James Reynolds:
> >> My server's MX record points to some servers that do spam filtering
> >> then they send it to my server. However, some servers ignore the
> >> MX record and are connecting directly to my server (using the IP
> >> returned by the DNS A record I presume). I am trying to set up
> >> an smtpd restriction for all incoming mail except when it comes
> >> from the servers I know about. I'm struggling to figure out how
> >> I'd do this.
> >>
> >> I think the solution is to use check_helo_access by changing my
> >> main.cf like so:
> >>
> >> smtpd_recipient_restrictions = ... reject_unauth_destination
> >> check_helo_access hash:/etc/postfix/helo_access
> >
> > Use "check_client_access cidr:/etc/postfix/client_access" with
> > a table that "permit"s the IP addresses that are allowed to connect.
> >
> > Wietse
>
> Would it look like this?
>
> smtpd_client_restrictions =
> permit_mynetworks
> permit_sasl_authenticated
> check_client_access cidr:/etc/postfix/client_access
> deny
>
> /etc/postfix/client_access
> 127.0.0.0/8 OK
> [::1]/128 OK
> # my networks OK

I suppose that permit_mynetworks already takes care of those.
But you will want to add the networks of your primary MX provider.

> Is there any way to test this first? Would this work or is it
> pure silliness?

You can use XCLIENT to test how Postfix responds to a client with
an arbitrary name and IP address.

/etc/postfix/main.cf:
    smtpd_authorized_xclient_hosts = 127.0.0.1

# Don't forget to "postfix reload".

Example:

    $ telnet 127.0.0.1 25
    220 server.example ESMTP Postfix
    xclient name=mail.example.com addr=10.0.0.2
    220 server.example ESMTP Postfix
    ehlo mail.example.com
    250-server.example
    ...
    mail from:<>
    250 2.1.0 Ok
    rcpt to:<[email protected]>
    454 4.7.1 <[email protected]>: Relay access denied

Logging:

    Jul 18 19:30:07 server postfix/smtpd[4134]: NOQUEUE: reject:
        RCPT from example.com[10.0.0.2]: 454 4.7.1 <[email protected]>:
        Relay access denied; from=<> to=<[email protected]> proto=ESMTP
        helo=<mail.example.com>

More at http://www.postfix.org/XCLIENT_README.html

Wietse
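
Added example, not part of the original thread: a Python sketch that evaluates a client_access CIDR table as a restriction list of permit_mynetworks, then check_client_access, then a final reject would use it, so the table can be checked offline before the XCLIENT test. The provider networks are constructed documentation ranges, the function names are hypothetical, and only plain "pattern action" lines with first-match lookup are modelled (SASL authentication is ignored).

```python
import ipaddress

# Constructed sample table: 192.0.2.0/24 and 2001:db8:25::/48 stand in for
# the MX provider's networks (documentation ranges, not real provider data).
SAMPLE_TABLE = """\
# filtering service relays (constructed)
192.0.2.0/24      OK
2001:db8:25::/48  OK
[::1]/128         OK
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # The address part may be wrapped in [], as in "[::1]/128".
        pattern = pattern.replace("[", "").replace("]", "")
        # ip_network raises ValueError on a malformed or host-bits-set pattern.
        rules.append((ipaddress.ip_network(pattern), action.strip()))
    return rules

def lookup(rules, client_ip):
    """First matching rule wins; None means the table has no match."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr in net:  # False when address families differ
            return action
    return None

def decide(rules, client_ip, mynetworks=("127.0.0.0/8",)):
    """Model: permit_mynetworks, then the table, then reject everything else."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in mynetworks):
        return "permit (mynetworks)"
    if lookup(rules, client_ip) == "OK":
        return "permit (client_access)"
    return "reject"

if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_TABLE)
    # 10.0.0.2 is the client address used in the XCLIENT session above.
    for ip in ("127.0.0.1", "192.0.2.17", "10.0.0.2", "2001:db8:25::1", "::1"):
        print(f"{ip:<16} {decide(rules, ip)}")
```

Replace SAMPLE_TABLE with the contents of the real table to see which direct-to-A-record clients would be turned away.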