Daniel L. Miller wrote:
Noel Jones wrote:
Sahil Tandon wrote:
On Tue, 07 Jul 2009, Sahil Tandon wrote:
On Tue, 07 Jul 2009, Daniel L. Miller wrote:
So...my initial thought was I'd have to create a public Internet
name for the fax gateway, and apply some level of security to only
accept submissions from Intuit. However, I'm now wondering if I
can accomplish the same thing by using address extensions instead
of a different server name. So I'd be sending emails to
"1234567890+...@mydomain.com", and Postfix would then identify a
fax is to be sent by the extension, translate that to
"1234567...@fax.myinternaldomain.com", and process accordingly. I
would still have to protect the "fax" extension, but my thought is
that the extension would be less likely to be probed than a
published DNS name, and therefore be subject to fewer attacks.
Use some sort of virtual alias mapping along with ensuring that
foo+...@example.org is valid at SMTP time. Untested example:
/^(\d+)\+...@mydomain.com$/ $...@fax.myinternaldomain.com
Just to clarify, the above is a PCRE map example.
I think it's more natural to implement the other way around...
fax+num...@example.com
where f...@example.com is a valid user with a transport map pointing to
the fax software interface, and the address extension is the phone
number.
Or better, use a subdomain:
num...@fax.example.com
either way, use smtpd_*_restrictions to restrict access to the recipient.
-- Noel Jones
As stated originally, I didn't want to use a subdomain because (am I
wrong?) that would require publishing that subdomain via my DNS, which
increases the possibility of an attack.
The mapping example shown (regardless of the position of the "fax"
keyword) - which main.cf parameter is used? Would I use
recipient_canonical_maps and local_header_rewrite_clients? My
virtual_alias_maps is currently an LDAP lookup.
Use Sahil's pcre expression with virtual_alias_maps.
-- Noel Jones
