our firewall. I want to
> >>> prevent Internet based SMTP servers from forging messages to my users
> >>> from addresses set to be one of our domains. In other words, the ONLY
> >>> sending server that should EVER send messages from mydomain.com is
> >>> 1.2.3.4 (or perhaps 1.2.3.0/24). I want to prevent any other host from
> >>> sending a message having an envelope sender other than 1.2.3.0/24.
> >>> However, I NEED for 1.2.3.4 to be able to send messages from all other
> >>> envelope senders. This particular internal host in question is an IBM
> >>> Mainframe and I'm afraid I'm not terribly knowledgeable on its SMTP
> >>> server at the moment.
> >>
> >> No need for restriction classes if the requirement is:
> >> {allow any sender from the specified client}
> >> {reject your domains as sender from any other client}.
> >>
> >> # main.cf
> >> smtpd_sender_restrictions =
> >>     check_client_access cidr:/etc/postfix/ibmclient
> >>     check_sender_access hash:/etc/postfix/rejectmydomains
> >>
> >> # ibmclient
> >> 1.2.3.4    OK
> >>
> >> # rejectmydomains
> >> example1.com    REJECT unauthorized use of sender domain
> >> example2.com    REJECT unauthorized use of sender domain
> >> example3.com    REJECT unauthorized use of sender domain
> >>
> >>
> >> From your description I'm making the assumption that the set
> >> of clients allowed to relay ($mynetworks) is different from
> >> the set of clients allowed to use these domains as sender.
> >> That's somewhat unusual. If my assumption is wrong, just add
> >> the IBM IP to $mynetworks and use permit_mynetworks rather
> >> than the cidr table above. (Either way will work, but using
> >> permit_mynetworks is easier.)
> >
> > My Postfix server is running 2.2.10, so I don't "think" I can use CIDRs,
> > but can possibly list the internal servers as 32 bit addresses?
> >
> > Thanks!
> >
> > ... Kev
>
> Postfix 2.2 should support cidr tables. run:
> # postconf -m
> to list the available table types.
>
> If you don't have cidr, you can use a hash table listing that
> single IP (do NOT specify a netmask such as /24 or /32 with
> hash tables). See "man 5 access" for a description of the
> search order.
>
> 1.2.3.4    OK
You are CORRECT! My Postfix server DOES support cidr! Cool! :-) I'm going to test this in just a little while. Thanks! ... Kev
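To see why the order of the two lookups in the suggested smtpd_sender_restrictions matters (the cidr client check returning OK stops evaluation before the sender domain table is consulted), here is a small model of that restriction list. It is an added example, not Postfix code or anything from the thread; the tables and addresses are constructed, the lookup keys follow access(5) with the default parent_domain_matches_subdomains behaviour assumed, and the list is assumed to end with Postfix's implicit permit.

```python
# Model of: smtpd_sender_restrictions = check_client_access cidr:ibmclient,
#           check_sender_access hash:rejectmydomains   (added example)
import ipaddress

# cidr table: first matching entry in file order wins (cidr_table(5)).
IBMCLIENT = [("1.2.3.4", "OK")]            # constructed, from the thread

# hash table keyed as access(5) describes; value is the action text.
REJECTMYDOMAINS = {                         # constructed, from the thread
    "example1.com": "REJECT unauthorized use of sender domain",
    "example2.com": "REJECT unauthorized use of sender domain",
    "example3.com": "REJECT unauthorized use of sender domain",
}

def cidr_lookup(table, client_ip):
    ip = ipaddress.ip_address(client_ip)
    for net, action in table:
        if ip in ipaddress.ip_network(net, strict=False):
            return action
    return None                             # no entry: DUNNO, fall through

def sender_keys(sender):
    """Lookup order for an address: user@domain, domain, parent domains
    (assumed: parent_domain_matches_subdomains covers smtpd_access_maps,
    the default), then user@. Assumes sender is of the form user@domain."""
    user, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender, domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    keys.append(user + "@")
    return keys

def hash_lookup(table, sender):
    for key in sender_keys(sender):
        if key in table:
            return table[key]
    return None

def sender_restrictions(client_ip, sender):
    """Walk the restriction list in order: the first OK or REJECT ends
    evaluation; no match at all reaches the implicit permit at the end."""
    checks = (lambda: cidr_lookup(IBMCLIENT, client_ip),
              lambda: hash_lookup(REJECTMYDOMAINS, sender))
    for check in checks:
        action = check()
        if action is not None:
            return action
    return "OK"                             # end of list (assumption)
```

The mainframe client is permitted with any envelope sender because the cidr lookup matches first; every other client is rejected only when the sender domain (or a subdomain of it) is in the hash table.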