
Postfix - configuration of blocking distribution groups.

Grzegorz
2023-01-26
2023-01-30
  • Grzegorz

    Grzegorz - 2023-01-26

    Hello,
    I'm new to the forum, so I apologize in advance for any mistakes in the post.

    As in the topic, I have been administering a postfix based mail server for a long time.
    Basic configuration. Distribution lists in vi /etc/postfix/virtual.
    And I want to block users from sending firstname.lastname@company.pl to a distribution list containing all employees of list@firma.pl. Allow only selected few people to post to this list.
    Please give me detailed instructions on how to do this.

     
  • Simon Hobson

    Simon Hobson - 2023-01-27

    I think you may be in the wrong place. This is not a general Postfix help forum - this is for the separate package PostfixAdmin which configures/maintains virtual domains & mailboxes using Postfix (plus MySQL or PostgreSQL, optionally maildrop, and Courier or Dovecot).
    For Postfix help you should head over to postfix.org and check out the Postfix mailing lists.

    I have to admit, it's something I've pondered over occasionally. I suspect you'd need to do it in the check_sender_address or check_recipient_address blocks, using a table to allow/deny these. But I don't think you can specify both sender and recipient addresses in one table - effectively what you need is :
    permitted_user1 -> list@firma.pl permit
    permitted_user2 -> list@firma.pl permit
    * -> list@firma.pl deny

    Ah, I see you can do it, using smtpd_restriction_classes as described here : https://dan.langille.org/2019/01/25/using-postfix-to-block-mail-based-on-from-sender-and-to-recipient/
    In your case, I think you'll need to tweak it slightly so in your restricted_senders file you'll permit those you want and then reject everything else.

     
  • Grzegorz

    Grzegorz - 2023-01-30

    Hello,
    in summary, I need to add the following to my entry in /etc/postfix/main.cf:

    from my conf file.

    smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client dev.null.dk,
        reject_rbl_client smtp.dnsbl.sorbs.net,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client korea.services.net

    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_client_access hash:/etc/postfix/rbl_override
        check_sender_access hash:/etc/postfix/blacklist
        permit_mynetworks,
        check_recipient_access hash:/etc/postfix/protected_destinations
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unverified_recipient

    smtpd_restriction_classes = good_senders_only
    good_senders_only = check_sender_access hash:/etc/postfix/restricted_senders, permit

    smtp_tls_security_level = may
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

    and create two files vi /etc/postfix/protected_destinations

    lista@domena.pl good_senders_only <-- distribution list

    and
    vi /etc/postfix/restricted_sender

    firstname.lasname@domena.pl REJECT 521
    firstname.lasname@domena.pl REJECT 521
    firstname.lasname@domenapl REJECT 521
    firstname.lasname@domena.pl REJECT 521

    I want users firstname.lastname@domain.pl not to be able to send to list@iwnirz.pl.
    Also from outside the domain domain.pl (external) they could not send to this distribution list. Only three e-mail addresses from the company can send.

     

    Last edit: Grzegorz 2023-01-30
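
The allow-list variant suggested in the thread, written out as an added example (not configuration from either poster). The example.com addresses are constructed placeholders, and only the restrictions relevant to the list are shown; the existing RBL and sanity checks would follow them.

```conf
# ---- /etc/postfix/main.cf (fragment) ----
# Restrictions are evaluated in order and the first match decides.
# The list check therefore has to come before permit_mynetworks and
# permit_sasl_authenticated; placed after them, internal and authenticated
# senders are permitted before the restriction class is ever consulted.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/protected_destinations,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_restriction_classes = good_senders_only

# Allow-list: a sender found in the table gets OK, every other sender
# (internal or external) falls through to the final "reject".
good_senders_only =
    check_sender_access hash:/etc/postfix/restricted_senders,
    reject

# ---- /etc/postfix/protected_destinations ----
# Mail addressed to the distribution list is handed to the class above.
# Keep only addresses in your own domains in this table, because the
# lookup now runs before reject_unauth_destination.
list@example.com        good_senders_only

# ---- /etc/postfix/restricted_senders ----
# The only envelope senders allowed to post to the list (constructed).
poster1@example.com     OK
poster2@example.com     OK
poster3@example.com     OK

# ---- after editing the two tables ----
# postmap /etc/postfix/protected_destinations
# postmap /etc/postfix/restricted_senders
# postfix reload
```

check_sender_access matches the envelope sender (MAIL FROM), which the connecting client chooses, so this table alone does not prove who is posting. Tying the sender address to the authenticated login needs smtpd_sender_login_maps together with reject_sender_login_mismatch.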
