
Fairly new to Postfix.

I have Postfix set up for SMTP relay to Office365 and we are needing to set specific internal hosts to only email specific domains, e.g.

  • server1 --> example.com only. Deny all
  • server2 --> example.com only. Deny all

We want to maintain the ability for all other internal hosts to not have this restriction, e.g.

  • server3 --> example.com example.net Allow all
  • server4 --> example.com example.net Allow all
  • (Many other servers)

Rationale behind this is we want server1 and server2 to only send internally, but all other servers will utilize the relay without limitation.

My first approach was the following (partial of main.cf):

smtpd_relay_restrictions =
    check_client_access hash:/etc/postfix/blacklist,
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
myhostname = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = smtp_relay.example.com
mydestination =

The /etc/postfix/blacklist has the following:

server1.example.com    REJECT  Blocked for a good reason
server2.example.com    REJECT  Blocked for a good reason
server1                REJECT  Blocked for a good reason
server2                REJECT  Blocked for a good reason
192.16.1.10            REJECT  Blocked for a good reason
192.16.1.11            REJECT  Blocked for a good reason

This blocks all traffic from server1 and server2; all traffic from other hosts works without issue.

The need is to block all traffic from these servers, except if sending to example.com, and maintain the ability for all traffic from other hosts to work without issue.

Any direction on where to look and config testing is always appreciated.


1 Answer


Unfortunately, Postfix does not have a built-in mechanism to do this directly. However, Postfix does support Access Policy Delegation services that can be custom scripts.

smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031,
    permit_mynetworks,
    reject_unauth_destination

With this configuration in place, you would implement a policy service (e.g. Python) that:

  • Listens on the configured 127.0.0.1:10031.
  • Receives the client IP and recipient domain.
  • Checks if the IP is allowed to relay to that domain.
  • Returns DUNNO (accept) or REJECT (deny) based on your criteria.
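A minimal policy service implementing the four steps above, added here as an example (it is not part of the answer or of Postfix). It speaks the Postfix policy delegation protocol (name=value lines terminated by a blank line, answered with `action=...` and a blank line) on 127.0.0.1:10031, and the restricted-host table is constructed from the two IPs in the question; a restricted host with no parseable recipient domain is rejected rather than let through.

```python
import socketserver

# Constructed policy table: restricted client IP -> domains it may send to.
# Any client not listed here is unrestricted and falls through (DUNNO).
RESTRICTED = {
    "192.16.1.10": {"example.com"},
    "192.16.1.11": {"example.com"},
}

def parse_request(text):
    """Parse one Postfix policy request: name=value lines, blank line terminated."""
    attrs = {}
    for line in text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            attrs[name.strip()] = value.strip()
    return attrs

def decide(attrs):
    """Return the Postfix action string for one request."""
    client = attrs.get("client_address", "")
    allowed = RESTRICTED.get(client)
    if allowed is None:
        return "DUNNO"  # unrestricted host: later restrictions decide
    # Normalise the recipient domain (case, trailing dot); empty -> fail closed.
    domain = attrs.get("recipient", "").rpartition("@")[2].lower().rstrip(".")
    if domain in allowed:
        return "DUNNO"
    return "REJECT Host %s may only send to %s" % (client, ", ".join(sorted(allowed)))

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection.
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return  # Postfix closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break  # blank line ends one request
                lines.append(line)
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(("action=%s\n\n" % action).encode())
            self.wfile.flush()

if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```

Because the policy runs before permit_mynetworks, a DUNNO from it still lets the normal relay rules decide, while a REJECT is final for that recipient.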