From: Philippe Chaintreuil on
Hello all,

I have a somewhat convoluted setup that I'd like to make a
modification to, and was looking for some pointers.

The Long-winded situation:

I run a small host that serves as a mail server for multiple domains
(about 25). All but one of these is a fairly standard setup using
virtual_alias_domains + virtual_alias_maps +

-----------------------------------------------------------------------
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/helo_client_exceptions,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_invalid_hostname,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    # Check with sqlgrey.
    check_policy_service inet:127.0.0.1:2501
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_sender dns.rfc-ignorant.org

mynetworks = 192.168.0.0/16 127.0.0.0/8 64.18.0.0/20
# Note: 64.18.0.0/20 is Postini.
-----------------------------------------------------------------------

The one odd-ball domain, however, pays Postini to filter their mail,
which is included in "mynetworks". The Postini domain's MX records all
point to Postini servers.

The QUESTION:
Is there a way to get just this domain to only accept messages from
Postini + other virtual domains on this server (I guess this is likely
just "mynetworks"), while all the others continue to accept "valid"
messages from "anyone" (as above)?


Thanks!

-- Philippe Chaintreuil

From: mouss on
Philippe Chaintreuil wrote:
> Hello all,
>
> I have a somewhat convoluted setup that I'd like to make a
> modification to, and was looking for some pointers.
>
> The Long-winded situation:
>
> I run a small host that serves as a mail server for multiple domains
> (about 25). All but one of these is a fairly standard setup using
> virtual_alias_domains + virtual_alias_maps +
>
> -----------------------------------------------------------------------
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/helo_client_exceptions,
>     check_sender_access hash:/etc/postfix/sender_checks,
>     reject_invalid_hostname,
>     permit_sasl_authenticated,
>     reject_non_fqdn_hostname,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     reject_unauth_destination,
>     # Check with sqlgrey.
>     check_policy_service inet:127.0.0.1:2501
>     check_client_access hash:/etc/postfix/rbl_client_exceptions,
>     reject_rbl_client cbl.abuseat.org,
>     reject_rbl_client sbl-xbl.spamhaus.org,
>     reject_rbl_client bl.spamcop.net,
>     reject_rhsbl_sender dns.rfc-ignorant.org
>
> mynetworks = 192.168.0.0/16 127.0.0.0/8 64.18.0.0/20
> # Note: 64.18.0.0/20 is Postini.
> -----------------------------------------------------------------------
>
> The one odd-ball domain, however, pays Postini to filter their mail,
> which is included in "mynetworks".

Not the best you can do. mynetworks can relay, which Postini doesn't need
to. Use a check_client_access instead... see below.

> The Postini domain's MX records all
> point to Postini servers.
>
> The QUESTION:
> Is there a way to get just this domain to only accept messages from
> Postini + other virtual domains on this server (I guess this is likely
> just "mynetworks"), while all the others continue to accept "valid"
> messages from "anyone" (as above)?
>

You can use smtpd_restriction_classes.

smtpd_restriction_classes =
    ...
    postini_protected

smtpd_client_restrictions =
    check_recipient_access hash:/etc/postfix/postini_domains.hash

postini_protected =
    check_client_access cidr:/etc/postfix/postini.cidr
    reject


== postini_domains.hash
example.com postini_protected


== postini.cidr
10.1.2.0/24 OK
....
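
Added example, not part of the original thread: a small Python model of how the restriction class in the reply above decides, useful for checking the intended accept/reject matrix before touching the live maps. The function names and sample client addresses are constructed for illustration, and the recipient lookup is simplified to full address then domain (no parent-domain or user@ matching).

```python
import ipaddress

# Constructed sample tables mirroring the two map files in the reply above.
POSTINI_DOMAINS = {"example.com": "postini_protected"}   # postini_domains.hash
POSTINI_CIDR = [("10.1.2.0/24", "OK")]                   # postini.cidr (placeholder range)


def cidr_lookup(table, client_ip):
    """cidr: tables are searched in file order; the first matching network wins."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in table:
        if addr in ipaddress.ip_network(network):
            return action
    return None


def recipient_lookup(table, recipient):
    """Simplified check_recipient_access: full address first, then the domain."""
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    return table.get(recipient) or table.get(domain)


def client_restrictions(client_ip, recipient):
    """Model smtpd_client_restrictions from the reply.

    Returns "REJECT", "OK" (this list permits) or "DUNNO" (no opinion).
    In every case except REJECT, smtpd_recipient_restrictions still runs
    afterwards, so reject_unauth_destination keeps guarding against relay.
    """
    action = recipient_lookup(POSTINI_DOMAINS, recipient)
    if action != "postini_protected":
        return "DUNNO"                     # unprotected domain: class not entered
    # Inside the postini_protected class: check_client_access, then reject.
    if cidr_lookup(POSTINI_CIDR, client_ip) == "OK":
        return "OK"
    return "REJECT"


if __name__ == "__main__":
    # Constructed test clients: one inside the placeholder range, two outside.
    for ip, rcpt in [("10.1.2.25", "user@example.com"),
                     ("203.0.113.9", "user@example.com"),
                     ("203.0.113.9", "user@example.org")]:
        print(f"{ip:>12} -> {rcpt:<18} {client_restrictions(ip, rcpt)}")
```

With the tables as written, an SMTP client in 192.168.0.0/16 is also rejected for example.com, so any local hosts that must reach the protected domain need their own line in postini.cidr.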