postfix – Restrict Mail Relay for Specific Sender Addresses

postfix

I'd like to configure postfix to relay mail from certain sender addresses only. Postfix should relay mail to different relayhosts(/smarthosts) (Gmail, AOL, …) dependent on the sender's address ("MAIL FROM:").

So far, my current configuration works as follows:

Users authenticate on postfix for mail relay in general. If they cannot authenticate, no relay is possible. Note that this authentication is different from the authentication for the relayhosts.
Dependent on the sender's address ("MAIL FROM:"), a certain relayhost is selected (smtp_sender_dependent_authentication, sender_dependent_relayhost_maps, smtp_sasl_password_maps). This also works fine.
However, if the user can authenticate, and has a sender address not covered in sender_dependent_relayhost_maps, postfix tries to directly relay the mail – which often does not work due to IP address restrictions (blacklists).

My question is now: how to reject mail that would have been relayed directly (without smarthost), i.e., where the sender's address is not listed in sender_dependent_relayhost_maps? Any hints how to achieve this?

Best Answer

You would need some limiting test before permit_sasl_authenticated. A prerequisite for this would be having separated smtpd on port 25 for incoming mail and another smtpd for submission on port 587. Otherwise this limitation would cause incoming mail to be rejected as it won't pass the test. Then, remove the permit_sasl_authenticated from the port 25 altogether, and add the test to your submission configuration in master.cf.

To answer your question literally, check_sender_access would be a suitable test, whitelisting all the domains listed in sender_dependent_relayhost_maps and rejecting mail for the rest.

check_sender_access type:table

Search the specified access(5) database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action.

This can be added to either smtpd_sender_restrictions or smtpd_recipient_restrictions.
What would do the same, but further prevent users from using each other's addresses is using reject_sender_login_mismatch. This needs an additional smtpd_sender_login_maps table, but if your virtual_alias_maps entries are already formed as address@example.com username, you can use the same file and the allowed sender addresses are automatically updated whenever you update your virtual aliases database with postmap. An example of such submission configuration in the master.cf:
```
submission inet n - - - - smtpd
# Other parameters
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Other parameters
```

Related Solutions

Postfix with relayhost – relay access denied for bounces

Bounce messages intentionally do not have a sender address. This is to prevent email loops. Sending email without an address has been used to send spam, intentionally or not. If your relay requires you to provide credentials before sending to verify the sender, it will not be able to verify the sender for bounce messages.

You can avoid the issue of not being able to send out bounce messages after accepting the message by bouncing the message before accepting it. Bouncing a message after receipt is a source of backscatter spam. It is common for spam to have faked source addresses. By accepting the message before bouncing it, you will be spamming the faked address rather than rejecting the incoming message.

One way to avoid backscatter spam, is to use BATV (bounce address tag validation). This adds a signed value to the return path. Only legitimate bounce messages should have this signature, so other bounces from the Internet can be ignored.

EDIT: It is no longer unusual to quietly drop emails to invalid addresses. This prevents the receiving system from being classified as a spam source when it sends backscatter spam. Postfix accepts all recipients by default, and is therefore prone to producing backscatter spam. If possible, I would recommend enabling recipient verofication. I prefer Exim, which rejects mail for unknown recipients by default.

Postfix: sender-dependent-relay and mail for host

Because you've set mydomain.com in mydestination, then you can put permit_auth_destination in your restricition.

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_auth_destination, reject

As NickW say, smtpd_client_restrictions was redundant. You can delete that line.

Best Answer

Related Solutions

Postfix with relayhost – relay access denied for bounces

Postfix: sender-dependent-relay and mail for host

Related Topic