postfix open relay for only list of IPs

Red Squirrel

I remember I once had a setup like this where there was a file I could simply add an IP or IP range to, and postfix would allow relay to only those IPs. I can't figure out how to set that up. I've done some research on Google but found no straight-up answer; all of them were very complex setups that I don't need. All I want is a file that I can edit and specify the IPs. I think the file was called access.conf or something like that.
 

Netopia

Perhaps you mean the "mynetworks" setting in postfix's main.cf ... or perhaps the "relay_domains" settings in the same file.


Joe
 

Netopia

FROM:
http://www.postfix.org/postconf.5.html#relay_domains

relay_domains (default: $mydestination)
What destination domains (and subdomains thereof) this system will relay mail to. Subdomain matching is controlled with the parent_domain_matches_subdomains parameter. For details about how the relay_domains value is used, see the description of the permit_auth_destination and reject_unauth_destination SMTP recipient restrictions.

Domains that match $relay_domains are delivered with the $relay_transport mail delivery transport. The SMTP server validates recipient addresses with $relay_recipient_maps and rejects non-existent recipients. See also the relay domains address class in the ADDRESS_CLASS_README file.

Note: Postfix will not automatically forward mail for domains that list this system as their primary or backup MX host. See the permit_mx_backup restriction in the postconf(5) manual page.

Specify a list of host or domain names, "/file/name" patterns or "type:table" lookup tables, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a (parent) domain appears as lookup key. Specify "!pattern" to exclude a domain from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.
 

Red Squirrel

Yeah, think it's mynetworks since I don't care about domains in this case. But mynetworks only allows you to put 1 IP address; there's one that has an actual file, just can't recall what I'm supposed to name the file. I'm using CentOS 5.
 

child of wonder

In main.cf simply put:

mynetworks = 192.168.0.0/24 127.0.0.0/8

or whatever IPs and subnets you want to list. If it's a big list you can do:

mynetworks = cidr:/etc/postfix/mynetworks

Inside that file you can specify networks:

192.168.0.0/24 OK
172.16.0.0/16 REJECT

Then postmap that file and postfix reload.
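
Added example (not part of the thread and not Postfix code): a Python check of a cidr: table used for mynetworks. It models the documented match-list rule that a matching entry counts and its lookup result is ignored, so the REJECT line in the table above still trusts that network; cidr: tables are also read directly by Postfix, without postmap. It handles only plain "network result" lines, treats RFC 1918 and loopback space as internal (an assumption), and the 203.0.113.10 entry is a constructed stand-in for an external host.

```python
import ipaddress

# Constructed sample: the two lines from the post plus one external /32
# (203.0.113.10 is a documentation address, not a real host).
SAMPLE_TABLE = """\
192.168.0.0/24   OK
172.16.0.0/16    REJECT
203.0.113.10/32  OK
"""

# Assumption for this example: "internal" means RFC 1918 or loopback space.
INTERNAL_V4 = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_table(text):
    """Return [(network, result)] for each 'network result' line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        result = parts[1].strip() if len(parts) > 1 else ""
        entries.append((ipaddress.ip_network(parts[0], strict=False), result))
    return entries

def in_mynetworks(client_ip, entries):
    """Match-list rule: any matching entry trusts the client; result ignored."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net, _ in entries)

def audit(entries):
    """List entries that trust more than the file appears to say."""
    findings = []
    for net, result in entries:
        if result.upper() != "OK":
            findings.append(f"{net}: result {result!r} is ignored, still trusted")
        internal = net.version == 4 and any(net.subnet_of(i) for i in INTERNAL_V4)
        if not internal:
            findings.append(f"{net}: external address space in mynetworks")
    return findings

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print("172.16.5.9 trusted:", in_mynetworks("172.16.5.9", table))
    for finding in audit(table):
        print("WARN", finding)
```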
 

Skunk

I would not recommend adding an external ip address to mynetworks, unless you can be absolutely sure the sending server is secure.

You are effectively whitelisting everyone who uses that server regardless of which domain they are sending mail from, which in the case of shared servers can be a very bad thing.

This is a great guide for general antispam measures but has a great relaying section.
 

Red Squirrel

Yeah, the server I'm adding is a server under my full control. I have an application that can send email, so rather than set up another email server I'll just relay the mail through my main server. Once I can figure out SMTP authentication then I will be able to not worry about open relay, but I'm not at that point yet. For now I just use my ISP's SMTP servers, like for regular email from home. Though eventually I want to just be able to use my own.
 

child of wonder

Originally posted by: Skunk
I would not recommend adding an external ip address to mynetworks, unless you can be absolutely sure the sending server is secure.

You are effectively whitelisting everyone who uses that server regardless of which domain they are sending mail from, which in the case of shared servers can be a very bad thing.

This is a great guide for general antispam measures but has a great relaying section.


Yes.. do NOT put an external IP in mynetworks. Only internal subnets.
 

Netopia

Why don't you outline the entire scenario of what you're doing for us? It's possible that there are other ways of doing what you want, but you've asked a very narrow question. What's the bigger picture?

Joe
 

Red Squirrel

Basically I have two servers, we'll say server1 and server2. server1 has a VM with server2 in it, and they both have external internet addresses. I have a program on server2 that needs to send mail out, but the mail server is on server1. So rather than have another SMTP server on server2 to send mail, I just relay it to server1. So I put server2 in mynetworks.

Also, eventually I want to enable anyone with a POP3 account to use my SMTP server, but I'm not sure how to do that. Think I need a program to look at the POP3 logs and add the IPs in mynetworks temporarily, though I just don't feel that's the best way.