The following is taken from the official Postfix documentation:
We want to implement an internal email distribution list. Something like email@example.com, which aliases to all employees. My first thought was to use the aliases map, but that would lead to “all” being accessible from the “outside”, and this is not desired… 🙂
Postfix can implement per-address access controls. What follows is based on the SMTP client IP address, and therefore is subject to IP spoofing.
/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/access
        ...the usual stuff...

/etc/postfix/access:
    firstname.lastname@example.org   permit_mynetworks,reject
    email@example.com                permit_mynetworks,reject
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what map types Postfix supports, use the command postconf -m.
Now, that would be sufficient when your machine receives all Internet mail directly from the Internet. That’s unlikely if your network is a bit larger than an office. For example, your backup MX hosts would “launder” the client IP address of mail from the outside so it would appear to come from a trusted machine.
In the general case you need two lookup tables: one table that lists destinations that need to be protected, and one table that lists domains that are allowed to send to the protected destinations.
What follows is based on the sender SMTP envelope address, and therefore is subject to SMTP sender spoofing.
/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/protected_destinations
        ...the usual stuff...

    smtpd_restriction_classes = insiders_only
    insiders_only = check_sender_access hash:/etc/postfix/insiders, reject

/etc/postfix/protected_destinations:
    firstname.lastname@example.org   insiders_only
    email@example.com                insiders_only

/etc/postfix/insiders:
    # matches my.domain and subdomains
    my.domain        OK
    # matches another.domain and subdomains
    another.domain   OK
Getting past this scheme is relatively easy, because all one has to do is to spoof the SMTP sender address.
If the internal list is a low-volume one, perhaps it makes more sense to make it moderated.
To get this working you have to perform these additional steps.
1. You need to run postmap to create the database:

    # postmap /etc/postfix/protected_destinations
    # postmap /etc/postfix/insiders

2. Restart Postfix:

    # /etc/init.d/postfix restart
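
To check how the two tables combine before deploying them, here is an added example (not taken from the Postfix documentation and not Postfix code): a simplified Python model of the recipient and sender lookups. The sender addresses are constructed samples, the function names are hypothetical, and the parent-domain matching assumes the default parent_domain_matches_subdomains behaviour.

```python
# Simplified model of access(5) lookups; not Postfix code.
# Constructed sample tables mirroring the layout shown above.
PROTECTED = """
# /etc/postfix/protected_destinations
firstname.lastname@example.org   insiders_only
email@example.com                insiders_only
"""
INSIDERS = """
# /etc/postfix/insiders
my.domain        OK
another.domain   OK
"""

def parse_table(text):
    """Parse 'key value' lines, skipping blank lines and '#' comments."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table

def lookup(table, address):
    """Search order: user@domain, domain, parent domains, then user@."""
    user, _, domain = address.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{user}@{domain}"]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{user}@")
    return next((table[k] for k in keys if k in table), None)

def decide(sender, recipient,
           protected=parse_table(PROTECTED), insiders=parse_table(INSIDERS)):
    """Verdict of the insiders_only scheme for one SMTP envelope."""
    if lookup(protected, recipient) != "insiders_only":
        return "DUNNO"      # not a protected address: later restrictions decide
    if lookup(insiders, sender) == "OK":
        return "OK"         # envelope sender is in an insider domain
    return "REJECT"         # the class ends with "reject"

if __name__ == "__main__":
    for sender in ("alice@my.domain", "bob@hq.another.domain",
                   "carol@notmy.domain", "dave@outside.example"):
        print(sender, "->", decide(sender, "email@example.com"))
```

The verdict depends only on the envelope sender that the client supplies, never on the connecting host, which is why the scheme is subject to SMTP sender spoofing.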