On 29/12/2010 12:06, Mauro wrote:
> On 26 November 2010 12:08, /dev/rob0 <[email protected]> wrote:
>
>
>> snip
>>> smtpd_recipient_restrictions =
>>>     check_client_access hash:/etc/postfix/maps/internal_networks,
>>
>> This potentially dangerous restriction might contain permit actions.
>> See SMTPD_ACCESS_README.html#danger for the danger. (In case you
>> wondered, this and the previously-mentioned DEBUG_README.html#mail
>> can be found at www.postfix.org and in your own html_directory.)
>
> Why is it potentially dangerous?

Because an error will make you an open relay. Avoid putting general
checks before reject_unauth_destination in smtpd_recipient_restrictions.
In your case, you can simply move the check_client_access to
smtpd_sender_restrictions:

smtpd_sender_restrictions =
    check_client_access hash:/etc/postfix/maps/internal_networks

> internal_networks is:
>
> 192.168 has_our_domain_as_sender
> 172.16.10 has_our_domain_as_sender
>
Now imagine you're on vacation and another admin edits this file and adds

# we only want to get mail from Joe's server if it helos correctly:
192.0.2.34 reject_invalid_helo_hostname,permit

then 192.0.2.34 would be allowed to relay.

> and has_our_domain_as_sender is:
>
>
> has_our_domain_as_sender =
>     check_sender_access hash:/etc/postfix/maps/our_domain_as_sender,
>     reject
>
> while our_domain_as_sender is:
>
> example.com OK
> <> OK
>
>
> That's all correct I think.
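
The following is an added example, not part of the original thread or of Postfix: a small audit that flags access-map entries able to return a permit when their check_*_access lookup is evaluated before reject_unauth_destination. The restriction strings and the map text are constructed from the snippets quoted above (the position of reject_unauth_destination is an assumption); the script does not expand restriction classes such as has_our_domain_as_sender and ignores continuation lines.

```python
import re

# access(5) actions that take free text; their arguments are not restrictions.
TEXT_ACTIONS = {"REJECT", "DEFER", "DEFER_IF_REJECT", "DEFER_IF_PERMIT",
                "DISCARD", "WARN", "FILTER", "HOLD", "PREPEND", "REDIRECT"}

def tokens(value):
    """Split a restriction list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]

def permit_entries(map_text):
    """Yield (key, action) for access-map lines whose result can be a permit."""
    for line in map_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or key without an action
        key, action = fields[0], fields[1].strip()
        words = tokens(action)
        if words[0].upper() in TEXT_ACTIONS or re.fullmatch(r"[45]\d\d", words[0]):
            continue  # reject/defer style action followed by free text
        if any(w.upper() == "OK" or w.lower().startswith("permit") for w in words):
            yield key, action

def audit(restrictions, maps):
    """List permit-capable entries looked up before reject_unauth_destination."""
    findings = []
    toks = tokens(restrictions)
    for i, tok in enumerate(toks):
        if tok == "reject_unauth_destination":
            break  # lookups after this point cannot open the relay
        if re.fullmatch(r"check_\w+_access", tok) and i + 1 < len(toks):
            table = toks[i + 1]
            findings += [(table, k, a) for k, a in permit_entries(maps.get(table, ""))]
    return findings

# Constructed sample: the map from the thread plus the hypothetical later edit.
TABLE = "hash:/etc/postfix/maps/internal_networks"
MAPS = {TABLE: """\
192.168 has_our_domain_as_sender
172.16.10 has_our_domain_as_sender
# we only want to get mail from Joe's server if it helos correctly:
192.0.2.34 reject_invalid_helo_hostname,permit
"""}
RISKY = f"check_client_access {TABLE}, reject_unauth_destination"
SAFE = f"reject_unauth_destination, check_client_access {TABLE}"

if __name__ == "__main__":
    for table, key, action in audit(RISKY, MAPS):
        print(f"{table}: {key} -> {action}")
```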