On Saturday, 09.08.2008, 12:08 +0200, Leonardo Boselli wrote:
> On Fri, 8 Aug 2008, Tony Finch wrote:
> > On Fri, 8 Aug 2008, Peter Thomassen wrote:
> > > stuff; that is already done by the main machine. Therefore I want to
> > > narrow the "mail-in chain" to mail from this trusted machine.
> > I think that kind of access restriction is the job of the access control
> > lists, not the routers.
>
> This?
>
> #!!# ACL that is used after the RCPT command
> check_recipient:
>   accept  hosts = :
>   # accept domains = +local_domains
>   # accept domains = +relay_domains
>   accept  hosts = +relay_hosts
>   accept  hosts = +auth_relay_hosts
>           endpass
>           message = authentication required
>           authenticated = *
>   deny    message = relay not permitted
>
> so just comment out the accept-domains line and restrict relay_hosts to
> the single authorized machine (possibly add localhost).
I now set up another ACL for acl_smtp_connect which also seems ok:

acl_check_host:
  deny    !hosts  = MAIN_RELAY_NETS
          message = access restricted
  accept

If there are any objections, please let me know.
BTW, can the ACL "hosts" condition contain subnets like 192.168.1/24?
Thanks,
Peter
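
A complete Exim configuration fragment that wires the connect-time ACL and the RCPT ACL from this thread together, as an added example that is not from any post in the thread. The hostlist name relay_from_hosts, the host 192.168.1.10 and the subnet 192.168.1.0/24 are assumptions; the subnet is written in the full-address-plus-mask-length form that the Exim specification documents for host list items.

```exim
# Main section. Assumed: one trusted internal host plus one internal
# subnet are the only sources allowed to hand mail to this machine.
# A mask-length item is written with the full network address.
hostlist relay_from_hosts = 127.0.0.1 : ::1 : 192.168.1.10 : 192.168.1.0/24

acl_smtp_connect = acl_check_host
acl_smtp_rcpt    = acl_check_rcpt

begin acl

# Run when the TCP connection arrives: anything not in the trusted list
# is refused before it can issue a single SMTP command.
acl_check_host:
  deny    !hosts  = +relay_from_hosts
          message = access restricted
  accept

# Run after each RCPT. The usual "accept domains = +local_domains" and
# "accept domains = +relay_domains" lines are deliberately absent, so the
# only way to get a recipient accepted is to be a trusted host (the empty
# item ":" matches mail submitted locally, not over a network connection).
acl_check_rcpt:
  accept  hosts   = :
  accept  hosts   = +relay_from_hosts
  deny    message = relay not permitted
```

The ACLs can be exercised without a live connection using Exim's host-testing mode, for example `exim -bh 10.0.0.5` (should be refused at connect) and `exim -bh 192.168.1.10` (should be allowed through to RCPT).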