smtpd client restrictions.

  • Erik Paulsen Skaalerud
    Message 1 of 2 , Sep 1, 2008
      Hi everyone.

      I have a postfix-pop3/imap4 server at our office that gets incoming
      smtp mail from either 2 fixed IP addresses (antispam-company), from my
      local network or from clients authenticated via SASL.
      Is it possible to restrict smtp access so that unknown smtp clients
      get refused? I only want the hosts/networks mentioned above to be
      able to use the smtpd!

      - Erik
    • Charles Marcus
      Message 2 of 2 , Sep 1, 2008
        On 9/1/2008 12:15 PM, Erik Paulsen Skaalerud wrote:
        > I have a postfix-pop3/imap4 server at our office that gets incoming
        > smtp mail from either 2 fixed IP addresses (antispam-company), from my
        > local network or from clients authenticated via SASL.
        > Is it possible to restrict smtp access so that unknown smtp clients
        > get refused? I only want the hosts/networks mentioned above to be
        > able to use the smtpd!

        Just use the following in smtpd_recipient_restrictions:

        smtpd_recipient_restrictions =
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            check_client_access cidr:/etc/postfix/allowed_clients.cidr,

        where allowed_clients.cidr contains the netblocks of your outsourced
        anti-spam service (we use webroot):

        ******************* allowed_clients.cidr ****************

        # webroot netblocks
        ###.##.###.0/28 dunno
        ###.###.##.0/26 dunno
        ###.###.###.0/23 dunno

        # reject all clients not matching anything above, and be sure
        # there is no final reject under recipient_restrictions
        #
        0.0.0.0/0 reject unauthorized client, please use our MX

        ******************* allowed_clients.cidr ****************

        We use additional checks to provide custom rejects for x-employees, and
        for blocking specific senders (rarely use it, but the boss has asked me
        to do it occasionally), so use 'dunno' in the webroot netblocks above.
        If you don't need any additional checks, you could use OK instead of dunno.

        --

        Best regards,

        Charles
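
The evaluation order described in the reply above, as an added example that is not part of the original thread: a small Python model of the four restrictions and the first-match CIDR table, showing which clients are permitted, rejected, or passed on by `dunno`. The netblocks are constructed documentation ranges standing in for the masked ones in the post, the function names are hypothetical, and the model covers only these four restrictions, not Postfix itself.

```python
import ipaddress

# Constructed table: documentation netblocks stand in for the masked
# anti-spam service ranges in the post.
ALLOWED_CLIENTS_CIDR = """\
192.0.2.0/28     dunno
198.51.100.0/26  dunno
0.0.0.0/0        reject unauthorized client, please use our MX
"""

def parse_cidr_table(text):
    """Return ordered (network, action) pairs; cidr tables are first-match."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern), action))
    return rules

def check_client_access(rules, client_ip):
    """Return the action of the first matching pattern, or 'dunno' if none."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return "dunno"

def evaluate(rules, client_ip, in_mynetworks=False, sasl_auth=False, local_rcpt=True):
    """Walk the restriction list from the post; the first decisive result wins."""
    if in_mynetworks:
        return ("permit", "permit_mynetworks")
    if sasl_auth:
        return ("permit", "permit_sasl_authenticated")
    if not local_rcpt:
        return ("reject", "reject_unauth_destination")
    action = check_client_access(rules, client_ip)
    verb = action.split()[0].lower()
    if verb == "reject":
        return ("reject", action)
    if verb == "ok":
        return ("permit", "check_client_access OK")
    # dunno: any later restrictions still run; the end of the list permits
    return ("continue", "dunno")

RULES = parse_cidr_table(ALLOWED_CLIENTS_CIDR)

if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.16", "203.0.113.9", "2001:db8::1"):
        print(ip, evaluate(RULES, ip))
```

In this model the IPv6 client falls through as `dunno`, because `0.0.0.0/0` is an IPv4 pattern; a server that accepts SMTP over IPv6 would need a matching `::/0` line for the catch-all to apply there.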