Discussion:
allow relay based on DNS domain lookup rather than IP subnet
p***@gmail.com
2018-04-25 16:12:53 UTC
How, with Postfix, can I allow relay for any SMTP client connection whose reverse DNS lookup matches a domain? The mail server is using a DNS server I control that is the final authority on that domain. My hundreds of clients in my domain are scattered over hundreds of different IP subnets on campus, so maintaining an IP list for Postfix in addition to DNS would be unneeded redundancy prone to error.

For sendmail this is as simple as adding the domain to /etc/mail/relay-domains.

In postfix, conceptually I want to do:

mynetworks = *.mydomain.com
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination


but mynetworks does not seem to accept non-IP address/mask values.
p***@gmail.com
2018-04-25 16:34:07 UTC
This doesn't seem to work even with IP mask values. I have

mynetworks = 172.21.21.0/24
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination

but I still get rejected from that subnet:

Apr 25 12:27:20 mail-new postfix/smtpd[28726]: NOQUEUE: reject: RCPT from client.domain.com[172.21.21.32]: 554 5.7.1 <***@gmail.com>: Relay access denied; from=<***@domain.com> to=<***@gmail.com> proto=ESMTP helo=<client.domain.com>
p***@gmail.com
2018-04-25 16:52:36 UTC
Sorry, I failed to add permit_mynetworks to smtpd_recipient_restrictions as well. Once I did that it worked.

Still, my problem of using domains instead of IP network/mask values exists.
p***@gmail.com
2018-04-25 17:13:51 UTC
The following seems to be working for me but please someone interject if this is the wrong way to do it.

I created a /etc/postfix/relay-domains file with the line:

domain.com OK

and ran postmap on it.

I then added to both smtpd_recipient_restrictions and smtpd_relay_restrictions
the line:

check_client_access hash:/etc/postfix/relay-domains

and restarted postfix.
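An added example, not from the thread, that models the lookup Postfix performs for check_client_access against a hash: table like the one above. It assumes constructed DNS answers and the single-line map from the post; the point it shows is that only a forward-confirmed reverse name (PTR name resolving back to the connecting IP) is matched against the domain entries, so a stray PTR record someone else controls does not earn relay rights.

```python
from typing import Optional

# Constructed stand-in for the DNS answers the mail server would receive (not real data).
PTR = {
    "172.21.21.32": "client.domain.com",  # legitimate campus host
    "203.0.113.9": "evil.domain.com",     # PTR set by whoever controls that IP's reverse zone
}
FORWARD = {
    "client.domain.com": {"172.21.21.32"},
    "evil.domain.com": {"198.51.100.7"},  # the authoritative zone does not point this name at 203.0.113.9
}

# Contents of /etc/postfix/relay-domains after postmap: lookup key -> action
RELAY_DOMAINS = {"domain.com": "OK"}


def verified_client_name(ip: str) -> str:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip,
    otherwise Postfix records the client hostname as 'unknown'."""
    name = PTR.get(ip)
    if name and ip in FORWARD.get(name, set()):
        return name
    return "unknown"


def check_client_access(ip: str, table: dict) -> Optional[str]:
    """Search order of a hash: client access map: the full verified hostname,
    then its parent domains (parent_domain_matches_subdomains includes
    smtpd_access_maps by default), then the IP address and its shorter
    octet prefixes. Returns the action found, or None when nothing matches."""
    keys = []
    name = verified_client_name(ip)
    if name != "unknown":
        labels = name.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    for key in keys:
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for client in PTR:
        print(client, verified_client_name(client), check_client_access(client, RELAY_DOMAINS))
```

Because the decision rests on DNS, the authoritative zone (and the resolver the mail server uses) is now part of the relay trust boundary.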
