On 11/12/2013 07:55 AM, Josef Karliak wrote:
Good morning,
I've a firewall with 3 network cards - WAN, LAN and DMZ. I want to
have different smtpd_recipient_restrictions on the WAN card, so I've
set it in the master.cf
193.11.123.9:smtp inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_recipient_access hash:/etc/postfix/alias_list,check_policy_service inet:127.0.0.1:10040,check_recipient_access hash:/etc/postfix/postmaster,check_policy_service unix:private/spf,permit_mx_backup,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,check_sender_access hash:/etc/postfix/dsn_exceptions,permit
But postfix complains about everything after "check_recipient_access
hash:/etc/postfix/alias_list". Maybe it does not like the space character. So
there is a question - how do you solve it on your postfix?
And why do I want it? I want to accept only existing recipients from
the internet; the alias list contains:
alias1@ OK
alias2@ OK
.......
A trivial solution - and one suited to more intricate collections of -o
options in master.cf - is to pre-define the options in main.cf, thus:
lan_restrictions = permit_mynetworks, reject
wan_restrictions = permit_sasl_authenticated
    permit_mynetworks
# this makes no sense
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/alias_list
    check_policy_service inet:127.0.0.1:10040
    check_recipient_access hash:/etc/postfix/postmaster
# postmaster is hardcoded, and cannot be rejected, as per the RFCs;
# there is no need to explicitly allow it.
    check_policy_service unix:private/spf
    permit_mx_backup
    reject_non_fqdn_sender
# why would these restrictions be omitted from user submission?
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
# same here; it's just as useless to have to bounce these later.
    check_sender_access hash:/etc/postfix/dsn_exceptions
    permit
And then refer to them in master.cf, thus:
10.11.12.13:smtp inet n - n - - smtpd
  -o smtpd_recipient_restrictions=$lan_restrictions
193.11.123.9:smtp inet n - n - - smtpd
  -o smtpd_recipient_restrictions=$wan_restrictions
Your restrictions could use some work in general, and dealing with
different LAN and WAN requirements is easily done on a single smtpd(8)
instance, but this is what you asked for.
--
J.
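An added check for the failure mode in this thread (not part of the thread, and not a Postfix tool; the master.cf and main.cf snippets inside it are constructed samples modelled on the entries above): it joins continuation lines the way postconf does, flags any -o value that master would split at whitespace, and flags $parameter references in master.cf that main.cf never defines.

```python
import re
# Constructed samples modelled on the thread: service 1 uses the $parameter
# approach, service 2 repeats the whitespace mistake, service 3 references a
# parameter that main.cf never defines.
MASTER_CF = """\
10.11.12.13:smtp inet n - n - - smtpd
  -o smtpd_recipient_restrictions=$lan_restrictions
193.11.123.9:smtp inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks, reject_unauth_destination
192.0.2.10:submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=$wan_restrictions
"""
MAIN_CF = "lan_restrictions = permit_mynetworks, reject\n# wan_restrictions missing\n"

def logical_lines(text):
    """Postfix rules: leading whitespace continues a line, # lines are skipped."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def main_cf_parameters(text):
    """Names on the left-hand side of each 'name = value' in main.cf."""
    return {ln.split("=", 1)[0].strip() for ln in logical_lines(text) if "=" in ln}

def lint_master_cf(master, main):
    """Return (service, problem) pairs for every suspicious -o override."""
    defined = main_cf_parameters(main)
    problems = []
    for line in logical_lines(master):
        fields = line.split()
        service, args = fields[0], fields[8:]  # 8 fixed columns, then the argv
        opts = [k for k, a in enumerate(args) if a == "-o"] + [len(args)]
        for k, nxt in zip(opts, opts[1:]):  # args[k+1:nxt] belong to one -o
            if nxt == k + 1:  # a bare -o with nothing after it
                continue
            name, _, value = args[k + 1].partition("=")
            if nxt > k + 2:  # extra words: master split the value at whitespace
                problems.append((service, f"-o {name}: value contains whitespace; "
                                 "master passes the rest as stray arguments"))
            for ref in re.findall(r"\$\{?(\w+)\}?", value):
                if ref not in defined:
                    problems.append((service, f"-o {name}: ${ref} not defined in main.cf"))
    return problems
```

Running lint_master_cf(MASTER_CF, MAIN_CF) reports the whitespace problem on 193.11.123.9:smtp and the undefined $wan_restrictions on 192.0.2.10:submission, and nothing for the service that references a parameter main.cf defines.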