On Friday, March 13, 2009 at 22:09 CET,
     "M. Rodrigo Monteiro" <[email protected]> wrote:

> I have a Postfix as gateway for other domains (domain1, domain2, domain3).
> When domain1 sends an e-mail to domain2, it goes to Postfix and then to
> domain2, and vice-versa.
> When domain2 sends an e-mail to the Internet, it goes to Postfix and then
> to the Internet.

Don't think in terms of "Postfix relays mail for domain X". Relay
control is made on the basis of the client address (or authentication)
and, unless you actively configure it otherwise, the sender domain is
irrelevant.

> I want to know where to put the IPs of domain1 (2 and 3) to allow them
> to relay through Postfix.
> I put them in network_table
> 
> mynetworks = hash:/etc/postfix/network_table
> 
> /etc/postfix/network_table
>   IP_DOMAIN_1 OK
>   IP_DOMAIN_2 OK

Yes, this is fine.

> smtpd_sender_restrictions =
>     permit_mynetworks,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     check_client_access regexp:/etc/postfix/white_list_ip,
>     permit

If this check_client_access restriction only returns OK it's useless
since it only exempts clients from the permit restriction.

> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_unauth_pipelining,
>     reject_multi_recipient_bounce,
>     reject_unauth_destination,
>     check_sender_access regexp:/etc/postfix/white_list_from,
>     check_recipient_access regexp:/etc/postfix/white_list_to,
>     check_sender_access regexp:/etc/postfix/black_list_from,
>     check_recipient_access regexp:/etc/postfix/black_list_to,
>     check_client_access regexp:/etc/postfix/black_list_ip,
>     check_client_access regexp:/etc/postfix/black_list_client_ip,
>     check_policy_service inet:127.0.0.1:2501,
>     permit
> 
> smtpd_client_restrictions =
>     regexp:/etc/postfix/ip-access,
>     permit
> 
> The problem is that the verifications in check_sender_access and
> check_recipient_access are not in action, because of the permit_mynetworks
> at the beginning of smtpd_recipient_restrictions.

Okay, so move those restrictions above permit_mynetworks. When placing
check_sender_access restrictions above reject_unauth_destination in
smtpd_recipient_restrictions, you must be very careful not to return
OK in that table since that would make you an open relay. If the
restriction must apply for clients in mynetworks, I suggest you move
the restriction to smtpd_sender_restrictions instead. That way your
server cannot turn into an open relay (for that reason, anyway).

-- 
Magnus Bäck
[email protected]

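One way to lay out the two restriction lists along the lines Magnus describes, as an added example and not something either poster wrote. The table paths are reused from the quoted configuration; the sample regexp entries (a TEST-NET address range and an example.com sender) are made up for illustration, and everything else about the site is an assumption.

```text
# main.cf excerpt (added example, not the original poster's configuration).
#
# Sender rules that must also apply to clients in mynetworks go in
# smtpd_sender_restrictions, above permit_mynetworks. An OK result here
# only ends this list; it cannot grant relaying, because
# reject_unauth_destination in smtpd_recipient_restrictions is still
# evaluated at RCPT TO time (smtpd_delay_reject = yes, the default).
smtpd_sender_restrictions =
    check_sender_access regexp:/etc/postfix/black_list_from,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# In smtpd_recipient_restrictions, every table placed above
# reject_unauth_destination may return REJECT or DUNNO but never OK:
# an OK there would let that client relay to any destination.
# Below reject_unauth_destination only mail for our own domains (or from
# mynetworks) is left, so an OK from a whitelist merely skips the policy
# service. Order also sets precedence: a blacklist hit above wins over a
# whitelist entry below.
smtpd_recipient_restrictions =
    check_recipient_access regexp:/etc/postfix/black_list_to,
    check_client_access regexp:/etc/postfix/black_list_ip,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    reject_unauth_destination,
    check_sender_access regexp:/etc/postfix/white_list_from,
    check_recipient_access regexp:/etc/postfix/white_list_to,
    check_policy_service inet:127.0.0.1:2501,
    permit

# /etc/postfix/black_list_ip (regexp table; made-up sample entries).
# This table is consulted before reject_unauth_destination, so only
# REJECT (or DUNNO) results belong here.
/^192\.0\.2\./          REJECT Client network blocked by policy

# /etc/postfix/black_list_from (regexp table; made-up sample entries).
# Anchor the pattern, otherwise it also matches longer addresses.
/^bulk@example\.com$/   REJECT Sender blocked by policy
```

To check what a table returns for a given key without sending mail, use `postmap -q 192.0.2.10 regexp:/etc/postfix/black_list_ip` (it prints the result, or nothing on no match); `postconf -n` shows the effective non-default settings, and the daemon picks up main.cf changes after `postfix reload`. Comments in main.cf must start in column 1 outside a parameter value; Postfix does not support comment lines interleaved with continuation lines, which is why the explanations above sit before each parameter rather than inside it.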