From: Lunar_Lamp on
My aim is to restrict a web application from sending to any domains
other than those specifically allowed. Obviously, by default postfix is
allowing me to send to all domains. However, I have not been able to
restrict - all domains are still sent to.

All emails are sent from the same email address (excerpt from maillogs -
apologies to those who dislike obfuscated domains):

logs:
#### snip ####
Jul 28 09:13:04 rt1 postfix/pickup[3465]: 57BF616180B2: uid=48 from=<apache>
Jul 28 09:13:04 rt1 postfix/cleanup[3545]: 57BF616180B2: message-id=<rt-3.8.7-14324-1280308384-91.4989-15-0@mydomain.com>
Jul 28 09:13:04 rt1 postfix/qmgr[12167]: 57BF616180B2: from=<apache@hostname.subdomain.mydomain.com>, size=1181, nrcpt=1 (queue active)
#### snip ####

I added the following lines to my main.cf to achieve my aims:
#### snip ####
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
smtpd_restriction_classes = allowed_only
allowed_only = check_recipient_access hash:/etc/postfix/allowed_domains, reject
#### snip ####

/etc/postfix/restricted_senders:
####
apache@hostname.subdomain.mydomain.com allowed_only
####

/etc/postfix/allowed_domains:
####
mydomain.com OK
mydomain.co.uk OK
mydomain.net OK
####

postconf -n:
########
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
smtpd_restriction_classes = allowed_only
unknown_local_recipient_reject_code = 550
########
From: Brian Evans - Postfix List on
On 7/28/2010 8:53 AM, Lunar_Lamp wrote:
> My aim is to restrict a web application from sending to any domains
> other than those specifically allowed. Obviously, by default postfix
> is allowing me to send to all domains. However, I have not been able
> to restrict - all domains are still sent to.
>
> All emails are sent from the same email address (excerpt from maillogs
> - apologies to those who dislike obfuscated domains):
>
> logs:
> #### snip ####
> Jul 28 09:13:04 rt1 postfix/pickup[3465]: 57BF616180B2: uid=48
> from=<apache>
> Jul 28 09:13:04 rt1 postfix/cleanup[3545]: 57BF616180B2:
> message-id=<rt-3.8.7-14324-1280308384-91.4989-15-0@mydomain.com>
> Jul 28 09:13:04 rt1 postfix/qmgr[12167]: 57BF616180B2:
> from=<apache@hostname.subdomain.mydomain.com>, size=1181, nrcpt=1
> (queue active)
> #### snip ####
>
> I added the following lines to my main.cf to achieve my aims:
> #### snip ####
> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders
> smtpd_restriction_classes = allowed_only
> allowed_only = check_recipient_access
> hash:/etc/postfix/allowed_domains, reject
> #### snip ####
Your webapp is submitting mail via the sendmail(1) command.

smtpd restrictions apply to mail arriving via smtpd only.

To get the result you want, you must change your webapp to either: 1)
restrict the emails; 2) submit via smtp.
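
An added example, not part of the original thread or of Postfix itself: a small log audit that groups maillog lines by queue ID, records whether each message entered through pickup (local sendmail(1) submission, which never passes through the smtpd_* restrictions) or through smtpd, and flags pickup-submitted messages whose recipients fall outside the allow list. The log lines after the first are constructed for illustration, the function name `audit` is hypothetical, and domains are compared by exact match only.

```python
import re
from collections import defaultdict

# Domains listed in the thread's /etc/postfix/allowed_domains.
ALLOWED = {"mydomain.com", "mydomain.co.uk", "mydomain.net"}

# Constructed sample: the first line follows the thread's excerpt, the rest are made up.
SAMPLE_LOG = """\
Jul 28 09:13:04 rt1 postfix/pickup[3465]: 57BF616180B2: uid=48 from=<apache>
Jul 28 09:13:05 rt1 postfix/smtp[3550]: 57BF616180B2: to=<user@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1, status=sent (250 ok)
Jul 28 09:20:11 rt1 postfix/smtpd[3601]: 6A1C216180B3: client=localhost[127.0.0.1]
Jul 28 09:20:12 rt1 postfix/smtp[3602]: 6A1C216180B3: to=<staff@mydomain.com>, relay=mx.mydomain.com[192.0.2.20]:25, delay=1, status=sent (250 ok)
Jul 28 09:25:40 rt1 postfix/pickup[3465]: 7B2D316180B4: uid=48 from=<apache>
Jul 28 09:25:41 rt1 postfix/smtp[3610]: 7B2D316180B4: to=<boss@mydomain.co.uk>, relay=mx.mydomain.co.uk[192.0.2.30]:25, delay=1, status=sent (250 ok)
"""

# "postfix/<service>[pid]: <queue id>: <rest>"; lines without a hex queue ID are skipped.
LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
RCPT = re.compile(r"\bto=<[^>]*@(?P<domain>[^>]+)>")


def audit(log_text, allowed=ALLOWED):
    """Return ({queue_id: entry service}, [(queue_id, [disallowed domains])])."""
    entry = {}                       # queue ID -> "pickup" or "smtpd"
    rcpt_domains = defaultdict(set)  # queue ID -> recipient domains seen
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        # The first pickup/smtpd line for a queue ID shows how the message entered.
        if svc in ("pickup", "smtpd") and qid not in entry:
            entry[qid] = svc
        r = RCPT.search(rest)
        if r:
            rcpt_domains[qid].add(r.group("domain").lower())
    findings = []
    for qid, svc in entry.items():
        outside = sorted(rcpt_domains[qid] - allowed)
        # Only pickup mail is reported: smtpd restrictions were never evaluated for it.
        if svc == "pickup" and outside:
            findings.append((qid, outside))
    return entry, findings


if __name__ == "__main__":
    for qid, domains in audit(SAMPLE_LOG)[1]:
        print(f"{qid}: submitted via pickup, recipients outside allow list: {domains}")
```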

From: Lunar_Lamp on
On 28/07/10 14:03, Brian Evans - Postfix List wrote:
> On 7/28/2010 8:53 AM, Lunar_Lamp wrote:
>> My aim is to restrict a web application from sending to any domains
>> other than those specifically allowed. Obviously, by default postfix
>> is allowing me to send to all domains. However, I have not been able
>> to restrict - all domains are still sent to.
>>
>> All emails are sent from the same email address (excerpt from
>> maillogs - apologies to those who dislike obfuscated domains):
>>
>> logs:
>> #### snip ####
>> Jul 28 09:13:04 rt1 postfix/pickup[3465]: 57BF616180B2: uid=48
>> from=<apache>
>> Jul 28 09:13:04 rt1 postfix/cleanup[3545]: 57BF616180B2:
>> message-id=<rt-3.8.7-14324-1280308384-91.4989-15-0@mydomain.com>
>> Jul 28 09:13:04 rt1 postfix/qmgr[12167]: 57BF616180B2:
>> from=<apache@hostname.subdomain.mydomain.com>, size=1181, nrcpt=1
>> (queue active)
>> #### snip ####
>>
>> I added the following lines to my main.cf to achieve my aims:
>> #### snip ####
>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
>> smtpd_restriction_classes = allowed_only
>> allowed_only = check_recipient_access
>> hash:/etc/postfix/allowed_domains, reject
>> #### snip ####
> Your webapp is submitting mail via the sendmail(1) command
>
> smtpd restrictions apply to mail arriving via smtpd only.
>
> To get the result you want, you must change your webapp to either: 1)
> restrict the emails; 2) submit via smtp

Thanks for the swift reply. Assuming that I change the webapp to send
via smtp, would my configuration be expected to work?