
I would like to add a virtual host/domain with several mailboxes on postfix where the users can only send mail to addresses with a specific domain hosted on the same postfix instance.

The scenario here is that I have a bunch of internal servers and applications that all run under "appname.local.domain.tld". I would like to allow these applications to only send mail from [email protected] to mailboxes at [email protected]. Destinations other than *@domain.tld should not be allowed for mail originating from *@local.domain.tld. This is to prevent data leaks from a misconfigured application (or an application under attack) and to make sure that all mail from these systems stays within the organization.

Mail for both *@domain.tld and *.local.domain.tld is handled by the same Postfix instance. Mail from *@domain.tld should obviously not be impacted by the restrictions defined above.

How can I configure postfix to achieve the scenario stated above?

1 Answer

As for limiting who can send to what, I believe this is what you are looking for:

In the general case you need two lookup tables: one table that lists destinations that need to be protected, and one table that lists domains that are allowed to send to the protected destinations.

    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            ...
            check_recipient_access hash:/etc/postfix/protected_destinations
            ...the usual stuff...

        smtpd_restriction_classes = insiders_only
        insiders_only = check_sender_access hash:/etc/postfix/insiders, reject

    /etc/postfix/protected_destinations:
        [email protected]   insiders_only
        [email protected]   insiders_only

    /etc/postfix/insiders:
        my.domain       OK  matches my.domain and subdomains
        another.domain  OK  matches another.domain and subdomains

From http://www.postfix.org/RESTRICTION_CLASS_README.html
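
The recipe quoted above protects destinations by sender, while the question asks for the inverse: limiting where a given sender domain may deliver. The same restriction-class mechanism turned around, as an added example that is not part of the original answer or of the README text it quotes; the class name `internal_rcpt_only` and the two table file names are assumptions, and the domains are the ones used in the question:

```conf
# ---- /etc/postfix/main.cf -------------------------------------------
# Class name and table paths below are illustrative assumptions.
smtpd_restriction_classes = internal_rcpt_only

# Class body: accept only recipients found in the table, reject the rest.
internal_rcpt_only =
    check_recipient_access hash:/etc/postfix/internal_recipients,
    reject

# The sender lookup must come BEFORE permit_mynetworks and
# permit_sasl_authenticated. Restrictions are evaluated in order and the
# first permit ends the list, so a later position would never be reached
# for mail coming from the internal application servers.
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# ---- /etc/postfix/restricted_senders --------------------------------
# Envelope senders that are subject to the class. With the default
# parent_domain_matches_subdomains (which lists smtpd_access_maps) this
# entry also covers appname.local.domain.tld and other subdomains.
# Senders at plain domain.tld do not match and are not restricted.
local.domain.tld    internal_rcpt_only

# ---- /etc/postfix/internal_recipients -------------------------------
# Recipient domains the restricted senders may reach. Under the same
# default, this entry also matches recipients in subdomains of domain.tld.
domain.tld          OK

# After editing either table, rebuild its index and reload:
#   postmap /etc/postfix/restricted_senders
#   postmap /etc/postfix/internal_recipients
#   postfix reload
```

The lookup keys on the envelope sender, which the submitting client chooses, so this catches a misconfigured application but not one that sends with a different sender address; selecting the class by client IP with `check_client_access` instead closes that gap. These restrictions also apply only to mail received by `smtpd`, not to mail submitted on the mail server itself through the local `sendmail` command.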
