On 2024-02-03 at 08:52:17 UTC-0500 (Sat, 3 Feb 2024 05:52:17 -0800) Dan Mahoney via Postfix-users <d...@prime.gushi.org> is rumored to have said:
> All,
>
> Pretty simple question:
>
> We have an internal domain, zimbra.example.org, but it's only used for
> internal routing of our corporate mail (there's a master delivery map that
> controls what addresses at example.org route to zimbra.example.org). We have
> other domains under example.org such as list servers, ticket systems, and the
> like, many of which have example.org addresses pointing at them.
>
> In no case should anything on the outside be directing mail directly to
> zimbra.example.org, and it is firewalled so only our border MXes can talk to
> it.
>
> Is there a way to reject mail destined to an internal domain (like
> zimbra.example.org) such that only our internal machines can deliver to it,
> but that any host on the outside gets an immediate reject notice from our
> border MXes?

There are ways to do almost anything...

One way to implement this is to use restriction classes. I do this for some of my list-specific addresses that get scraped for spam, but it would work just as well for a domain, e.g.:

main.cf:
    smtpd_restriction_classes = privdom
    smtpd_recipient_restrictions = ...,check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,...
    privdom = check_client_access hash:/etc/postfix/privdom-allow, reject

recipient_checks.pcre:
    [...]
    /^.*@zimbra\.example\.org$/ privdom
    [...]

privdom-allow:
    # OK ends the class with a permit; DUNNO would fall through to the trailing "reject"
    .example.org OK
    192.0.2      OK

Where 192.0.2.0/24 is your privileged network and you want to allow anyone on that network or any client with a verified hostname under example.org.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
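A simplified model of how a restriction class like privdom is walked for one RCPT TO, showing how the action returned by the client table decides whether the trailing reject is reached. This is an added example, not code from the thread or from Postfix; the tables, sample clients and function names are constructed, and the leading-dot domain key assumes smtpd_access_maps is not listed in parent_domain_matches_subdomains.

```python
import re

# Constructed data mirroring the thread's files; a simplified IPv4-only model, not Postfix code.
RECIPIENT_CHECKS = [(re.compile(r"@zimbra\.example\.org$"), "privdom")]
CLASSES = {"privdom": ["check_client_access", "reject"]}

def client_keys(hostname, ip):
    """Keys tried in access(5) order: hostname, .parent domains, IP, network prefixes."""
    keys = []
    if hostname != "unknown":  # "unknown" means no verified client hostname
        labels = hostname.split(".")
        keys.append(hostname)
        # Assumption: leading-dot form, as used in the post's privdom-allow table.
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys

def check_client_access(table, hostname, ip):
    for key in client_keys(hostname, ip):
        if key in table:
            return table[key]  # first match wins, including an explicit DUNNO
    return "DUNNO"  # nothing matched

def evaluate(table, rcpt, hostname, ip):
    """Return 'permit', 'reject' or 'continue' (to later restrictions) for one RCPT TO."""
    for pattern, cls in RECIPIENT_CHECKS:
        if not pattern.search(rcpt):
            continue
        for restriction in CLASSES[cls]:
            if restriction == "reject":
                return "reject"
            action = check_client_access(table, hostname, ip)
            if action == "OK":
                return "permit"
            if action == "REJECT":
                return "reject"
            # DUNNO: no decision, move on to the next restriction in the class
    return "continue"

ALLOW_OK = {".example.org": "OK", "192.0.2": "OK"}
ALLOW_DUNNO = {".example.org": "DUNNO", "192.0.2": "DUNNO"}
RCPT = "user@zimbra.example.org"
CLIENTS = [("mx1.example.org", "198.51.100.7"), ("unknown", "192.0.2.25"),
           ("mail.example.net", "203.0.113.9")]

if __name__ == "__main__":
    for name, table in (("OK", ALLOW_OK), ("DUNNO", ALLOW_DUNNO)):
        for host, ip in CLIENTS:
            print(name, host, ip, "->", evaluate(table, RCPT, host, ip))
```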