On Mon, Dec 14, 2009 at 01:12:52PM +0100, Jack Knowlton wrote:
> Hi all.
> I currently have this smtpd_sender_restrictions setup on a mail server
> hosting several domains:
> 
> smtpd_sender_restrictions =
>         permit_mynetworks,
>         reject_non_fqdn_sender,
>         check_sender_access hash:/usr/local/etc/postfix/sender_checks,
>         check_sender_access hash:/usr/local/etc/postfix/origin_checks,
>         reject_unknown_sender_domain,
>         reject_rbl_client dul.dnsbl.sorbs.net,
>         reject_rbl_client dnsbl.njabl.org,
>         reject_rhsbl_sender dsn.rfc-ignorant.org,
>         permit
> 
> It seems that the users on one of the domains receive a lot of mail from
> internal/restricted addresses (e.g. "ms1.local" or "something.lan") which of
> course are rejected by reject_unknown_sender_domain.
> Is it possible to disable that restriction for one particular domain only
> and keep it enforced for all the other mail?

Lots of options. Surely you're not receiving these invalid sender
addresses over the Internet, are you? Or if so, they are coming from
a finite number of known hosts? In these cases, simply precede the
reject_unknown_sender_domain with a check_client_access whitelist:
    check_client_access cidr:/usr/local/etc/postfix/origin_whitelist
which contains:
    10.0.0.0/8    permit_auth_destination
    192.0.2.2     permit_auth_destination
and so on, as needed. (Since you're using smtpd_sender_restrictions
it's fine to use "OK" or "permit" as the lookup result.)

Another approach: make the addresses valid. It's not unreasonable to
ask the sender[s] to change the addresses, at least to be something
likely unique ... @companyname.local, @lan.your.domain, whatever.
Then you'd have numerous reasonably safe means of whitelisting those
addresses. Or, make them resolve! This is easy to set up with a tool
like dnsmasq(8); less easy but also doable with ISC BIND named(8).

These so far would all be global, applied to any recipient domain. If
it really has to be nailed down, use restriction classes, so that a
check_recipient_access lookup (for the one recipient domain) invokes
a check_sender_access (or other, client is best if you can use it)
whitelist. The full scoop is available at:
    http://www.postfix.org/RESTRICTION_CLASS_README.html
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

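The restriction-class variant from the last paragraph of the reply, written out as an added example that is not part of the original message. The class name allow_internal_senders, the map file recipient_classes and the domain example.com are assumptions made for illustration; the other paths and the whitelist entries are the ones quoted in the thread.

```conf
# --- main.cf ---
# Declare the class (hypothetical name), then define what it evaluates.
smtpd_restriction_classes = allow_internal_senders

# The class only consults the client whitelist from the reply. A client
# that is not listed gets no result, so evaluation falls through to the
# next restriction in the list that invoked the class.
allow_internal_senders =
        check_client_access cidr:/usr/local/etc/postfix/origin_whitelist

# check_recipient_access inside smtpd_sender_restrictions only works with
# smtpd_delay_reject = yes (the default), because the list is then
# evaluated at RCPT TO time, when the recipient is known.
smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        check_sender_access hash:/usr/local/etc/postfix/sender_checks,
        check_sender_access hash:/usr/local/etc/postfix/origin_checks,
        check_recipient_access hash:/usr/local/etc/postfix/recipient_classes,
        reject_unknown_sender_domain,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit

# --- /usr/local/etc/postfix/recipient_classes ---
# hash: table, rebuild with postmap after every edit.
# example.com is a placeholder for the one recipient domain that should
# accept mail from the whitelisted clients with unresolvable senders.
example.com     allow_internal_senders

# --- /usr/local/etc/postfix/origin_whitelist ---
# cidr: table, read directly (no postmap). Entries as given in the reply.
10.0.0.0/8      permit_auth_destination
192.0.2.2       permit_auth_destination
```

Because the whitelist result ends smtpd_sender_restrictions for a matching client and recipient, the RBL checks later in that list are skipped for that mail as well; mail to every other recipient domain, and from every other client, still reaches reject_unknown_sender_domain.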