15

We have postfix on our development server, and I'd like it to be able to only send mail to our domain, not to other domains, preventing outside users from accidentally receiving mail from our development server.

I searched through the docs, tried several things but it's still sending to all domains...

Chida
  • 2,471
  • 1
  • 16
  • 29
datadevil
  • 525
  • 1
  • 6
  • 22

4 Answers4

10

transport(5) maps are used to redefine how email is routed by postfix.

  • Add the following line to /etc/postfix/main.cf:

    transport_maps = hash:/etc/postfix/transport

  • Add the new file /etc/postfix/transport with this content:

    .example.com   :
example.com    :
*              discard:

Replace example.com with the domain your mailserver should still send mails to. If you don't care about sub-domains then remove the first line.

Don't forget to hash the file after editing it with postmap(1) and reload postfix so that the changes can take effect:

# postmap /etc/postfix/transport && postfix reload
Victor Schröder
  • 493
  • 4
  • 7
Carlo Arenas
  • 118
  • 1
  • 7
  • discard: silently --> **relay=none, delay=8.7, delays=8.7/0.01/0/0, dsn=2.0.0, status=sent** error: Show you message --> **Recipient address rejected: Show you message;** – alf-man Apr 15 '21 at 15:17
9

You can easily restrict the recipients with standard smtpd_recipient_restrictions or more precisely check_recipient_access.

Just create an access(5) table /etc/postfix/access with the following content (example.com being the domain you want to allow to send mail to):

example.com    OK

You can also allow only some specific addresses:

user1@example.com    OK
user2@example.com    OK

Don't forget to hash the file after editing it with postmap(1):

# postmap /etc/postfix/access

Now put the following recipient restrictions in your main.cf:

smtpd_recipient_restrictions = 
    hash:/etc/postfix/access
    reject

and reload Postfix:

postfix reload

After that, test it if it works.

Marco Sulla
  • 207
  • 2
  • 4
  • 15
joschi
  • 20,747
  • 3
  • 46
  • 50
  • 2
    That will work for mail sent via SMTP, not via /usr/lib/sendmail command and local processes can do both. It seems the 'authorized_submit_users' setting may be used to block local submission with sendmail/postdrop, then the smtpd restrictions will be enough. – Jacek Konieczny Feb 28 '10 at 10:23
  • 1
    "To block anyone (local (mail/sendmail command) system users and SMTP users) from sending to an email address you cannot rely on smtpd_recipient_restrictions. You need to place the restriction into the qmgr phase. For this I've found that transport_maps works well." - https://serverfault.com/questions/412638/block-outgoing-mail-to-specific-address-using-postfix – Roland Pihlakas Aug 14 '20 at 16:38
8

So if someone stumbles over this like I did: the answer is indeed header_checks and it works as such:

  • Add the following line to /etc/postfix/main.cf:

    header_checks = regexp:/etc/postfix/header_checks

  • Add the new file /etc/postfix/header_checks with this content:

    /^To:.*@allowed-domain.com/  DUNNO
/^To:.*@/   REDIRECT redirect@example.com

Replace allowed-domain.com with the domain your mailserver should still send mails to. Replace redirect@example.com with the email address all other emails should be redirected to.

If you need to allow multiple domains, the first line should look like this:

/^To:.*@(allowed-domain.com|another-domain.com)/  DUNNO

Instead of redirecting you can simple drop all other mails. Replace the second line above with:

/^To:.*@/   DISCARD No outgoing mails allowed

Explanation:

  • Postfix goes through the mail headers one-by-one.
  • Each header line gets matched against the header_checks file line-by-line.
  • If it matches the first line (To: contains the allowed domain), it skips to the next header line and starts the header checks again from the top. Since no other line will match, this means the mail gets delivered.
  • If it matches the second line (To: contains another external email address), it redirects the mail.
Jonas
  • 221
  • 2
  • 5
3

Have you tried header_checks(5)?

0x44
  • 346
  • 1
  • 2
  • 6