Multi-tenant EFA System

Questions and answers about how to do stuff
zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Multi-tenant EFA System

Post by zohman »

Hi guys,

I configured an EFA appliance, and it's serving 3 companies as a mail relay for outgoing and a mail shield for incoming,
so all the traffic inbound and outbound from those companies goes through the EFA appliance.

To allow relay I'm adding the remote static IPs to "mynetworks" in the Postfix main.cf,
and for the mail shield I added the remote domains to /etc/postfix/transport with the related FQDN of the final destination.
(Of course I have security checks, custom ports and other stuff that is not your concern.)

Everything is working great and smooth;
I'm just trying to understand if it's possible in Postfix to bind the sender domain to the IP it is relaying from.

Let me explain:
remote mail server ip: 1.1.1.1
sent from domain: @abc.com

If the remote mail server sends an email, it goes to the EFA; Postfix checks if the sending IP is allowed to relay, and permits this IP to relay.
So far so good, but I want to tell Postfix, regardless of the relay permission,
to allow not just the remote IP but also the "MAIL FROM:" domain from the envelope.

The idea is: if it comes from server IP 1.1.1.1 and from @abc.com it will be allowed;
if it comes from server IP 1.1.1.1 but from @xyz.com it will be denied.

I'm trying to prevent a spambot or open relay proxy if the remote site gets a virus or any trojan.

Thank you in advance.
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Multi-tenant EFA System

Post by shawniverson »

I'm not sure about Postfix, but MailScanner would have no problem with a concatenated rule for this address and domain defined.
zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: Multi-tenant EFA System

Post by zohman »

shawniverson wrote: I'm not sure about Postfix, but MailScanner would have no problem with a concatenated rule for this address and domain defined.

If there is no alternative for rejecting the sender at the protocol level, I will check it out.
My idea is to block it from even reaching MailScanner and the other mail checks after hitting Postfix.
zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: Multi-tenant EFA System

Post by zohman »

shawniverson wrote: I'm not sure about Postfix, but MailScanner would have no problem with a concatenated rule for this address and domain defined.

I found a solution with Postfix that is working great for me!

If someone finds it interesting, I followed this:
http://serverfault.com/questions/664610 ... ng-postfix

With this, a server IP that I'm allowing to relay through my EFA will get access denied if it tries to use a MAIL FROM: domain that is not allowed.
Also, if someone tries to fake MAIL FROM: with some domain that EFA serves, he will get a "you are not from here!" reject.

life is good :)
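One common way to get the behaviour described in the last post, using Postfix restriction classes keyed on the client IP. This is an added example, not taken from the thread or from the linked answer. The class name `tenant_abc` and the three table file names are assumptions; the IP, domain and reject text are the ones quoted in the thread.

```conf
# ---- /etc/postfix/main.cf (additions) ----
# One restriction class per tenant (class name is hypothetical): accept only
# that tenant's envelope sender domains, reject any other MAIL FROM.
smtpd_restriction_classes = tenant_abc
tenant_abc =
    check_sender_access hash:/etc/postfix/tenant_abc_senders,
    reject

# Evaluated in order for every MAIL FROM:
#  1. client IP is a tenant relay  -> that tenant's class decides
#  2. any other client that claims a hosted domain -> rejected
# Relay permission itself (mynetworks, as in the first post) is unchanged;
# an OK here only ends the sender checks, it does not grant relay.
smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/tenant_clients,
    check_sender_access hash:/etc/postfix/hosted_domains_reject

# ---- /etc/postfix/tenant_clients (cidr table, no postmap needed) ----
# Tenant relay IP -> name of the restriction class to apply
1.1.1.1/32    tenant_abc

# ---- /etc/postfix/tenant_abc_senders (hash table) ----
# Envelope sender domains this tenant may use
abc.com       OK
# Uncomment to let this tenant relay bounces (null sender, MAIL FROM:<>):
# <>          OK

# ---- /etc/postfix/hosted_domains_reject (hash table) ----
# Reached only by clients that are NOT listed in tenant_clients
abc.com       REJECT you are not from here!
```

Run `postmap` on the two hash tables and `postfix reload` after editing. With this in place 1.1.1.1 sending as @xyz.com hits the class's final `reject`, and each further tenant gets its own class, client entry and sender table.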