In an earlier post about configuring Postfix as a mail gateway to Exchange, I mentioned that if you use a message filtering service, you can restrict all access to your gateway to a specific set of server IP addresses after you’ve set your DNS MX resource records to point to your provider. But what about cases where you have multiple domains and only a subset of them use such a service? You need to restrict access on a domain-by-domain basis. How can you do this with Postfix? In your main.cf file, add the following:

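# destination_access is keyed by recipient domain, so it needs check_recipient_access.
# This works in smtpd_client_restrictions only while smtpd_delay_reject = yes (the default).
smtpd_client_restrictions =
        check_recipient_access hash:/etc/postfix/destination_access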

# The following is a documented hack to make recursion work.
smtpd_restriction_classes = example_com_exchangers_only
example_com_exchangers_only =
        check_client_access hash:/etc/postfix/example_com_access reject

The destination_access file contains one line per domain, setting it to either ‘OK’ or ‘example_com_exchangers_only’, as follows:

example.com                    example_com_exchangers_only
another.com                    OK
hosted.com                     OK

Finally, the example_com_access file contains the IP addresses of valid clients for your SMTP service, i.e. those that can send mail to example.com addresses:

# SMTP clients allowed to send to example.com
# hash: tables cannot match CIDR notation; the prefix 64.18.2 covers 64.18.2.0/24
64.18.2           OK
64.18.6.10         OK
64.18.6.11         OK
64.18.6.13         OK
64.18.6.14         OK
10.1.1.10          OK
192.168.1.2       OK
192.168.1.3       OK

These are sample addresses, some of which happen to correspond to Postini addresses at the moment. Note that you should also include your internal Exchange server’s IP address and the addresses of any DMZ hosts that also send mail. If you need other restriction classes for different domains, simply add them to the smtpd_restriction_classes directive. Of course, as always, use postmap to create your lookup tables.
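
To sanity-check the tables before running postmap, the two-stage decision (recipient domain, then client address) can be modelled offline. This is an added example, not code from the original post: the function names are hypothetical, the tables are constructed samples, and the model is simplified (IPv4 only, exact recipient-domain match).

```python
import ipaddress

# Constructed sample tables in hash: source format ("key value" per line).
DESTINATION_ACCESS = """\
example.com   example_com_exchangers_only
another.com   OK
"""
EXAMPLE_COM_ACCESS = """\
64.18.2       OK
64.18.6.10    OK
10.1.1.10     OK
"""

def parse_table(text):
    """Parse 'key value' lines; refuse CIDR keys, which a hash: table never matches."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        if "/" in key:
            raise ValueError(f"CIDR key {key!r} needs a cidr: table, not hash:")
        table[key.lower()] = value.strip()
    return table

def client_lookup(table, ip):
    """Simplified access(5) order for IPv4: a.b.c.d, then a.b.c, a.b, a."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for n in range(4, 0, -1):
        hit = table.get(".".join(octets[:n]))
        if hit:
            return hit
    return None

def decide(client_ip, recipient, dest=DESTINATION_ACCESS, classes=None):
    """Return 'OK', 'REJECT' or 'DUNNO' (falls through to later restrictions)."""
    classes = classes or {"example_com_exchangers_only": EXAMPLE_COM_ACCESS}
    domain = recipient.rsplit("@", 1)[-1].lower()
    action = parse_table(dest).get(domain)
    if action is None:
        return "DUNNO"
    if action in classes:
        # Class body: client table lookup followed by an unconditional reject.
        return client_lookup(parse_table(classes[action]), client_ip) or "REJECT"
    return action
```

A domain missing from destination_access returns DUNNO here, meaning the decision is left to whatever restrictions follow in main.cf.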
