Postfix: reject all senders except one mail address

Hi Forum,

is that even possible to accomplish?

I started with:

Code:

$ postconf | grep smtpd_sender_restrictions
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access

$ cat access
allowed@dom.ain OK
* REJECT

But wildcard “*” seems to be no available char in the access table, I
tried something different (First one matches wins, right?):

Code:

allowed@dom.ain OK
127.0.0.1 REJECT
localhost REJECT


Also didn’t work.

Even this config

Code:

127.0.0.1 REJECT
localhost REJECT


let me send mails via “telnet localhost 25”.

Of course after every change I did a “postmap access” and restarted
postfix…

Any suggestions?

Thanks in advance,
Pascal


“Have you tried turn it off and on again?”

bendeichp’s Profile: http://forums.novell.com/member.php?userid=62174
View this thread: http://forums.novell.com/showthread.php?t=448404

After some testing I figured out that one way is to use regexp.
Here are the parts that I changed and which are now different from the
default SLES config:

Code:

main.cf:
mynetworks_style = host
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/access
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

access:
!/^noreply@dom\.ain$/ REJECT


With this config, only smtp connections from localhost are accepted and
only one sender address: noreply@dom.ain.
That was my intention :)

Cheers,
Pascal



bendeichp;2155509 Wrote:

> After some testing I figured out that one way is to use regexp.
> Here are the parts that I changed and which are now different from the
> default SLES config:
>
> Code:
>
> main.cf:
> mynetworks_style = host
> smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/access
> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

It is better style to just use smtpd_recipient_restrictions and collect
all your restrictions there.

Code:

smtpd_recipient_restrictions = check_sender_access regexp:/etc/postfix/access,
    permit_mynetworks,
    reject_unauth_destination

> With this config, only smtp connections from localhost are accepted and
> only one sender address: noreply@dom.ain.
> That was my intention :)

To restrict the connecting host use check_client_access; that is why your IP
address try failed - the sending IP address is not the “sender”, it is the
client.
But if you only want localhost to connect, you can restrict the listening
interfaces to localhost by inet_interfaces = loopback-only


MoserHans


> It is better style to just use smtpd_recipient_restrictions and collect
> all your restrictions there.

Even it seems very logical to me, to put sender related restrictions to
“smtpd_sender_restrictions” it’s changed for better style:

> But if you only want localhost to connect, you can restrict the listening
> interfaces to localhost by inet_interfaces = loopback-only

IMHO the man page said, that “mynetworks_style = host” will have the
same effect. Like always, there are many ways :)

Thanks,
Pascal



bendeichp;2156160 Wrote:

> Even it seems very logical to me, to put sender related restrictions to
> “smtpd_sender_restrictions” it’s changed for better style:

OK, but “permit_mynetworks” is what, a recipient_restriction? No, it is
a client_restriction, because it restricts the connecting hosts. But you
put it in “smtpd_recipient_restrictions”, right? :)
By putting all restrictions in recipient you have full control over
the order in which the restrictions take place, you can have
client_restrictions after sender_restriction, what you can not do by
dividing the restrictions. Do you see what I mean?
Have a look at ‘Postfix SMTP relay and access control’
(http://www.postfix.org/SMTPD_ACCESS_README.html)
All restrictions but smtpd_recipient_restrictions are optional, even
though all restrictions are only evaluated after RCPT TO anyway:

> Current Postfix versions postpone the evaluation of client, helo and
> sender restriction lists until the RCPT TO or ETRN command.

> IMHO the man page said, that “mynetworks_style = host” will have the
> same effect. Like always, there are many ways :)

No, not really:

> Specify “mynetworks_style = host” when Postfix should “trust” only the
> local machine.

mynetworks and mynetworks_style influence the permit_mynetworks
restriction, not more. Port 25 is still accessible from anywhere else in
the network. Whereas inet_interfaces restricts the opened ports to the
network itself. This is a huge difference.


MoserHans
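
A simplified model of the merged restriction list discussed in this thread, added here as an illustration; it is not code from the thread or from Postfix. It covers the negated regexp lookup from Pascal's post and the point above that mynetworks_style = host does not stop other hosts from reaching port 25. Assumptions: dom.ain is a local destination, and 192.0.2.10 is a constructed remote client address.

```python
import ipaddress
import re

# Assumptions for this sketch (not from the thread): the domains this host
# accepts mail for, and the networks "mynetworks_style = host" trusts.
LOCAL_DOMAINS = {"dom.ain"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# /etc/postfix/access as a regexp table: (negated, pattern, action).
# Regexp tables are case-insensitive by default and the first match wins.
ACCESS = [(True, re.compile(r"^noreply@dom\.ain$", re.I), "REJECT")]


def check_sender_access(sender):
    """Return the table action, or DUNNO when no rule fires."""
    key = sender or "<>"  # the null (bounce) sender is looked up as "<>"
    for negated, pattern, action in ACCESS:
        if bool(pattern.search(key)) != negated:
            return action
    return "DUNNO"


def permit_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(recipient):
    # Simplified: only the assumed LOCAL_DOMAINS count as authorized.
    domain = recipient.rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


def evaluate(client_ip, sender, recipient):
    """Walk the merged smtpd_recipient_restrictions list in order."""
    steps = (
        ("check_sender_access", lambda: check_sender_access(sender)),
        ("permit_mynetworks", lambda: permit_mynetworks(client_ip)),
        ("reject_unauth_destination", lambda: reject_unauth_destination(recipient)),
    )
    for name, step in steps:
        result = step()
        if result != "DUNNO":
            return result, name
    return "PERMIT", "end of list"


if __name__ == "__main__":
    # Constructed case: remote client, allowed sender, local recipient.
    print(evaluate("192.0.2.10", "noreply@dom.ain", "postmaster@dom.ain"))
```

In this model the remote client is permitted at the end of the list, because nothing in the list looks at the client address for mail to a local recipient; the negated pattern also rejects the null sender, so bounces are refused.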


Hi,

thanks for the explication.

> Have a look at Postfix SMTP relay and access control

I’ll do that :)

Cheers,
Pascal

