Postfix / MailScanner question - per domain relaying

Quintin S. Giesbrecht q at
Tue Oct 10 20:34:05 UTC 2017

Thank you very much, that all makes sense.  Just a question that was raised now though...we're using MailWatch, and of course, the client IP is always our external relay's IP, so by using internal_networks and trusted_networks in spamassassin.conf, the RBL checks should then be done against the next IP address in the headers?  Do you know if MailWatch should then report the client IP as the actual sending server, and not our relay then?  Because that would be cool.



-----Original Message-----
From: MailScanner [ at] On Behalf Of David Jones via MailScanner
Sent: Tuesday, October 10, 2017 10:47 AM
To: mailscanner at
Cc: David Jones <djones at>
Subject: Re: Postfix / MailScanner question - per domain relaying

On 10/10/2017 10:02 AM, Quintin S. Giesbrecht wrote:
> We use an external mail host that relays all of our email to us on
> domain So all email on this domain comes from 1 subnet.
> We also have another domain which I need to receive
> email from anywhere for.
> In order to tighten things up a bit, I want to reject all mail
> destined to that is NOT from the subnet of our external
> mail relay.  Is this possible? Can someone point me in the right direction?
> Here is how I picture this:
> Reject all mail to
> Allow mail from to

Add this network CIDR to Postfix mynetworks and make sure permit_mynetworks is in all smtpd_* sections if you have customized any of them:


This will allow all email from that network to relay through which is a little more than you asked for but that network should be under your control so this is fine.

Make sure you also add this subnet to SA internal_networks and trusted_networks so SA RBL checks will properly ignore that trusted relay and check against the IP in the previous Received: header.

Then you would remove the from the relay_domains since all destinations will be allowed from that subnet.  Any other source subnets will be rejected.

The Postfix mynetworks should be basically identical to the SA internal_networks and the SA trusted_networks should be internal_networks plus any external networks that may be trusted.

> Allow mail from anywhere to

Leave this domain in the relay_domains list.

> Thanks for any insight.
> ------------------------------------------------------------------------
> Smith Neufeld Jodoin LLP

David Jones

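The effect of trusted_networks described in the thread, as an added example that is not part of the original messages and is not SpamAssassin's own code: a simplified model that walks the Received: headers from newest to oldest and returns the first client IP outside the trusted networks, which is the address an RBL lookup would then use. The subnet 192.0.2.0/24 is a placeholder for the external relay's network (the thread does not give the real CIDR), and the sample message and all hostnames are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: 192.0.2.0/24 is a documentation range standing in for the
# external relay's subnet; the real CIDR does not appear in the thread.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Constructed sample message; the newest Received header comes first.
SAMPLE = """\
Received: from relay1.example.net (relay1.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id AAAA1; Tue, 10 Oct 2017 20:30:02 +0000
Received: from sender.example.com (sender.example.com [203.0.113.45])
\tby relay1.example.net (Postfix) with ESMTP id BBBB2; Tue, 10 Oct 2017 20:30:01 +0000
Received: from laptop (unknown [198.51.100.7])
\tby sender.example.com (Postfix) with ESMTPSA id CCCC3; Tue, 10 Oct 2017 20:30:00 +0000
From: someone@example.com
To: user@example.org
Subject: constructed test

body
"""

# Bracketed client address in the "from host (rdns [a.b.c.d])" clause.
CLIENT_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def relay_ips(raw_message):
    """Return the client IP of each Received hop, newest hop first."""
    ips = []
    for header in message_from_string(raw_message).get_all("Received", []):
        from_clause = re.split(r"\sby\s", header, maxsplit=1)[0]
        match = CLIENT_IP.search(from_clause)
        if not match:
            continue  # hop without a parsable client address
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # bracketed text that is not a valid IP
    return ips

def first_untrusted_ip(raw_message, trusted=TRUSTED_NETWORKS):
    """Return the first hop outside the trusted networks, or None."""
    for ip in relay_ips(raw_message):
        if not any(ip in net for net in trusted):
            return ip
    return None

if __name__ == "__main__":
    print(first_untrusted_ip(SAMPLE))
```

With the relay subnet trusted, the lookup target is the sending server; with only loopback trusted, it is the relay itself.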