smtpd_restriction_classes = has_our_domain_as_sender has_our_domain_as_sender = check_sender_access hash:/etc/postfix/our_domain_as_sender reject smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/internal_networks # # If the Client is in the our networks 10.* or 192.168.*.* networks, we # return "has_our_domain_as_sender". # "has_our_domain_as_sender" is defined as # "check_sender_access hash:/etc/postfix/our_domain_as_sender" # which will only return OK if the sender is "example.com" or the # empty sender (for bounces!!), otherwise reject. # check_sender_access hash:/etc/postfix/not_our_domain_as_sender # # The client is not in 10.* or 192.168.*.* (otherwise # the previous restriction would have matched!). # Now we check the sender. If it's example.com NOW, then # somebody from the outside is trying to use a example.com sender # Thus: 554 Bloody liar! # reject_unauth_destination # prevent relaying ... other spam checks ... permit
/etc/postfix/internal_networks:
10 has_our_domain_as_sender 192.168 has_our_domain_as_sender
/etc/postfix/our_domain_as_sender:
example.com OK <> OK
/etc/postfix/not_our_domain_as_sender:
example.com 554 Bloody liar!