-1

I use Postfix 2.9.6 from Debian 7. I defined some virtual domains, and all works fine as expected.

Now I want to restrict incoming emails for one of my domains to accept email if it comes from the same domain, or if the sender is sasl_authenticated (from other hosted domains on the same server), or if the incoming mail comes from one of the white-listed domains (about 2-3 domains).

In Postfix configs I see just sender_restrictions and recipient_restriction, but how do I control recipient/sender at the same time?

masegaloeh
Marcodor

2 Answers

3

I do not think you can achieve this using postfix alone. Have a look at postfwd; there you could set a ruleset like:

&&TO_PROTECTED_DOMAIN {  recipient_domain=my_protected_domain.tld; };
&&FROM_WHITELIST_DOMAIN { sender_domain=my_protected_domain.tld; \
                          sender_domain=whitelisted1.tld; \
                          sender_domain=whitelisted2.tld; \
                        };

id=PD_01;  &&TO_PROTECTED_DOMAIN; sasl_method =~ (LOGIN|PLAIN);  action=DUNNO
id=PD_02;  &&TO_PROTECTED_DOMAIN; &&FROM_WHITELIST_DOMAIN; action=DUNNO
id=PD_03;  &&TO_PROTECTED_DOMAIN; action=REJECT You're not permitted sending to this domain.
tomas
3

Postfix has a feature to do that called SMTPD Restriction Classes. But it's not as convenient as writing an ACL with if-then-else. For this, you can use postfwd, as in the answer from tomas, or policyD.


Here is what you put in main.cf:

# define one restriction class, let's name it 'specialdomain'
smtpd_restriction_classes = specialdomain

# define the restrictions for this class, evaluated in order:
#   1. permit sender from the same domain
#   2. permit sasl_authenticated
#   3. permit whitelisted domain
#   4. otherwise reject
# (main.cf does not support trailing comments, so the notes sit above the value)
specialdomain =
    check_sender_access hash:/etc/postfix/specialdomain2
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/whitedomain
    reject

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/specialdomain
    ... other restriction ...

The maps

# /etc/postfix/specialdomain
example.com     specialdomain

# /etc/postfix/specialdomain2
example.com    OK

#/etc/postfix/whitedomain
example.net     OK
example.org     OK

How it works:

First, postfix checks whether the recipient is listed in /etc/postfix/specialdomain; if yes, postfix applies the restrictions defined in the specialdomain parameter of main.cf.

The specialdomain restriction has several parameters to allow email. There are two check_sender_access entries to check whether the sender domain is the same or already whitelisted. There is also permit_sasl_authenticated to permit users authenticated by SASL. Otherwise it is rejected.

masegaloeh
  • Masegaloeh and Tomas, thanks for the detailed answers. So in fact it is possible to apply my requirement with access classes as you show in the example. Also I found PolicyD more featured (including quotas, checkSPF) than postfwd. How do they perform in terms of performance? Which is better? I see postfwd is written in Perl so it's not native compiled, just interpreted? – Marcodor Mar 26 '15 at 13:28
  • Currently I don't have data. Benchmark it. Obviously postfix access list would be faster than postfwd and policyd – masegaloeh Mar 28 '15 at 04:23
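
The decision flow of the restriction-class answer above, modelled in Python as an added example (not part of the original answers and not Postfix code): the three tables are constructed copies of the maps in that answer, the function names are hypothetical, and the lookup is a simplification of access(5). The `sender` argument stands for the envelope MAIL FROM value, which the connecting client supplies; only the SASL branch is tied to an authenticated identity.

```python
# Simplified model of the restriction class in the answer (assumption: this
# mirrors Postfix's first-match evaluation; it is not Postfix code).
# Constructed copies of the three maps shown in the answer.
SPECIALDOMAIN = {"example.com": "specialdomain"}   # recipient -> class name
SPECIALDOMAIN2 = {"example.com": "OK"}             # same-domain senders
WHITEDOMAIN = {"example.net": "OK", "example.org": "OK"}


def access_lookup(table, address):
    """Try user@domain, then the domain and its parent domains."""
    address = address.lower()
    labels = address.rsplit("@", 1)[-1].split(".")
    keys = [address] + [".".join(labels[i:]) for i in range(len(labels))]
    for key in keys:
        if key in table:
            return table[key]
    return None  # no match: evaluation moves on to the next restriction


def specialdomain_class(sender, sasl_authenticated):
    """The four restrictions of the class, in the order main.cf lists them."""
    if access_lookup(SPECIALDOMAIN2, sender) == "OK":
        return "permit"   # check_sender_access .../specialdomain2
    if sasl_authenticated:
        return "permit"   # permit_sasl_authenticated
    if access_lookup(WHITEDOMAIN, sender) == "OK":
        return "permit"   # check_sender_access .../whitedomain
    return "reject"       # final reject


def recipient_restrictions(sender, recipient, sasl_authenticated=False):
    """check_recipient_access hands protected recipients to the class."""
    if access_lookup(SPECIALDOMAIN, recipient) == "specialdomain":
        return specialdomain_class(sender, sasl_authenticated)
    return "dunno"  # falls through to '... other restriction ...'


if __name__ == "__main__":
    # Constructed sample transactions: (MAIL FROM, RCPT TO, SASL login?)
    cases = [
        ("alice@example.com", "bob@example.com", False),
        ("carol@hosted.example", "bob@example.com", True),
        ("dave@example.net", "bob@example.com", False),
        ("eve@other.example", "bob@example.com", False),
        ("eve@other.example", "frank@elsewhere.example", False),
    ]
    for sender, rcpt, sasl in cases:
        print(sender, "->", rcpt, "sasl" if sasl else "anon",
              recipient_restrictions(sender, rcpt, sasl))
```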