
check_recipient_access with exceptions


Vladimir Parkhaev

Nov 30, 2011, 8:38:13 PM11/30/11
Hello,


I am running a mail relay that forwards all mail from some "management
network" to a corporate MTA. For security reasons, my gateway is configured to
relay mail only to internal destination addresses (us...@mydomain.com). There are a few
exceptions and all "external" addresses must be whitelisted.

Pretty basic setup -
smtpd_recipient_restrictions = check_recipient_access hash:/usr/local/etc/postfix/access,
reject_unauth_destination, permit

/usr/local/etc/postfix/access:
us...@external.com OK
us...@faraway.com OK


It did what I needed so far. Now there is a new host ABC that would need
to send mail to a large number of external addresses and whitelist management becomes a pain.


I am looking for a way to create an exception for check_recipient_access, ideally, IP-based.
Basically, I would like to allow IP of ABC to freely send mail outside and to enforce check_recipient_access
for all other hosts.

I checked some smtpd_restriction_classes examples, but did not find anything similar.

Any ideas?

Thank you.



--
.signature: No such file or directory

Viktor Dukhovni

Nov 30, 2011, 8:39:54 PM11/30/11
On Wed, Nov 30, 2011 at 08:38:13PM -0500, Vladimir Parkhaev wrote:

Augment this:

> smtpd_recipient_restrictions =
> check_recipient_access hash:/usr/local/etc/postfix/access,
> reject_unauth_destination,
> permit

As follows (and avoid using "access", name each table after its
specific role):

main.cf:
cidr = cidr:${config_directory}/
indexed = ${default_database_type}:${config_directory}/
#
smtpd_recipient_restrictions =
check_client_access ${cidr}trusted-clients,
check_recipient_access ${indexed}rcpt-whitelist,
reject_unauth_destination,
permit

/usr/local/etc/postfix/rcpt-whitelist: (postmap rcpt-whitelist when changed)
us...@external.com OK
us...@faraway.com OK

/usr/local/etc/postfix/rcpt-whitelist: (no postmap for cidr tables)
192.0.2.1 permit

--
Viktor.

Jeroen Geilman

Dec 1, 2011, 3:26:19 AM12/1/11
I think you meant:

/usr/local/etc/postfix/trusted-clients: (no postmap for cidr tables)
192.0.2.1 permit


--
J.
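The restriction list in Viktor's reply (with the cidr table named trusted-clients, as Jeroen corrected) is easiest to understand as a first-match walk: each restriction returns PERMIT, REJECT or DUNNO, and Postfix stops at the first decisive answer. The Python below is an added example, not code from the thread and not Postfix itself; it simulates that walk over constructed copies of the two tables so you can see why check_client_access has to sit before reject_unauth_destination. The client IP 192.0.2.1, the sample addresses, and mydomain.com as the only authorized destination are assumptions for the example; access(5) parent-domain matching is deliberately omitted.

```python
"""Simulate how Postfix walks smtpd_recipient_restrictions for the tables in
the thread.  Added example, not Postfix code: it models only first-match
semantics (PERMIT/REJECT decide, DUNNO or no match moves to the next one)."""
import ipaddress

# Constructed copies of the two tables; addresses and IP are made up.
TRUSTED_CLIENTS_CIDR = """\
# cidr: table, first matching entry wins, no postmap needed
192.0.2.1        permit
"""

RCPT_WHITELIST = """\
# indexed table, run "postmap rcpt-whitelist" after editing
user@external.com   OK
user@faraway.com    OK
"""

# What reject_unauth_destination treats as an authorized destination
# (mydestination / relay_domains on a real system).  Assumed value.
AUTHORIZED_DOMAINS = {"mydomain.com"}

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# The order Viktor proposed.
THREAD_ORDER = ("check_client_access", "check_recipient_access",
                "reject_unauth_destination", "permit")


def parse_table(text):
    """Return [(key, ACTION), ...], skipping blank and comment lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            rows.append((key, action.strip().upper()))
    return rows


def table_result(action):
    """Map an access(5) result to a restriction outcome (simplified)."""
    if action in ("OK", "PERMIT"):
        return PERMIT
    if action.startswith("REJECT"):
        return REJECT
    return DUNNO


def check_client_access(client_ip, rcpt, cidr_rows):
    """cidr: lookup by client IP; a bare address is treated as a /32."""
    addr = ipaddress.ip_address(client_ip)
    for key, action in cidr_rows:
        if addr in ipaddress.ip_network(key, strict=False):
            return table_result(action)
    return DUNNO


def check_recipient_access(client_ip, rcpt, rows):
    """access(5) order for an address: user@domain, domain, then user@
    (parent-domain matching omitted in this simulation)."""
    table = dict(rows)
    user, domain = rcpt.rsplit("@", 1)
    for key in (rcpt, domain, user + "@"):
        if key in table:
            return table_result(table[key])
    return DUNNO


def reject_unauth_destination(client_ip, rcpt, authorized):
    """DUNNO for authorized destinations, REJECT for everything else."""
    return DUNNO if rcpt.rsplit("@", 1)[1] in authorized else REJECT


def build_restrictions(order):
    cidr_rows = parse_table(TRUSTED_CLIENTS_CIDR)
    rcpt_rows = parse_table(RCPT_WHITELIST)
    impl = {
        "check_client_access": lambda c, r: check_client_access(c, r, cidr_rows),
        "check_recipient_access": lambda c, r: check_recipient_access(c, r, rcpt_rows),
        "reject_unauth_destination": lambda c, r: reject_unauth_destination(c, r, AUTHORIZED_DOMAINS),
        "permit": lambda c, r: PERMIT,
    }
    return [(name, impl[name]) for name in order]


def evaluate(client_ip, rcpt, order=THREAD_ORDER):
    """Return (decision, name of the restriction that decided)."""
    for name, fn in build_restrictions(order):
        result = fn(client_ip, rcpt)
        if result != DUNNO:
            return result, name
    return DUNNO, None  # unreachable while the list ends with "permit"


if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.1", "anyone@elsewhere.example"),
                     ("10.0.0.5", "user@external.com"),
                     ("10.0.0.5", "anyone@elsewhere.example"),
                     ("10.0.0.5", "someone@mydomain.com")]:
        print(ip, rcpt, "->", evaluate(ip, rcpt))
```

The trusted host is permitted by check_client_access before check_recipient_access or reject_unauth_destination ever run, which is exactly the exception Vladimir wanted; every other client still has to hit the whitelist or an authorized destination. Swap the order so reject_unauth_destination precedes check_client_access and the trusted host is rejected for external recipients, because the first decisive restriction wins. On a real system the same lookups can be checked against the live tables with `postmap -q 192.0.2.1 cidr:/usr/local/etc/postfix/trusted-clients` and `postmap -q user@external.com hash:/usr/local/etc/postfix/rcpt-whitelist`.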

Vladimir Parkhaev

Dec 1, 2011, 9:15:14 AM12/1/11

It is much easier than I thought. :)

Thank you.



Quoting Viktor Dukhovni (postfi...@dukhovni.org):
> On Wed, Nov 30, 2011 at 08:38:13PM -0500, Vladimir Parkhaev wrote:
>
> Augment this:
>
> > smtpd_recipient_restrictions =
> > check_recipient_access hash:/usr/local/etc/postfix/access,
> > reject_unauth_destination,
> > permit
>
> As follows (and avoid using "access", name each table after its
> specific role):
>
> main.cf:
> cidr = cidr:${config_directory}/
> indexed = ${default_database_type}:${config_directory}/
> #
> smtpd_recipient_restrictions =
> check_client_access ${cidr}trusted-clients,
> check_recipient_access ${indexed}rcpt-whitelist,
> reject_unauth_destination,
> permit
>
> /usr/local/etc/postfix/rcpt-whitelist: (postmap rcpt-whitelist when changed)
> us...@external.com OK
> us...@faraway.com OK
>
> /usr/local/etc/postfix/rcpt-whitelist: (no postmap for cidr tables)
> 192.0.2.1 permit
>
> --
> Viktor.