Postfix / MailScanner question - per domain relaying

Quintin S. Giesbrecht q at snj.ca
Tue Oct 10 20:34:05 UTC 2017


Thank you very much, that all makes sense.  Just a question that was raised now though...we're using MailWatch, and of course, the client IP is always our external relay's IP, so by using internal_networks and trusted_networks in spamassassin.conf, the RBL checks should then be done against the next IP address in the headers?  Do you know if MailWatch should then report the client IP as the actual sending server, and not our relay then?  Because that would be cool.

Thanks,

Q

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+q=snj.ca at lists.mailscanner.info] On Behalf Of David Jones via MailScanner
Sent: Tuesday, October 10, 2017 10:47 AM
To: mailscanner at lists.mailscanner.info
Cc: David Jones <djones at ena.com>
Subject: Re: Postfix / MailScanner question - per domain relaying

On 10/10/2017 10:02 AM, Quintin S. Giesbrecht wrote:
> We use an external mail host that relays all of our email to us on
> domain abc.domain.com. So all email on this domain comes from 1 subnet.
>
> We also have another domain xyz.domain.com which I need to receive
> email from anywhere for.
>
> In order to tighten things up a bit, I want to reject all mail
> destined to abc.domain.com that is NOT from the subnet of our external
> mail relay.  Is this possible? Can someone point me in the right direction?
>
> Here is how I picture this:
>
> Reject all mail to abc.domain.com
>
> Allow mail from 123.123.123.0/24 to abc.domain.com
>

Add this network CIDR to Postfix main.cf mynetworks and make sure permit_mynetworks is in all smtpd_* sections if you have customized any of them:

smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_relay_restrictions
smtpd_recipient_restrictions
postscreen_access_list

This will allow all email from that network to relay through, which is a little more than you asked for, but that network should be under your control so this is fine.

Make sure you also add this subnet to SA internal_networks and trusted_networks so SA RBL checks will properly ignore that trusted relay and check against the IP in the previous Received: header.

Then you would remove the abc.domain.com from the main.cf relay_domains since all destinations will be allowed from that subnet.  Any other source subnets will be rejected.

The Postfix mynetworks should be basically identical to the SA internal_networks, and the SA trusted_networks should be internal_networks plus any external networks that may be trusted.

> Allow mail from anywhere to xyz.domain.com
>

Leave this domain in the main.cf relay_domains list.

> Thanks for any insight.
>
> ------------------------------------------------------------------------
>
> Smith Neufeld Jodoin LLP
>

--
David Jones
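
The Received-header walk that the reply above describes for SpamAssassin's RBL checks, as a simplified model added here (not code from the thread, from SpamAssassin, or from MailWatch). The sample headers, hostnames and function names are constructed for illustration; only the 123.123.123.0/24 subnet comes from the thread.

```python
import ipaddress
import re

# Relay subnet from the thread plus loopback; in SpamAssassin terms this
# plays the role of trusted_networks / internal_networks.
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "123.123.123.0/24")]

# Constructed sample headers, newest first (hostnames and IDs are made up).
SAMPLE_RECEIVED = [
    "from relay1.example.net (relay1.example.net [123.123.123.10]) "
    "by mx.abc.domain.com (Postfix) with ESMTP id 4A1B2C",
    "from mail.sender.example (mail.sender.example [198.51.100.25]) "
    "by relay1.example.net (Postfix) with ESMTPS id 9F8E7D",
    "from [10.1.2.3] (unknown [203.0.113.77]) "
    "by mail.sender.example (Postfix) with ESMTPSA id 77AA01",
]

_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received):
    """Client IP recorded in the 'from' clause of one Received header (IPv4 only)."""
    from_clause = received.split(" by ", 1)[0]
    found = _BRACKETED_IPV4.findall(from_clause)
    if not found:
        return None
    try:
        # Postfix writes "from HELO (rdns [ip])": the last bracketed literal is
        # the address the receiving MTA saw; an earlier one is only the HELO.
        return ipaddress.ip_address(found[-1])
    except ValueError:
        return None


def first_untrusted_relay(received_headers, trusted=TRUSTED):
    """Walk hops newest to oldest; return the first relay outside `trusted`."""
    for header in received_headers:
        ip = relay_ip(header)
        if ip is None:
            return None  # unparseable hop: stop, nothing below it can be relied on
        if not any(ip in net for net in trusted):
            return ip    # this is the address an RBL lookup should use
    return None          # every hop was trusted (e.g. locally generated mail)


if __name__ == "__main__":
    print(first_untrusted_relay(SAMPLE_RECEIVED))
```

If the relay subnet is left out of the trusted list, the same walk stops at the relay's own address, so every message would be scored against the relay rather than the original sender.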

