Postfix restrict all incoming mail to certain domains, then allow all for specific user addresses

postfix

We use Postfix for company email address's given to employees… all are of the format username@example.com.

Basically I want to restrict all incoming mail to these addresses to only allow emails from the @example.com domain.

Simple enough I think however there are a select few supervisor addresses that need to be unrestricted (able to receive emails from any domain).

None of the answers I've found seem to answer this problem (Although I'm really weak when it comes to working with email settings)

snippit of /etc/postfix/main.cf:

smtpd_recipient_restrictions = 
    permit_sasl_authenticated, 
    permit_mynetworks, 
    reject_unauth_destination, 
    check_sender_access hash:/etc/postfix/access, 
    reject

Best Answer

You could use restriction classes. See:

For your case

Now we have to create two classes, first one for supervisor class and second one for the rest of company.

The Setup

Define smtpd_restriction_classess in main.cf

smtpd_restriction_classes = mysupervisor

Set smtpd_recipient_restrictions in main.cf, place this line after check_sender_access hash:/etc/postfix/access,

check_recipient_access hash:/etc/postfix/mycompany.rules

This file /etc/postfix/mycompany.rules, will perform decision logic to select which address that belongs to mysupervisor class. So the content is

someone999@example.com    mysupervisor
someone123@example.com    mysupervisor

Then define rule for mysupervisor class in main.cf, so postfix will permit all address.

mysupervisor = permit

To check whether the email was coming from company domain (example.com), set rule check_sender_access hash:/etc/postfix/insiders after check_recipient_access hash:/etc/postfix/mycompany.rules. The content of /etc/postfix/insiders

example.com OK

Now, main.cf hase become

smtpd_restriction_classes = mysupervisor
mysupervisor = permit
smtpd_recipient_restrictions = 
    permit_sasl_authenticated, 
    permit_mynetworks, 
    reject_unauth_destination, 
    check_sender_access hash:/etc/postfix/access,
    check_recipient_access hash:/etc/postfix/mycompany.rules,
    check_sender_access hash:/etc/postfix/insiders
    reject

How it works

For all email, postfix will apply the restriction until

check_sender_access hash:/etc/postfix/access,

After that email will be checked against mycompany.rules. If the recipient was supervisor email, than permit it, otherwise postfix will perform last restriction /etc/postfix/insiders. If the sender is @example.com then permit it, otherwise reject it.

Related Solutions

Postfix rejects all incoming mail (Client host rejected: Access denied)

I think you need to put mydestination = mydomain.com in your config.

Next guess: We know the domain is right and that SASL works... so what I now suspect is that we're seeing an error in your restrictions. I'd start with recipient_restrictions and remove every rejection after permit_sasl_authenticated. If that works, add them back one at a time. If not, your next test is sender_restrictions.

Debian – Setting up restriction classes in postfix for blocking receiving and sending mail to external domains.

When defining a new restriction class, what you basically do is telling Postfix about a new generic restriction that can be used like the builtin checks, e.g. "permit_mynetworks".

Doing so will require you to specify all restriction classes in one go, i.e.

smtpd_restriction_classes = local_only, insiders_only
insiders_only = ...
local_only = ...

Doing it this way should silence the postconf warning about an unused parameter.

As for where to put the restrictions: By default, the parameter "smtpd_delay_reject" is set to "yes", which means that even smtpd_(client|sender)_restrictions will only be evaluated after the "rctp to:<...>" stage. For this reason, it has been a long standing advice to simply collapse all restrictions within smtpd_recipient_restrictions. In your case, where the sender "restrict01@..." should only be able to send to internal destinations, you could probably use something like this as a good starting point:

smtpd_recipient_restrictions =
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unlisted_sender
  reject_unlisted_recipient
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  check_sender_access hash:/etc/postfix/restricted_senders
  permit_mynetworks
  allow_sasl_authenticated
  reject_unauth_destination
  check_policy_service inet:127.0.0.1:10023
  reject_rbl_client zen.spamhaus.org
  permit_auth_destination
  reject
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

Another thing to note is that it's (probably) a bad idea to return an "OK" from a access map before you verified the client's credentials. Therefore, the file "/etc/postfix/local_domains" should contain a line like

example.com DUNNO

This will force the restricted sender to authenticate with SASL or be within $mynetworks. As you can see, you can get away with one restriction class and get rid of smtpd_(sender|client)_restrictions.