How to allow relaying per domain?

> Hi Hans.
>
> I'm not sure if there is an easier way, but one way to achieve this is
> with a restriction class per server. (BTW I don't know much about LDAP
> so the example below is based on files...)
>
> main.cf:
> indexed = ${default_database_type}:${config_directory}/
> smtpd_restriction_classes = server1_sender_restrictions, server2_sender_restrictions, server3_sender_restrictions
> smtpd_relay_restrictions =
> check_client_access ${indexed}allservers_client_access,
> reject_unauth_destination
> server1_sender_restrictions = check_sender_access ${indexed}server1_sender_access, reject
> server2_sender_restrictions = check_sender_access ${indexed}server2_sender_access, reject
> server3_sender_restrictions = check_sender_access ${indexed}server3_sender_access, reject
>
> allservers_client_access:
> server1.internal.example.com server1_sender_restrictions
> server2.internal.example.com server2_sender_restrictions
> server3.internal.example.com server3_sender_restrictions
>
> server1_sender_access:
> example.com ok
> <> ok
>
> server2_sender_access:
> example.org ok
> <> ok
>
> server3_sender_access:
> example.net ok
> <> ok
>
> I use something like this myself and it works well if the number of
> servers is small and doesn't change often.
>
> Nick.
>
>
> On 25/09/20 2:42 am, Hans van Zijst wrote:
>> Is it possible to let Postfix decide which hosts to relay mail for,
>> based on the domain from which that mail is sent?
>>
>> I'm building a relayhost that should accept e-mail from a whole bunch of
>> internal mailservers, and relay it to the Internet, after scanning,
>> DKIM-signing and rate limiting.
>>
>> But I don't want to give Postfix one list of all hosts that are allowed
>> to relay mail through it, because that would allow users of all internal
>> servers to send mail from all domains. I'm looking for a way to let
>> Postfix check if the host is allowed to send mail for the domain involved.
>>
>> I'm using an LDAP backend and what I thought I wanted to do under
>> "smtpd_relay_restrictions" is a "check_client_access" query for the
>> domain, and return the attribute which contains the host(s) that are
>> allowed, with "PERMIT", like this:
>>
>> smtpd_relay_restrictions =  check_client_access ldap:relay_access
>>
>> Where the file relay_access contains something like:
>>
>> query_filter = domainName=%d
>> result_attribute = allowedHost
>> result_format = %s PERMIT
>>
>> But the input key here is not the domain name, but the address of the
>> smtpserver sending the message.
>>
>> How do I match a domain name with an IP-address or FQDN? Or am I looking
>> in the wrong direction here?
>>
>> Kind regards,
>>
>> Hans

>
> Hi Nick,
>
> Thanks for your reaction, it gave me some food for thought.
>
> I can see how this works for a limited number of servers, but
> unfortunately (?) our environment is a lot bigger than that.
>
> I think my solution is to write a policy service:
>
> http://www.postfix.org/SMTPD_POLICY_README.html
>
> That would give me all the variables I need, at the disadvantage of
> having to write and maintain some separate code.
>
> On 27-09-2020 08:32, Nick Tait wrote:
> > Hi Hans.
> >
> > I'm not sure if there is an easier way, but one way to achieve this is
> > with a restriction class per server. (BTW I don't know much about LDAP
> > so the example below is based on files...)
> > ...
> >
> > Nick.
> >
> >
> > On 25/09/20 2:42 am, Hans van Zijst wrote:
> >> Is it possible to let Postfix decide which hosts to relay mail for,
> >> based on the domain from which that mail is sent?
> >>
> >> I'm building a relayhost that should accept e-mail from a whole bunch of
> >> internal mailservers, and relay it to the Internet, after scanning,
> >> DKIM-signing and rate limiting.
> >>
> >> But I don't want to give Postfix one list of all hosts that are allowed
> >> to relay mail through it, because that would allow users of all internal
> >> servers to send mail from all domains. I'm looking for a way to let
> >> Postfix check if the host is allowed to send mail for the domain involved.
> >>
> >> I'm using an LDAP backend and what I thought I wanted to do under
> >> "smtpd_relay_restrictions" is a "check_client_access" query for the
> >> domain, and return the attribute which contains the host(s) that are
> >> allowed, with "PERMIT", like this:
> >>
> >> smtpd_relay_restrictions =  check_client_access ldap:relay_access
> >>
> >> Where the file relay_access contains something like:
> >>
> >> query_filter = domainName=%d
> >> result_attribute = allowedHost
> >> result_format = %s PERMIT
> >>
> >> But the input key here is not the domain name, but the address of the
> >> smtpserver sending the message.
> >>
> >> How do I match a domain name with an IP-address or FQDN? Or am I looking
> >> in the wrong direction here?
> >>
> >> Kind regards,
> >>
> >> Hans