When dealing with legacy applications that lack proper email address validation, we often need to implement mail server-level restrictions. The specific challenge here involves ensuring Postfix only allows outbound emails with authorized domains in the MAIL FROM field when originating from internal networks.
The most effective solution combines multiple Postfix features:
# /etc/postfix/main.cf additions
smtpd_restriction_classes = domain_restriction
domain_restriction =
    check_sender_access hash:/etc/postfix/authorized_domains
    reject
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    check_client_access cidr:/etc/postfix/internal_networks
    permit
First, we define which networks are considered internal:
# /etc/postfix/internal_networks
192.168.0.0/16 domain_restriction
10.0.0.0/8 domain_restriction
127.0.0.0/8 domain_restriction
0.0.0.0/0 permit
Create the authorized domains file:
# /etc/postfix/authorized_domains
example.com OK
.example.com OK
test.example.com OK
# REJECT message is optional
# hash: tables have no wildcard syntax; a plain domain key also covers its subdomains by default
otherdomain.com REJECT Unauthorized domain
After creating these files, execute:
postmap /etc/postfix/authorized_domains
# cidr: tables are read as plain text and need no postmap
postfix reload
Use these commands to verify:
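# From internal network (should pass); recipient@example.net is a placeholder
telnet localhost 25
EHLO client.example.com
MAIL FROM:<valid@example.com>
RCPT TO:<recipient@example.net>
RSET
# From internal network (should fail; with the default smtpd_delay_reject = yes
# the rejection is returned after RCPT TO, not after MAIL FROM)
MAIL FROM:<invalid@external.com>
RCPT TO:<recipient@example.net>
# From external network (should pass regardless of FROM)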
For simpler cases, you might consider:
# Senders not listed in sender_checks are rejected for every client, internal or external
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_checks
    reject
# /etc/postfix/sender_checks
example.com OK
.example.com OK
# hash: tables have no "*" wildcard key; the final "reject" in main.cf is the catch-all
If emails are being blocked unexpectedly:
- Check /var/log/mail.log for rejection reasons
- Verify postmap created .db files correctly
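- Test with postmap -q "example.com" hash:/etc/postfix/authorized_domains (postmap -q looks up the literal key only, so query the domain as it appears in the table, not a full address)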
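To see why a lookup hits or misses, the following added example (not part of the original page and not Postfix code) models in Python the key order that access(5) documents for sender addresses and the first-match cidr: client table from the first configuration. The function names are hypothetical, the table rows follow the page's sample files, and the `*.otherdomain.com` key is constructed to show that a wildcard-style key is never queried.

```python
import ipaddress

INTERNAL_NETWORKS = [  # cidr: table rows from the page; first matching row wins
    ("192.168.0.0/16", "domain_restriction"),
    ("10.0.0.0/8", "domain_restriction"),
    ("127.0.0.0/8", "domain_restriction"),
    ("0.0.0.0/0", "permit"),
]
AUTHORIZED_DOMAINS = {  # hash: table, exact-key lookups only
    "example.com": "OK",
    ".example.com": "OK",
    "test.example.com": "OK",
    # Constructed wildcard-style key: stored literally, so it is never queried.
    "*.otherdomain.com": "REJECT Unauthorized domain",
}


def sender_lookup_keys(sender, parent_style=True):
    """Keys tried in order for a sender address, following access(5).
    parent_style=True models the default parent_domain_matches_subdomains
    (which lists smtpd_access_maps); False models the ".domain" key style."""
    local, _, domain = sender.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_style else "." + parent)
    keys.append(f"{local}@")
    return keys


def client_class(client_ip):
    """Return the action of the first cidr row containing client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in INTERNAL_NETWORKS:
        if addr in ipaddress.ip_network(net):
            return action
    return "DUNNO"  # no row matched (e.g. an IPv6 client)


def decide(client_ip, sender):
    """Model of check_client_access -> domain_restriction -> reject."""
    if client_class(client_ip) != "domain_restriction":
        return "permit"  # cidr "permit" row or main.cf's final "permit"
    for key in sender_lookup_keys(sender):
        if key in AUTHORIZED_DOMAINS:
            return AUTHORIZED_DOMAINS[key]
    return "reject"  # the class's final "reject" catches unlisted senders
```

In this model an IPv6 client such as ::1 matches none of the IPv4 rows and falls through to the final permit, so list IPv6 ranges explicitly if internal hosts connect over IPv6.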
For high-volume mail servers:
- Use hash: instead of regexp: for better performance
- Place frequently matched domains earlier in the list
- Consider memcache for very large domain lists
When dealing with applications that allow arbitrary MAIL FROM addresses, we need to implement strict sender domain validation at the MTA level. Here's how to configure Postfix to only allow outbound emails with approved domains when originating from internal networks.
The most effective solution involves three main configuration files working together:
# /etc/postfix/main.cf additions
smtpd_restriction_classes =
    external_sender_access
    internal_sender_access
external_sender_access =
    check_sender_access hash:/etc/postfix/external_sender_access
    permit
internal_sender_access =
    check_sender_access hash:/etc/postfix/internal_sender_access
    reject
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    check_client_access cidr:/etc/postfix/network_sender_access
    permit
The network_sender_access file defines which IP ranges should be subject to strict sender validation:
# /etc/postfix/network_sender_access
127.0.0.0/24 internal_sender_access
192.168.0.0/16 internal_sender_access
0.0.0.0/0 external_sender_access
For internal senders, we specify exactly which domains are permitted:
# /etc/postfix/internal_sender_access
example.com OK
.example.com OK
The rejected alternative using reject_unlisted_sender doesn't work because:
- It only verifies if sender addresses exist in virtual_alias_maps
- It doesn't perform domain-level validation
- The check occurs before client IP-based restrictions are applied
When deploying this solution, consider:
- Test with non-destructive settings first (replace REJECT with WARN)
- Monitor mail logs during implementation
- Consider adding notification mechanisms for rejected emails
Verify your configuration with:
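postmap /etc/postfix/internal_sender_access
# external_sender_access is referenced in main.cf, so it must exist (it may be empty) and be compiled as well
postmap /etc/postfix/external_sender_access
postfix reload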
Then test both allowed and blocked scenarios from internal and external networks.