On Sep 23, 2014, at 3:40 AM, Robert Schetterer <r...@sys4.de> wrote:

> On 23.09.2014 at 09:28, CSS wrote:
>> I'm having a hard time copying something I did in qmail (using some
>> random patch).
>> 
>> I've got four postfix instances, two used exclusively for submission
>> (all outbound email from us), two as mxers (all inbound email,
>> primary then forwards to an old qmail/vpopmail setup).
>> 
>> I'm looking to have a list of staff/role accounts defined and limit
>> those senders to only be able to reach the mxers via the submission
>> hosts.
>> 
>> Example:
>> 
>> sender: supp...@example.com
>> recipient: any...@example.com
>> connecting IP (from mxer’s view): either of our submission servers
>> action: accept
>> 
>> vs.
>> 
>> sender: supp...@example.com
>> recipient: any...@example.com
>> connecting IP (from mxer’s view): not either of our submission servers
>> action: reject
>> 
>> vs.
>> 
>> sender: randomcusto...@example.com
>> recipient: any...@example.com
>> connecting IP (from mxer’s view): not either of our submission servers
>> action: accept
>> 
>> I can block senders, I can block hosts, but I'm not clear on how to
>> combine the two criteria.
>> 
>> The last example is something I don't want to support, but we do have
>> people relaying through their own ISP and using a (legit) sender
>> address from our domain.  This also keeps me from effectively using
>> SPF, and I don't see this policy changing anytime soon.
>> 
>> Can someone point me to the right section of the docs?
>> 
>> Thanks,
>> 
>> Charles
>> 
>> ps - for the curious, qmail's badmailfromnorelay patch lets you
>> combine a list of senders that are banned only if the RELAYCLIENT
>> env var is not set.
>> 
> 
> perhaps this helps
> 
> http://www.postfix.org/RESTRICTION_CLASS_README.html

I suspect I was making this more complicated than it needed to be.

I took the example used for the all@ alias and modified that a bit
to apply to the sender rather than recipient (the banned_senders map
is just some sender address permabans; banned_senders_norelay is the
one of interest here):

smtpd_sender_restrictions =
        check_sender_access hash:$config_directory/banned_senders,
        hash:$config_directory/banned_senders_norelay

banned_senders_norelay looks like this:

supp...@example.com     permit_mynetworks,reject 
n...@example.com        permit_mynetworks,reject
bill...@example.com     permit_mynetworks,reject
[etc.]

The relays that would be sending mail with those from addresses are
already part of mynetworks, so as long as our employees relay
through those senders, they can send as those various role accounts.
If someone from outside attempts to use those addresses they are
denied.  The same rules exist on both the primary and secondary
mxers.

It appears this is accomplishing what I want without having to
resort to strict SPF checks.

Thanks for pushing me to read that README again.

Charles


> 
> or you try some policy server
> 
> 
> Best Regards
> Regards, Robert Schetterer
> 
> -- 
> [*] sys4 AG
> 
> http://sys4.de, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
> 
> Registered office: München, Amtsgericht München: HRB 199263
> Management board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
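To make the combined sender-plus-client check concrete, here is a small model of how Postfix evaluates the access map Charles posted. This is an added illustration, not code from the thread or from Postfix itself: it mimics the access(5) lookup that check_sender_access performs and then walks the "permit_mynetworks,reject" restriction list the table hit returns, so the three cases from the original question can be replayed. The submission-server addresses, client addresses and role-account names are constructed sample values, and the lookup also honours a bare domain key, which access(5) supports but the posted map does not use.

```python
"""Model of check_sender_access + "permit_mynetworks,reject" evaluation.

Added illustration, not Postfix code and not from the thread: it replays
the accept/reject cases from the original question against a map shaped
like banned_senders_norelay. All addresses below are constructed.
"""
import ipaddress

# Constructed stand-in for $mynetworks: the two submission servers.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]

# Shape of banned_senders_norelay as posted, with constructed role names.
BANNED_SENDERS_NORELAY = {
    "support-role@example.com": "permit_mynetworks,reject",
    "noc-role@example.com": "permit_mynetworks,reject",
    "billing-role@example.com": "permit_mynetworks,reject",
}


def access_lookup(address, table):
    """Look an address up the way access(5) does for email keys:
    user@domain first, then the bare domain, then user@.
    (Parent-domain matching is left out of this model.)"""
    user, _, domain = address.rpartition("@")
    for key in (address, domain, user + "@"):
        if key in table:
            return table[key]
    return None


def evaluate_restrictions(restriction_list, client_ip):
    """Walk a comma-separated restriction list left to right and return the
    first verdict ('permit' or 'reject'); 'dunno' means nothing matched."""
    ip = ipaddress.ip_address(client_ip)
    for restriction in restriction_list.split(","):
        restriction = restriction.strip()
        if restriction == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "permit"
        elif restriction == "reject":
            return "reject"
        elif restriction == "permit":
            return "permit"
        else:
            raise ValueError(f"restriction not modelled here: {restriction}")
    return "dunno"


def sender_restriction_verdict(sender, client_ip, table=BANNED_SENDERS_NORELAY):
    """Model check_sender_access: a table hit yields a restriction list that
    is evaluated in place; a miss is 'dunno' and Postfix moves on."""
    result = access_lookup(sender, table)
    if result is None:
        return "dunno"
    return evaluate_restrictions(result, client_ip)


def smtpd_decision(sender, client_ip):
    """End-of-list behaviour: when smtpd_sender_restrictions reaches its end
    without an explicit verdict, the implicit permit applies."""
    verdict = sender_restriction_verdict(sender, client_ip)
    return "reject" if verdict == "reject" else "accept"


if __name__ == "__main__":
    cases = [
        ("support-role@example.com", "192.0.2.10"),    # role account via a submission host
        ("support-role@example.com", "198.51.100.7"),  # role account from an outside relay
        ("customer@example.com", "198.51.100.7"),      # ordinary sender from outside
    ]
    for sender, ip in cases:
        print(f"{sender:28} from {ip:14} -> {smtpd_decision(sender, ip)}")
```

The point the model makes visible is that the client check lives inside the per-sender result: senders absent from the map never reach permit_mynetworks at all, which is why the "random customer relaying through their ISP" case still goes through, while a listed role account is only accepted when the connecting client is in mynetworks.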
