Hi, I have a mail submission server for our users. What I would like is to check sender and rcpt addresses, at least whether they belong to the domains handled by us (of course I can't check if mail is sent to another domain where I don't know the valid addresses, and I don't want to do SAV).

I have the valid addresses and our domain list in LDAP. What made me think that it's possible at all to do this without a custom policy server:

1. Check if the domain part of the address is listed as our domain in LDAP. If not, there is no further check by address validation (well, just the usual DNS ones).
2. If mail for the domain is handled by us, check if there is an address like "localpart@domain" or "@domain" (the second form is used to signal that all localparts are valid within that domain, i.e. the user has their own MTA or so). If there is no match, I want to reject the mail submission.
3. Of course I want my users to use SMTP authentication (it works, using dovecot auth, I just mention it here). Some users may be allowed to send mail without SMTP authentication from some well-defined IP addresses though (also stored in LDAP).

I used the notion of "address" because I would like to have the same check for rcpt and sender, because it also does not make too much sense to use an invalid sender (not existing within a domain handled by us). Point 3 is only additional information; the important part is 1+2.

Of course I can do basic LDAP lookups with postfix, but I am not sure it's possible at all to have more complex conditions. I mean: loc@domain can be valid or invalid based on the fact whether "domain" is handled by us or not. So basically I need at least two queries, it seems: first, whether we handle a given domain; then, if we do, whether the "loc" local part is valid or not.

Additional information: I would like to do this with only LDAP maps at the smtpd sender and recipient restrictions (not with postfix's rcpt/sender maps etc.), since I want my own messages (including Hungarian ones), not postfix's built-in ones. Is it possible, or should I write a policy server instead? Or am I wrong somewhere in my theory about solving this problem?

(In the long term I have the idea to use _only_ a policy server to decide, since I can use SQL-based logging from the policy server at every protocol state, I can do custom complicated queries and conditions, I can use my own messages everywhere, etc. But for now it would be cool to have some quicker solution for the problem I've described.) Thanks a lot in advance, Gábor
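One way to express steps 1 and 2 with two chained Postfix LDAP access maps, written here as an added example rather than anything from the original thread; the LDAP attribute names (mail, associatedDomain), the server and search bases, the file names and the reply text are all assumptions:

```conf
# main.cf (assumed). The relay/auth decision lives in smtpd_relay_restrictions
# (Postfix 2.10+), which is always evaluated, so the OK result from the
# address map below cannot turn the submission port into an open relay.
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    check_sender_access ldap:/etc/postfix/ldap-valid-address.cf,
    check_sender_access ldap:/etc/postfix/ldap-local-domain.cf

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    check_recipient_access ldap:/etc/postfix/ldap-valid-address.cf,
    check_recipient_access ldap:/etc/postfix/ldap-local-domain.cf

# /etc/postfix/ldap-valid-address.cf  (step 2)
# Matches either the exact address or the "@domain" catch-all entry.
# %d is expanded only when the lookup key has the form user@domain; for the
# bare "domain" and "user@" keys that access maps also try, the query is
# suppressed, so this map can never match on a domain alone.
server_host = ldap://ldap.example.net
search_base = ou=mail,dc=example,dc=net
bind = no
query_filter = (|(mail=%s)(mail=@%d))
result_attribute = mail
# OK ends this restriction list for a known local address; any check that
# must also apply to valid local addresses has to come before this map.
result_format = OK

# /etc/postfix/ldap-local-domain.cf  (step 1)
# Reached only when the address map found nothing. The access map tries the
# "domain" key after "user@domain" (and parent domains, because the default
# parent_domain_matches_subdomains includes smtpd_access_maps), which is what
# this filter matches: an unlisted address in a locally handled domain is
# rejected, an address in a foreign domain falls through untouched.
server_host = ldap://ldap.example.net
search_base = ou=domains,dc=example,dc=net
bind = no
query_filter = (associatedDomain=%s)
result_attribute = associatedDomain
# Keep the reply text ASCII; accented characters do not belong in an SMTP reply.
result_format = REJECT Unknown address in a domain handled by this server
```

The OK/REJECT pair is what gives you your own reply text instead of the built-in "User unknown"; for authenticated senders, reject_sender_login_mismatch with smtpd_sender_login_maps is the complementary check that the sender address actually belongs to the login.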