Old 09-20-2012, 01:00 PM   #1
rothgar
LQ Newbie
 
Registered: Sep 2012
Posts: 2

Rep: Reputation: Disabled
Postfix restrict senders based on what VLAN they are on


My postfix server is up and running great but I want to be able to restrict what senders can send to external recipients based on what VLAN the user is connecting from.
I already found the documentation to restrict users based on the sender's address http://www.postfix.org/RESTRICTION_C....html#external and I tried putting in a network rather than a sender in the restricted senders file (e.g. 192.168.0.0/24) but it appears to restrict internal and external email with that. Here is my main.cf file, local_domains, and restricted_senders.
Can someone tell me if this is even possible to restrict based on VLAN instead of based on the sender's address?
Code:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = postfix-test.example.com
myorigin = example.com
inet_interfaces = all
mydestination =
local_transport = error:Local delivery is unavailable
unknown_local_recipient_reject_code = 550
mynetworks = $config_directory/mynetworks
relay_domains = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
 
  
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_recipient_restrictions = 
	check_sender_access hash:/etc/postfix/restricted_senders
	permit_mynetworks
	reject
smtpd_restriction_classes = local_only
	
local_only = 
	check_recipient_access hash:/etc/postfix/local_domains
	reject
smtpd_peername_lookup = no
message_size_limit = 26214400
smtpd_delay_reject = yes
restricted_senders file
Code:
10.200.0.0/18 local_only
local_domains
Code:
example.com OK
I also have a mynetworks file (you can see it referenced in the main.cf) which contains all the VLANs that are allowed to send through the postfix server, including the one restricted network (10.200.0.0/18). I then compiled the db files with postmap restricted_senders and postmap local_domains.

Does postfix have the ability to restrict based on network rather than sender email?

Last edited by rothgar; 09-21-2012 at 09:46 AM.
 
Old 09-21-2012, 07:28 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

As I see this, can't you just treat this untrusted subnet as a generic remote client? Remove that range from mynetworks and then they'll have as much permission to send to postfix as a remote relay, i.e. to the domains that you host.
 
Old 09-21-2012, 12:53 PM   #3
rothgar
LQ Newbie
 
Registered: Sep 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie
As I see this, can't you just treat this untrusted subnet as a generic remote client? remove that range from mynetworks and then they'll have as much permission to send to postfix as a remote relay, i.e. to the domains that you host.
I tried taking out the network range from mynetworks but it denies sending emails even to internal addresses. Is there a setting to allow forwarding from all hosts to only internal addresses and then trusted networks can send to external addresses?
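
Added example, not part of any post in this thread: a configuration sketch that restricts by connecting client network instead of by envelope sender, reusing the `local_only` class, `local_domains` map and 10.200.0.0/18 range from the first post. The file name `/etc/postfix/restricted_clients` is an assumption chosen for illustration.

```ini
# ---- /etc/postfix/main.cf (only the lines that differ from the first post) ----

# check_sender_access looks up the envelope sender ADDRESS, and a hash: table
# does exact-key lookups, so a key such as "10.200.0.0/18" in
# hash:/etc/postfix/restricted_senders is never matched against a client IP.
# check_client_access looks up the connecting client's IP address, and a
# cidr: table understands network/prefix keys.
#
# Evaluation order (first match wins):
#   1. clients in the restricted network are handed to the local_only class
#   2. the remaining mynetworks clients may relay anywhere
#   3. every other client may deliver only to domains this server relays
#      for (relay_domains = example.com); the unconditional "reject" used
#      originally refused those clients even for internal recipients
smtpd_recipient_restrictions =
	check_client_access cidr:/etc/postfix/restricted_clients
	permit_mynetworks
	reject_unauth_destination

smtpd_restriction_classes = local_only

# Unchanged from the first post: recipients listed in local_domains are
# accepted, everything else is rejected.
local_only =
	check_recipient_access hash:/etc/postfix/local_domains
	reject

# ---- /etc/postfix/restricted_clients (assumed file name) ----
# cidr: tables are plain text read by the daemon; no postmap step is needed.
# The right-hand side names the restriction class to apply.
10.200.0.0/18	local_only

# ---- /etc/postfix/local_domains (unchanged, still built with postmap) ----
example.com	OK

# After editing, validate and load the change:
#   postfix check
#   postfix reload
```

Because the client lookup comes before `permit_mynetworks`, the restricted range is limited to internal recipients whether or not it is also listed in the mynetworks file.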
 
  

