On Sun, 18 Jan 2009, Jacky Chan wrote:

Noel Jones-2 wrote:

Jacky Chan wrote:
Dears,

I have several digital senders (scanning machines) on site, which relay through my Postfix 2.5 as their default email gateway. By my requirement, they may only send mail to the INTRANET; I need to restrict those machines from sending mail to the Internet.

Currently, I have set up a user-based restriction but with no SMTP authentication. The details are (example):

/etc/postfix/restricted_senders
/....@abc\.com/            local_only
/a...@abc\.com/            OK

/etc/postfix/main.cf
smtpd_recipient_restrictions =
        check_sender_access regexp:/etc/postfix/restricted_senders,

**DANGER** an OK in the above map makes your server a
sender-based open relay.  This is bad.

        permit_mynetworks, reject_unauth_destination
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_only,
        reject

/etc/postfix/local_only
subdomain1.abc.com            OK
subdomain2.abc.com            OK

From the above setting, I can successfully restrict those machines from sending outside. But I would like to clarify whether the only way to identify the sender is by SMTP authentication, because not all the machines support SMTP client authentication. I am thinking whether I can set up a restriction based on IP rather than sender, because the SMTP sender is not always trusted.

Thank you very much.



Yes, it's easy to restrict relay access based on IP.

The easiest way to do that is by excluding them from mynetworks
http://www.postfix.org/postconf.5.html#mynetworks

# main.cf
mynetworks =
   !192.168.1.55
   !192.168.1.56
   192.168.1.0/24
smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination


--
Noel Jones



Thanks Noel. If we take the above example configuration in main.cf for mynetworks, 192.168.1.0/24 would be able to relay. Back to my starting point: can we restrict the clients in 192.168.1.0/24 from sending mail to the Internet and thus make them Intranet-only?

In Noel's example, 192.168.1.55 and 192.168.1.56 would NOT be able to relay. Anyone else would.
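Combining Noel's IP-keyed approach with Jacky's restriction class gives the intranet-only setup Jacky asked for: the scanners are recognised by their client IP rather than by MAIL FROM, so no SASL authentication and no sender-based OK entry is needed. This is an added example, not configuration from the thread. The scanner addresses 192.168.1.55 and 192.168.1.56 and the domain names come from the messages above; the map file name /etc/postfix/scanner_clients is an assumption, and both hash maps must be built with postmap before Postfix can read them.

```conf
# main.cf  (added example, not from the thread)
mynetworks = 127.0.0.0/8, 192.168.1.0/24

smtpd_restriction_classes = local_only

# Scanners may deliver only to the intranet domains listed in the map;
# any other recipient is rejected before permit_mynetworks is reached.
local_only =
    check_recipient_access hash:/etc/postfix/local_only,
    reject

# check_client_access is keyed on the connecting IP address, so a forged
# MAIL FROM cannot escape it. It must come before permit_mynetworks,
# because Postfix stops at the first restriction that returns a result.
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/scanner_clients,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/scanner_clients  (assumed file name)
# build with: postmap hash:/etc/postfix/scanner_clients
192.168.1.55    local_only
192.168.1.56    local_only

# /etc/postfix/local_only
# build with: postmap hash:/etc/postfix/local_only
# A bare domain key matches every address at that domain.
subdomain1.abc.com    OK
subdomain2.abc.com    OK
```

Because the class ends in reject, a scanner never falls through to permit_mynetworks, so its address does not need a "!" exclusion in mynetworks; every other host in 192.168.1.0/24 relays exactly as in Noel's example. The only OK in the whole chain is inside local_only, which is reached solely by the listed scanner IPs and only for recipients in the intranet domains, so no sender-based open relay is created. The client lookup can be checked without sending mail: `postmap -q 192.168.1.55 hash:/etc/postfix/scanner_clients` should print local_only.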
