Hi Nick,

Thanks for your reaction, it gave me some food for thought.

I can see how this works for a limited number of servers, but unfortunately (?) our environment is a lot bigger than that.

I think my solution is to write a policy service:

http://www.postfix.org/SMTPD_POLICY_README.html

That would give me all the variables I need, at the disadvantage of having to write and maintain some separate code.

Kind regards,

Hans

On 27-09-2020 08:32, Nick Tait wrote:
> Hi Hans.
>
> I'm not sure if there is an easier way, but one way to achieve this is
> with a restriction class per server. (BTW I don't know much about LDAP
> so the example below is based on files...)
>
> main.cf:
> indexed = ${default_database_type}:${config_directory}/
> smtpd_restriction_classes = server1_sender_restrictions,
>     server2_sender_restrictions, server3_sender_restrictions
> smtpd_relay_restrictions =
>     check_client_access ${indexed}allservers_client_access,
>     reject_unauth_destination
> server1_sender_restrictions = check_sender_access
>     ${indexed}server1_sender_access, reject
> server2_sender_restrictions = check_sender_access
>     ${indexed}server2_sender_access, reject
> server3_sender_restrictions = check_sender_access
>     ${indexed}server3_sender_access, reject
>
> allservers_client_access:
> server1.internal.example.com server1_sender_restrictions
> server2.internal.example.com server2_sender_restrictions
> server3.internal.example.com server3_sender_restrictions
>
> server1_sender_access:
> example.com ok
> <> ok
>
> server2_sender_access:
> example.org ok
> <> ok
>
> server3_sender_access:
> example.net ok
> <> ok
>
> I use something like this myself and it works well if the number of
> servers is small and doesn't change often.
>
> Nick.
>
>
> On 25/09/20 2:42 am, Hans van Zijst wrote:
>> Is it possible to let Postfix decide which hosts to relay mail for,
>> based on the domain from which that mail is sent?
>>
>> I'm building a relayhost that should accept e-mail from a whole bunch of
>> internal mailservers, and relay it to the Internet, after scanning,
>> DKIM-signing and rate limiting.
>>
>> But I don't want to give Postfix one list of all hosts that are allowed
>> to relay mail through it, because that would allow users of all internal
>> servers to send mail from all domains. I'm looking for a way to let
>> Postfix check if the host is allowed to send mail for the domain involved.
>>
>> I'm using an LDAP backend and what I thought I wanted to do under
>> "smtpd_relay_restrictions" is a "check_client_access" query for the
>> domain, and return the attribute which contains the host(s) that are
>> allowed, with "PERMIT", like this:
>>
>> smtpd_relay_restrictions = check_client_access ldap:relay_access
>>
>> Where the file relay_access contains something like:
>>
>> query_filter = domainName=%d
>> result_attribute = allowedHost
>> result_format = %s PERMIT
>>
>> But the input key here is not the domain name, but the address of the
>> smtpserver sending the message.
>>
>> How do I match a domain name with an IP-address or FQDN? Or am I looking
>> in the wrong direction here?
>>
>> Kind regards,
>>
>> Hans
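
The policy service mentioned in the reply at the top of this thread could look like the following. This is an added example, not code from either poster or from the Postfix project. It speaks the policy delegation protocol from SMTPD_POLICY_README (name=value lines ended by a blank line, answered with `action=...`), and it assumes a constructed in-memory `ALLOWED` map copied from the per-server tables above, matching on `client_name`, and a null sender arriving as an empty `sender` attribute.

```python
import sys

# Constructed sample policy (assumption), mirroring the quoted per-server
# tables: client hostname -> sender domains it may relay for.
ALLOWED = {
    "server1.internal.example.com": {"example.com"},
    "server2.internal.example.com": {"example.org"},
    "server3.internal.example.com": {"example.net"},
}

def parse_request(block):
    """Parse one policy request given as name=value lines."""
    attrs = {}
    for line in block.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, allowed=ALLOWED):
    """Return the access(5) action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # client_name is "unknown" when Postfix could not verify the hostname.
    domains = allowed.get(attrs.get("client_name", "").lower().rstrip("."))
    if domains is None:
        return "DUNNO"  # not a listed server: leave it to later restrictions
    sender = attrs.get("sender", "")
    if sender == "":
        return "OK"  # null sender (bounces), like the "<> ok" table entries
    domain = sender.rpartition("@")[2].lower()
    if domain in domains:
        return "OK"
    return "REJECT sender domain not allowed for this client"

def serve(stdin=sys.stdin, stdout=sys.stdout):
    """spawn(8)-style loop: answer each blank-line-terminated request."""
    block = []
    for line in stdin:
        line = line.rstrip("\n")
        if line:
            block.append(line)
            continue
        stdout.write("action=%s\n\n" % decide(parse_request("\n".join(block))))
        stdout.flush()
        block = []

if __name__ == "__main__":
    serve()
```

Placed under `smtpd_relay_restrictions` via `check_policy_service` and followed by `reject_unauth_destination`, a `DUNNO` answer for an unlisted client falls through to that final rejection. In a large environment the `ALLOWED` lookup is where the LDAP query would go.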
