Originally Posted by d3ckard
Heh, postfix can't easily do that, because none of the rules checking check the sending system as WELL as the destination..
This isn't correct. This is what restriction classes are all about. The various smtpd_mumble_restrictions allow all sorts of combinations.
There are several ways to accomplish what the OP desires. Here are two:
1) Configure your postfix server with a submission port (587) for your prodx.test.ph server, which allows sending to any recipients. And configure the MUAs on that server to submit via port 587.
Configure your postfix server's standard port 25 smtpd with a check_recipient_access list which includes @sistercompany.com and rejects all other email.
You should have firewall rules that prohibit the other systems from attempting their own outbound port 25 connections.
2) Use restriction classes. I've commented below:
# test our client IP with check_client_access.
# declare a restrictive restriction class
smtpd_restriction_classes = restrictive
# define the class. It will perform a check_recipient_access check,
# using the file restricted_domains. If a match is found, it will return
# OK; otherwise, fall through to the reject rule.
# Our client IP access file. If any IP matches the list
# (replace non-prodx-IPx with the IP addresses of your
# restricted clients), return "restricted". This value has
# already been declared in main.cf to be another access lookup,
# so Postfix will then perform the access checks defined in
# the "restrictive" class.
# This is the list of domains we will allow sending to from our
# restricted clients. If the recipient envelope contains any
# domain listed below, the mail will be allowed.
Originally Posted by janskey
I'm also confused about smtpd_recipient_restrictions and smtpd_sender_restrictions. Which is the best solution for this problem?
In order to understand the smtpd_XXX_restrictions, you need to keep in mind the stages in the SMTP protocol. The basic conversation goes like this:
- MAIL FROM
- RCPT TO
At each stage, the sending client sends information appropriate for that stage, and the mail server considers that information and responds. The various smtpd_XXX_checks consider that information, and act upon it. So, there is an smtpd_helo_restrictions which corresponds to the HELO stage. And smtpd_sender_restrictions corresponds to the MAIL FROM stage. Likewise smtpd_recipient_restrictions (RCPT TO) and smtpd_data_restrictions (DATA). There are some more too, but we can ignore those for now.
There is additional information available to the Postfix smtpd mail server as well: the sending client's IP address, and it corresponds to smtpd_client_restrictions.
All these restrictions allow Postfix to reject a message at any of the various stages in the SMTP conversation based upon what the client has passed, or other client-specific information (client hostname, reverse hostname, etc.).
Many admins generally place most of their restrictions in the smtpd_recipient_restrictions because *more data is available* to Postfix for logging purposes and to make intelligent decisions about acceptance or rejection. Postfix by default does not respond with a reject at various stages of the SMTP conversation, and delays that response until the client has provided as much information as necessary.
If you have a real interest in how to configure Postfix and in its operation, consider getting The Book of Postfix.
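The restriction-class setup outlined in option 2 above, written out as an added example that is not part of the original post. The file name restricted_clients, the /etc/postfix paths, the hash: table type and the 192.0.2.x addresses are assumptions; restricted_domains and sistercompany.com come from the thread.

```conf
# --- /etc/postfix/main.cf (excerpt) ---
# Declare the class name so an access table may return it as an action.
smtpd_restriction_classes = restrictive

# Class body: permit only recipients found in restricted_domains,
# then reject every other recipient.
restrictive =
    check_recipient_access hash:/etc/postfix/restricted_domains,
    reject

# The client check must come before permit_mynetworks; otherwise an
# internal restricted host is permitted before the class is consulted.
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/restricted_clients,
    permit_mynetworks,
    reject_unauth_destination

# --- /etc/postfix/restricted_clients (assumed file name) ---
# Left side: client IP. Right side: the restriction class to apply.
# 192.0.2.x are documentation placeholders for the restricted hosts.
192.0.2.11    restrictive
192.0.2.12    restrictive

# --- /etc/postfix/restricted_domains ---
# Recipient domains the restricted clients may send to.
sistercompany.com    OK

# --- after editing either table ---
# postmap /etc/postfix/restricted_clients
# postmap /etc/postfix/restricted_domains
# postfix reload
```

A client that is not listed in restricted_clients gets no match from check_client_access and continues to permit_mynetworks as usual.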