
I have defined a global whitelist in Postfix using MySQL with the following options:

smtpd_recipient_restrictions =
        reject_invalid_hostname,
        check_client_access mysql:/etc/postfix/client_whitelist,
        check_sender_access mysql:/etc/postfix/sender_whitelist,
        check_recipient_access mysql:/etc/postfix/recipient_whitelist,
        permit_mynetworks,
        reject

Content of /etc/postfix/client_whitelist

# mysql_table(5) names this parameter "hosts" (plural); an unknown "host" key is ignored
hosts = localhost:3306
user = root
password = password
dbname = postfix
query = SELECT restriction FROM client_whitelist WHERE client = "%s" AND status = "1";

The mysql table

+---------------+-------------+--------+
| client        | restriction | status |
+---------------+-------------+--------+
| 192.168.66.18 | OK          |      1 |
| 192.168.66.92 | OK          |      1 |
| 192.168.66.93 | REJECT      |      1 |
+---------------+-------------+--------+

And I have the same table for sender and receivers. My main problem is that I have multiple domains behind postfix and I would like to filter the clients/senders taking into account which is the receiver. For example:

Mail from 192.168.66.92 and sender "user1@test.com" IS ALLOWED to "user2@domain1.com"

Mail from 192.168.66.92 and sender "user1@test.com" IS NOT ALLOWED to "user2@domain2.com"

Mail from 192.168.66.18 IS ALLOWED for recipient or domain "domain1.com"

Mail from 192.168.66.18 IS NOT ALLOWED for recipient or domain "domain2.com"

Is there any way to implement this in Postfix? I have been googling but no luck.

On the other hand, I was thinking of putting a "postfix proxy" in front to redirect to other Postfix instances, with each instance filtering one domain. But I'm not sure about the performance of this setup, or even if it is possible.

masegaloeh
magiza83

1 Answer


This is not possible in one access check since that only provides one of the values as input (either client, sender, or recipient, based on the access check you used), but not more than one.

This is inherent in how postfix access tables work.

You can work around this by either using a policy service like postfwd (which has access to all these values at once), or by using restriction classes.

This allows you to, for example, implement a restriction class on clients and return an access check as the result, instead of OK or REJECT.

See the access man page for more details about access maps and the possible outcomes.

Note that "whitelist" is not a useful term for what you have if it includes both OK and REJECT as results.

adaptr
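The restriction-class approach the answer describes, worked out for the two domains in the question: the recipient lookup returns the name of a class instead of OK or REJECT, that class runs a client lookup, and the client lookup can in turn return the name of a sender-checking class, so all three values end up constraining one decision. This is an added example, not configuration from the question or the answer. The file names under /etc/postfix, the table and column names (rcpt_policy, client_policy, sender_policy), the postfix_ro database user and the rows shown in comments are assumptions, constructed to match the four cases listed in the question.

```ini
# ---- /etc/postfix/main.cf (added example, not from the original post) ----
# Every class name must be declared here before it is referenced.
smtpd_restriction_classes = domain1_policy, domain1_senders, domain2_policy

# Stage 1: the recipient decides which class runs. For an address lookup Postfix
# tries "user2@domain1.com" first and then "domain1.com", so the table can be
# keyed by domain alone. Recipients in no listed domain get no match and fall
# through to permit_mynetworks / reject exactly as in the original configuration.
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    check_recipient_access mysql:/etc/postfix/rcpt_policy.cf,
    permit_mynetworks,
    reject

# Stage 2 (domain1.com): the client map returns OK, or the name of the next
# class; any client the map does not list hits the trailing reject.
domain1_policy =
    check_client_access mysql:/etc/postfix/domain1_client.cf,
    reject

# Stage 3 (domain1.com, reached only by clients mapped to this class):
# the sender must also be listed.
domain1_senders =
    check_sender_access mysql:/etc/postfix/domain1_sender.cf,
    reject

# domain2.com: same shape, different rows.
domain2_policy =
    check_client_access mysql:/etc/postfix/domain2_client.cf,
    reject

# ---- /etc/postfix/rcpt_policy.cf ----
# Assumed table rcpt_policy(domain, class) with constructed rows:
#   domain1.com -> domain1_policy
#   domain2.com -> domain2_policy
hosts = localhost
user = postfix_ro
password = CHANGE_ME
dbname = postfix
query = SELECT class FROM rcpt_policy WHERE domain = '%s'

# ---- /etc/postfix/domain1_client.cf ----
# One assumed table client_policy(rcpt_domain, client, action) serves every
# domain; the recipient domain is fixed inside each .cf file's query, which is
# how the second "key" reaches a lookup that only receives one. Constructed rows:
#   domain1.com  192.168.66.18  OK
#   domain1.com  192.168.66.92  domain1_senders
hosts = localhost
user = postfix_ro
password = CHANGE_ME
dbname = postfix
query = SELECT action FROM client_policy WHERE rcpt_domain = 'domain1.com' AND client = '%s'

# ---- /etc/postfix/domain1_sender.cf ----
# Assumed table sender_policy(rcpt_domain, sender, action), constructed row:
#   domain1.com  user1@test.com  OK
hosts = localhost
user = postfix_ro
password = CHANGE_ME
dbname = postfix
query = SELECT action FROM sender_policy WHERE rcpt_domain = 'domain1.com' AND sender = '%s'

# ---- /etc/postfix/domain2_client.cf ----
# No rows exist for domain2.com and 192.168.66.18 or 192.168.66.92, so the
# lookup returns nothing, domain2_policy reaches its reject, and the two
# "IS NOT ALLOWED" cases from the question are refused.
hosts = localhost
user = postfix_ro
password = CHANGE_ME
dbname = postfix
query = SELECT action FROM client_policy WHERE rcpt_domain = 'domain2.com' AND client = '%s'
```

A class stops evaluating as soon as one of its checks gives a final answer: a client row of OK accepts the message before any sender map is consulted, a row naming domain1_senders hands the decision to that class, and the trailing reject catches everything the maps do not list, so forgetting a row fails closed rather than open. Before reloading, confirm each hop of the chain with postmap -q, for example `postmap -q 192.168.66.92 mysql:/etc/postfix/domain1_client.cf`, which should print the literal string domain1_senders; a per-lookup read-only database user such as the assumed postfix_ro is also preferable to the root account used in the question.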