On 11/12/2013 07:55 AM, Josef Karliak wrote:
  Good morning,
I've a firewall with 3 network cards - WAN, LAN and DMZ. I want to have different smtpd_recipient_restrictions on the WAN card, so I've set it in the master.cf:
193.11.123.9:smtp      inet  n       -       n       - -       smtpd
-o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_recipient_access hash:/etc/postfix/alias_list,check_policy_service inet:127.0.0.1:10040,check_recipient_access hash:/etc/postfix/postmaster,check_policy_service unix:private/spf,permit_mx_backup,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,check_sender_access hash:/etc/postfix/dsn_exceptions,permit

But postfix complains about everything after "check_recipient_access hash:/etc/postfix/alias_list". Maybe it does not like the space char. So there is a question - how do you solve it on your postfix? And why do I want it? I want to accept only existing recipients from the internet; the alias list contains:

alias1@ OK
alias2@ OK
.......


A trivial solution - and one suited to more intricate collections of -o options in master.cf - is to pre-define the options in main.cf, thus:

lan_restrictions = permit_mynetworks, reject

wan_restrictions = permit_sasl_authenticated
                   # this makes no sense
                   permit_mynetworks
                   reject_unauth_destination
                   check_recipient_access hash:/etc/postfix/alias_list
                   check_policy_service inet:127.0.0.1:10040
                   # postmaster is hardcoded, and cannot be rejected, as per the RFCs; there is no need to explicitly allow it.
                   check_recipient_access hash:/etc/postfix/postmaster
                   check_policy_service unix:private/spf
                   permit_mx_backup
                   # why would these restrictions be omitted from user submission?
                   reject_non_fqdn_sender
                   reject_non_fqdn_recipient
                   reject_unknown_sender_domain
                   # same here; it's just as useless to have to bounce these later.
                   reject_unknown_recipient_domain
                   check_sender_access hash:/etc/postfix/dsn_exceptions
                   permit


And then refer to them in master.cf, thus:

10.11.12.13:smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_recipient_restrictions=$lan_restrictions

193.11.123.9:smtp     inet  n       -       n       -       -       smtpd
    -o smtpd_recipient_restrictions=$wan_restrictions


Your restrictions could use some work in general, and dealing with different LAN and WAN requirements is easily done on a single smtpd(8) instance, but this is what you asked for.

--
J.
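
A check for the mistake discussed in this thread, added here as an example (it is not code from either poster or from Postfix): it scans master.cf text for -o overrides whose value was cut short by whitespace, the case where the value should move into a main.cf parameter and be referenced as $name. The function names and both sample snippets are constructed for illustration.

```python
def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) into logical lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def lint_master_cf(text):
    """Return (service, parameter, stray_tokens) for each -o value split by whitespace."""
    findings = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        # fields 0-7: service type private unpriv chroot wakeup maxproc command
        service, args = fields[0], fields[8:]
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                name = args[i + 1].split("=", 1)[0]
                j = i + 2
                stray = []
                # Anything that is not another option is the tail of a value with spaces.
                while j < len(args) and not args[j].startswith("-"):
                    stray.append(args[j])
                    j += 1
                if stray:
                    findings.append((service, name, stray))
                i = j
            else:
                i += 1
    return findings


# Constructed samples: a shortened form of the failing entry, then the $name form.
BROKEN = """193.11.123.9:smtp inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,check_recipient_access hash:/etc/postfix/alias_list,permit
"""
FIXED = """10.11.12.13:smtp inet n - n - - smtpd
  -o smtpd_recipient_restrictions=$lan_restrictions
193.11.123.9:smtp inet n - n - - smtpd
  -o smtpd_recipient_restrictions=$wan_restrictions
"""

if __name__ == "__main__":
    for finding in lint_master_cf(BROKEN):
        print("value split by whitespace:", finding)
```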

