Postfix / MailScanner question - per domain relaying

David Jones djones at ena.com
Tue Oct 10 15:46:37 UTC 2017


On 10/10/2017 10:02 AM, Quintin S. Giesbrecht wrote:
> We use an external mail host that relays all of our email to us on 
> domain abc.domain.com. So all email on this domain comes from 1 subnet.
> 
> We also have another domain xyz.domain.com which I need to receive email 
> from anywhere for.
> 
> In order to tighten things up a bit, I want to reject all mail destined 
> to abc.domain.com that is NOT from the subnet of our external mail 
> relay.  Is this possible? Can someone point me in the right direction?
> 
> Here is how I picture this:
> 
> Reject all mail to abc.domain.com
> 
> Allow mail from 123.123.123.0/24 to abc.domain.com
> 

Add this network CIDR to Postfix main.cf mynetworks and make sure 
permit_mynetworks is in all smtpd_* sections if you have customized any 
of them:

smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_relay_restrictions
smtpd_recipient_restrictions
postscreen_access_list

This will allow all email from that network to relay through, which is a 
little more than you asked for, but that network should be under your 
control, so this is fine.

Make sure you also add this subnet to SA internal_networks and 
trusted_networks so SA RBL checks will properly ignore that trusted 
relay and check against the IP in the previous Received: header.

Then you would remove the abc.domain.com from the main.cf relay_domains 
since all destinations will be allowed from that subnet.  Any other 
source subnets will be rejected.

The Postfix mynetworks should be basically identical to the SA 
internal_networks and the SA trusted_networks should be 
internal_networks plus any external networks that may be trusted.

> Allow mail from anywhere to xyz.domain.com
> 

Leave this domain in the main.cf relay_domains list.

> Thanks for any insight.
> 
> ------------------------------------------------------------------------
> 
> Smith Neufeld Jodoin LLP
> 

-- 
David Jones
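
Added example, not part of the original message: a small Python check for the rule of thumb in the reply above, that Postfix mynetworks should match SA internal_networks and that trusted_networks should contain everything in internal_networks. The function names and sample config text are constructed for illustration, and only plain CIDR entries are handled (no Postfix table lookups, `!` exclusions or SpamAssassin short forms).

```python
import ipaddress
import re

# Constructed sample configs (not from the thread); only the relay subnet
# 123.123.123.0/24 and xyz.domain.com are taken from the messages above.
MAIN_CF = """\
mynetworks = 127.0.0.0/8, [::1]/128,
    123.123.123.0/24
relay_domains = xyz.domain.com
"""
LOCAL_CF = """\
internal_networks 127.0.0.0/8 ::1/128
trusted_networks 127.0.0.0/8 ::1/128 123.123.123.0/24
"""

def postfix_mynetworks(text):
    """Networks listed in main.cf mynetworks (plain CIDR entries only)."""
    joined = re.sub(r"\n[ \t]+", " ", text)  # fold continuation lines
    m = re.search(r"^mynetworks\s*=\s*(.*)$", joined, re.M)
    items = re.split(r"[,\s]+", m.group(1).strip()) if m else []
    # Postfix writes IPv6 as [addr]/len; drop the brackets before parsing.
    return {ipaddress.ip_network(i.strip("[").replace("]", ""), strict=False)
            for i in items if i}

def sa_networks(text, key):
    """Networks on every `key` line of a SpamAssassin config (plain CIDR only)."""
    nets = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == key:
            nets.update(ipaddress.ip_network(p, strict=False) for p in parts[1:])
    return nets

def check(main_cf, local_cf):
    """Return mismatches against the rule of thumb stated in the reply."""
    mynet = postfix_mynetworks(main_cf)
    internal = sa_networks(local_cf, "internal_networks")
    trusted = sa_networks(local_cf, "trusted_networks")
    rules = [(mynet - internal, "in mynetworks but not in internal_networks"),
             (internal - mynet, "in internal_networks but not in mynetworks"),
             (internal - trusted, "in internal_networks but not in trusted_networks")]
    return [f"{n} {msg}" for nets, msg in rules for n in sorted(nets, key=str)]

if __name__ == "__main__":
    for problem in check(MAIN_CF, LOCAL_CF):
        print("MISMATCH:", problem)
```

The constructed sample deliberately lists the relay subnet in trusted_networks but not in internal_networks, so the check reports one mismatch.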

