Perhaps I misunderstood, but you said:

> With this all mail is discarded unless *all* (my emphasis) the conditions
> below are met:
>
> - From an allowed SMTP client (IP address CIDR table)
> - From an allowed envelope sender (indexed via postmap lookup table)
> - To an allowed envelope recipient (indexed via postmap lookup table)

Which isn't what I want. For hosts in client_access, I don't want any sender/recipient evaluation - I just want it to flow through - all of it. For hosts not in client_access, I want it assumed they're allowed, but the sender/recipient restrictions asserted.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
Sent: Thursday, December 30, 2010 1:55 PM
To: postfix-users@postfix.org
Subject: Re: Relay restrictions

On Thu, Dec 30, 2010 at 01:45:57PM -0600, michael.lar...@wellsfargo.com wrote:

> Thanks for trying to help Viktor, but I don't think this configuration will
> work for me. Let me try to explain; when I made my original post, others on
> the list were somewhat surprised regarding my intent.
>
> This relay isn't so much a relay as a choke point. The test network I support
> is subject to tight quotas regarding traffic on the corporate email system. I
> need all mail discarded unless it meets the following conditions:
>
> All mail relays for hosts listed in client_access

Best enforced in smtpd_client_restrictions.

> Mail from hosts not listed in client_access is subject
> to sender/recipient restrictions

Best enforced via suitable and separate smtpd_sender_restrictions and
smtpd_recipient_restrictions.

> If a sender is allowed (rare), recipients are evaluated,
> and either relayed (even rarer) or discarded

That's exactly what the configuration I posted does. What about the
configuration below fails to meet your requirements?

> Your problem is almost certainly best solved by using each of the
> multiple restriction lists to check each of the required conditions.
>
>     cidr = cidr:${config_directory}/
>     indexed = ${default_database_type}:${config_directory}/
>
>     smtpd_client_restrictions =
>         check_client_access ${cidr}allowed-clients,
>         check_client_access static:discard
>
>     smtpd_sender_restrictions =
>         check_sender_access ${indexed}allowed-senders,
>         check_client_access static:discard
>
>     smtpd_recipient_restrictions =
>         check_recipient_access ${indexed}allowed-recipients,
>         check_client_access static:discard,
>         #
>         # At least one reject by default rule is required in
>         # smtpd_recipient_restrictions, defeat the logic by
>         # listing permit, then reject. In reality permit = discard.
>         #
>         permit, reject
>
> With this all mail is discarded unless all the conditions below are met:
>
> - From an allowed SMTP client (IP address CIDR table)
> - From an allowed envelope sender (indexed via postmap lookup table)
> - To an allowed envelope recipient (indexed via postmap lookup table)

--
Viktor.
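
Added example, not part of either message in the thread: a small Python model of how the three restriction lists in the quoted configuration combine, compared with the policy described in the reply at the top. The table contents and addresses are constructed, and the model assumes that every listed key maps to OK, that OK ends only the current list, and that a discard result stays in effect once triggered.

```python
import ipaddress

# Constructed sample tables (assumption: every listed key maps to OK).
ALLOWED_CLIENTS = ["192.0.2.0/24"]          # cidr:allowed-clients
ALLOWED_SENDERS = {"build@test.example"}    # allowed-senders (exact match only)
ALLOWED_RCPTS = {"qa-lead@corp.example"}    # allowed-recipients (exact match only)


def client_listed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALLOWED_CLIENTS)


def posted_config(ip, sender, rcpt):
    """Model of the three restriction lists in the quoted main.cf.

    Each check returns "OK", "DISCARD" or None (no match, try the next
    restriction). OK ends only the current list; DISCARD flags the message
    and the flag survives into the later lists (modelling assumption).
    """
    lists = [
        # smtpd_client_restrictions
        [lambda: "OK" if client_listed(ip) else None, lambda: "DISCARD"],
        # smtpd_sender_restrictions
        [lambda: "OK" if sender in ALLOWED_SENDERS else None, lambda: "DISCARD"],
        # smtpd_recipient_restrictions (the trailing permit, reject is never reached)
        [lambda: "OK" if rcpt in ALLOWED_RCPTS else None, lambda: "DISCARD"],
    ]
    discard = False
    for restrictions in lists:
        for check in restrictions:
            result = check()
            if result == "DISCARD":
                discard = True
            if result is not None:
                break  # this list is finished; the next list is still evaluated
    return "discard" if discard else "relay"


def stated_policy(ip, sender, rcpt):
    """Policy described in the reply: listed clients skip the other checks."""
    if client_listed(ip):
        return "relay"
    allowed = sender in ALLOWED_SENDERS and rcpt in ALLOWED_RCPTS
    return "relay" if allowed else "discard"


def compare(ip, sender, rcpt):
    """Return (outcome under posted config, outcome under stated policy)."""
    return posted_config(ip, sender, rcpt), stated_policy(ip, sender, rcpt)
```

The two outcomes differ whenever exactly one side of the client test passes: a listed client with an unlisted sender or recipient, or an unlisted client whose sender and recipient are both listed.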