On 12/15/2011 2:12 PM, Simon wrote:
> 
> On 15/12/2011, at 5:28 PM, Noel Jones wrote:
> 
>>>
>>> Thanks again... what if I just wanted postfix to check a mysql-based list 
>>> of approved sending email addresses and/or domains? e.g. NOT associate it 
>>> with a SASL login but has an approved sender list. e.g. all SASL logins 
>>> would be able to send "from" all of the domains/addresses on the list? (I'm 
>>> thinking of a specific situation where I would need this).
>>>
>>> Simon
>>>
>>
>> That's easy enough to do with a check_sender_access map.  Assuming
>> an MSA (user submission only, no general incoming mail), something
>> as simple as:
>>
>> smtpd_sender_restrictions =
>>  check_sender_access hash:/path/to/allowed_senders
>>  reject
>>
>> With allowed_senders table something like
>> us...@example.com  OK
>> example.org     OK
>>
>> Any sender not on the approved list gets rejected.  Do this in
>> smtpd_sender_restrictions to avoid possible open relay accidents
>> that could occur if you do this test in smtpd_recipient_restrictions.
>>
>> These restrictions could also be put into master.cf as -o options on
>> the submission or smtps services.
> 
> Thanks Noel, what if I needed to do this with SASL-authenticated "senders"... 
> This is my current setup:
> 
> smtpd_sender_restrictions =
>       permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         reject_unknown_sender_domain,
>         permit
> 
> Can you assist me to get the order correct here? I would like 
> permit_sasl_authenticated as well as check_sender_access (from a mysql table) 
> if possible... 
> 
> Many thanks!
> 
> Simon
> 


What I already wrote will work for any users, but it must not be
used on a general MX.

If this is your general MX, your sasl users need to submit mail on
"submission" port 587 rather than the MTA-to-MTA port 25.

You can modify the master.cf "submission" service with something like:
submission .... smtpd
  -o smtpd_sender_restrictions=check_sender_access,hash:/path/to/allowed_sender,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


You can use any table type supported by your postfix in place of the
hash: shown above, *sql is fine.



  -- Noel Jones
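
A MySQL-backed version of the allowed-sender table discussed in this thread, as an added example that is not part of the original messages. The file path, database credentials, table name and column names are all assumptions; the parameter names follow mysql_table(5).

```conf
# /etc/postfix/mysql-allowed-senders.cf   (hypothetical path)
#
# This file holds a database password: keep it unreadable to ordinary
# users (for example owner root, group postfix, mode 0640).
#
# Assumed schema (placeholder names):
#   CREATE TABLE allowed_senders (
#     sender VARCHAR(255) NOT NULL PRIMARY KEY,  -- 'user@example.com' or 'example.org'
#     active TINYINT(1)   NOT NULL DEFAULT 1
#   );

hosts    = 127.0.0.1
user     = postfix_ro          # placeholder: an account with SELECT only
password = CHANGE_ME           # placeholder
dbname   = mail                # placeholder

# %s is the lookup key. For check_sender_access, Postfix tries the full
# sender address first and then the domain part, so a single column can
# hold both kinds of entry. Postfix SQL-quotes the key before substitution.
# A row found returns the access action 'OK'; no row means "not found",
# and evaluation falls through to the next restriction (the final reject).
query    = SELECT 'OK' FROM allowed_senders WHERE sender = '%s' AND active = 1

# Corresponding override on the master.cf submission service, replacing
# the hash: table from the thread with this lookup:
#
#   -o smtpd_sender_restrictions=check_sender_access,mysql:/etc/postfix/mysql-allowed-senders.cf,reject
#   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#
# Check the lookup before reloading Postfix:
#   postmap -q "someone@example.org" mysql:/etc/postfix/mysql-allowed-senders.cf
# A listed address or domain prints OK; an unlisted one prints nothing
# and postmap exits non-zero.
```

Because the sender list here is not tied to the SASL login, any authenticated user can send as any address or domain on the list, which is the behaviour asked for in the quoted question.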
