I'd like to configure postfix to relay mail from certain sender addresses only. Postfix should relay mail to different relayhosts(/smarthosts) (Gmail, AOL, …) dependent on the sender's address ("MAIL FROM:").
So far, my current configuration works as follows:
- Users authenticate on postfix for mail relay in general. If they cannot authenticate, no relay is possible. Note that this authentication is different from the authentication for the relayhosts.
- Dependent on the sender's address ("MAIL FROM:"), a certain relayhost is selected (smtp_sender_dependent_authentication, sender_dependent_relayhost_maps, smtp_sasl_password_maps). This also works fine.
- However, if the user can authenticate, and has a sender address not covered in sender_dependent_relayhost_maps, postfix tries to directly relay the mail – which often does not work due to IP address restrictions (blacklists).

My question is now: how to reject mail that would have been relayed directly (without smarthost), i.e., where the sender's address is not listed in sender_dependent_relayhost_maps? Any hints how to achieve this?
Best Answer
You would need some limiting test before permit_sasl_authenticated. A prerequisite for this would be having separated smtpd on port 25 for incoming mail and another smtpd for submission on port 587. Otherwise this limitation would cause incoming mail to be rejected as it won't pass the test. Then, remove the permit_sasl_authenticated from the port 25 altogether, and add the test to your submission configuration in master.cf.

To answer your question literally, check_sender_access would be a suitable test, whitelisting all the domains listed in sender_dependent_relayhost_maps and rejecting mail for the rest.

This can be added to either smtpd_sender_restrictions or smtpd_recipient_restrictions.

What would do the same, but further prevent users from using each other's addresses is using reject_sender_login_mismatch. This needs an additional smtpd_sender_login_maps table, but if your virtual_alias_maps entries are already formed as address@example.com username, you can use the same file and the allowed sender addresses are automatically updated whenever you update your virtual aliases database with postmap. An example of such submission configuration in the master.cf:
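
Added example (not part of the answer above, and not its master.cf configuration): a Python script that derives the check_sender_access whitelist the answer describes from the sender_dependent_relayhost_maps source file, so the two tables cannot drift apart. The sample map, its addresses and hosts, and the function names are constructed for illustration; it assumes the restriction list places reject after the check_sender_access lookup so that unlisted senders are refused.

```python
# Constructed sample of a sender_dependent_relayhost_maps source file;
# addresses and relayhosts are placeholders, not values from the page.
SAMPLE_RELAYHOST_MAP = """\
# sender                 relayhost
alice@gmail.example      [smtp.gmail.example]:587
@aol.example             [smtp.aol.example]:587
Bob@Example.ORG
    [smtp.example.org]:587
"""


def logical_lines(text):
    """Yield logical lines of a postmap source file: blank lines and '#'
    comments are skipped, lines starting with whitespace continue the
    previous logical line."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current


def access_keys(relayhost_map_text):
    """Return the access(5) lookup keys for every sender that has a relayhost."""
    keys = []
    for line in logical_lines(relayhost_map_text):
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # key without a relayhost: nothing to relay through
        key = parts[0].lower()
        if key.startswith("@"):
            # relayhost maps spell a domain "@domain"; access(5) wants "domain"
            key = key[1:]
        if key and key not in keys:
            keys.append(key)
    return keys


def render_access_table(relayhost_map_text):
    """Render the whitelist as 'key<TAB>OK' lines, ready for postmap."""
    return "".join(f"{key}\tOK\n" for key in access_keys(relayhost_map_text))


if __name__ == "__main__":
    print(render_access_table(SAMPLE_RELAYHOST_MAP), end="")
```

A bare domain in an access table also matches subdomains while smtpd_access_maps is listed in parent_domain_matches_subdomains (the default), whereas the @domain key in the relayhost map matches only that exact domain. A subdomain sender could therefore pass the whitelist and still have no relayhost.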