Postfix : Only receive emails from specific domains?
How can I set up Postfix so that it will only receive emails from specific domains?
There's a specific email account on my server that I would only like to be able to receive emails relayed from txt.att.net, text.wireless.alltel.com, and mms.alltel.net. Any other emails relayed to this account should get bounced back to the sender.
Solution 1:
It depends how you want to restrict it. I'm not sure whether those are the mail relays you're talking about or the sending addresses.
Sending addresses
You can use the check_sender_access directive within an appropriate smtpd_*_restrictions. It's normally best practice to apply all sender, host checks etc. within the recipient restrictions (i.e. after the client has sent 'RCPT To:').
e.g. to allow only mail from senders @gmail.com and @hotmail.com ...
set smtpd_recipient_restrictions to the following:
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/access,
    reject
Now /etc/postfix/access should be of the form:
gmail.com OK
hotmail.com OK
Use postmap hash:/etc/postfix/access to create the hash table.
Relay hostname or IP
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_access,
    reject
The format of client_access is similar:
host.name.of.system.com OK
ip.addr.of.system OK
Reading your logs
The following is a full excerpt from my mail.log for an example message. I picked a message and got the queue id - 31AF4761F3. It will be in the headers of the mail as well as your mail log file.
$ grep 31AF4761F3 /var/log/mail.log
Sep 4 09:30:38 cutoffs postfix/smtpd[7912]: 31AF4761F3: client=russian-caravan.cloud9.net[w.x.y.z]
Sep 4 09:30:38 cutoffs postfix/cleanup[7915]: 31AF4761F3: message-id=<007B93C54F154113B36026A22D5E0106@gaby>
Sep 4 09:30:38 cutoffs postfix/qmgr[19172]: 31AF4761F3: from=<[email protected]>, size=4225, nrcpt=1 (queue active)
Sep 4 09:30:39 cutoffs postfix/pipe[7916]: 31AF4761F3: to=<XXXX@XXXX>, relay=spamassassin, delay=1.4, delays=0.19/0.01/0/1.3, dsn=2.0.0, status=sent (delivered via spamassassin service)
Sep 4 09:30:39 cutoffs postfix/qmgr[19172]: 31AF4761F3: removed
You can see in the first line, we have client=russian-caravan.cloud9.net (which is the mail server that sends mail for the postfix mailing list) and the IP address is in brackets. You can use the hostname or the IP in the access file but remember if they have multiple mail relays or ever change their mail relays, you'll need to figure that out.
Solution 2:
phil's answer is good except for one detail. don't use "OK" on the RHS of /etc/postfix/access or /etc/postfix/client_access. that makes your mail server a partial open relay for anyone claiming to be sending mail from @gmail.com or @hotmail.com (access) or for the particular hosts allowed in client_access. this goes beyond just allowing them to send mail to specific users on your system, it allows them to relay mail to any user on any system through yours.
instead, use "permit_auth_destination". that allows them to send to your local domains, or to any that you are configured to relay for, but NOT to any arbitrary domain.
e.g.
/etc/postfix/access:
gmail.com permit_auth_destination
hotmail.com permit_auth_destination
/etc/postfix/client_access:
host.name.of.system.com permit_auth_destination
ip.addr.of.system permit_auth_destination
even if everything else is perfectly configured, using "OK" in postfix access rules is a bad habit to get into. sometimes you really need it, but by default your habit should be to use "permit_auth_destination" instead.
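Added example (not part of either answer, and not Postfix code): a simplified Python model of the restriction list from Solution 1, comparing "OK" with "permit_auth_destination" on the right-hand side of the access table. The envelope sender is whatever the client claims, so the second case is the relay condition Solution 2 describes. Assumptions: LOCAL_DOMAINS stands in for the domains the server delivers or relays for, the tables are keyed by sender domain only, all addresses are constructed, and no separate smtpd_relay_restrictions list is modelled.

```python
# Simplified model (added example) of Postfix evaluating
#   smtpd_recipient_restrictions = check_sender_access <table>, reject
# Assumptions: LOCAL_DOMAINS stands in for mydestination/relay_domains, the
# tables are keyed by sender domain only, and no smtpd_relay_restrictions
# list is modelled. All addresses below are constructed.

LOCAL_DOMAINS = {"example.org"}

WITH_OK = {"gmail.com": "OK", "hotmail.com": "OK"}
WITH_PAD = {"gmail.com": "permit_auth_destination",
            "hotmail.com": "permit_auth_destination"}

CASES = [
    ("someone@gmail.com", "user@example.org"),         # listed sender, local recipient
    ("someone@gmail.com", "third@elsewhere.example"),  # listed sender, foreign recipient
    ("someone@other.example", "user@example.org"),     # unlisted sender
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def check_sender_access(table, sender, rcpt):
    """Return 'permit', 'reject' or 'dunno' (no verdict, keep evaluating)."""
    action = table.get(domain_of(sender))
    if action is None:
        return "dunno"
    if action == "OK":
        return "permit"  # accepts the recipient whatever its domain is
    if action == "permit_auth_destination":
        # Permit only for domains this server delivers or relays for.
        return "permit" if domain_of(rcpt) in LOCAL_DOMAINS else "dunno"
    raise ValueError(f"action not modelled: {action}")


def evaluate(table, sender, rcpt):
    """Walk the restriction list; the first definite verdict wins."""
    for verdict in (check_sender_access(table, sender, rcpt), "reject"):
        if verdict != "dunno":
            return verdict


def compare():
    return [(s, r, evaluate(WITH_OK, s, r), evaluate(WITH_PAD, s, r))
            for s, r in CASES]


if __name__ == "__main__":
    for sender, rcpt, ok, pad in compare():
        print(f"{sender} -> {rcpt}: OK table={ok}, permit_auth_destination table={pad}")
```

Only the second case differs between the two tables: the listed sender domain with a foreign recipient is permitted under "OK" and falls through to reject under "permit_auth_destination".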
Solution 3:
Based on this link: http://www.postfix.org/RESTRICTION_CLASS_README.html#internal
my config:
/etc/postfix/main.cf
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
/etc/postfix/insiders
mydomain.com OK
otherdomain.com OK
[email protected] OK
/etc/postfix/protected_destinations
restricted_email@ insiders_only
then
postmap /etc/postfix/insiders
postmap /etc/postfix/protected_destinations
/etc/init.d/postfix restart
This setup allows incoming emails only from the /etc/postfix/insiders objects and affects only the address/es held in the file protected_destinations and NOT the global system, so all other users can get incoming mail as always. Note that it can be domains and/or email addresses.
The restricted_email@ insiders_only line covers all domains in the server. I hold only local users on my server and I need to put the "@" at the end of restricted_email in order to work with all restricted_email@domains which is what I want.