This is the English translation of my originally Dutch article.

An organization which manages several domains, rents for a subset of those domains an external anti-spam service, to which the MX-records of those domains point to.

Those service’s servers receive the email, filter it, and forward them to the organization’s own mail server. This server also receives mail directly for domains which do not use the external anti-spam service.

Sometimes a domain is transferred from “directly receiving mail“, to “using the external service“. A domain which initially is not filtered gets transferred to the external system, by changing its MX-records to the external anti-spam service.

Now, spammers are smart guys actually, and they tend to remember the domain and its initial MX records pointing to the organization mail servers. As the anti-spam service forwards mail to that server, it keeps accepting mail for that domain. So that smart spammer will try sending its spam directly to the organization’s mail server, hence avoiding the anti-spam service.

To counter this, we want to restrict access to the organizations server. We could to that purely by the IP address of the SMTP sender, but this restriction should only match those specific domains which are filtered by the external anti-spam service, in such a way that only the mail servers of this service can forward mail to the organization’s mail server, whilst the latter still can directly receive all mail from other domains.

To resolve this problem, we need a way to configure our mail server (running Postfix MTA in this case), in such a way that all mail for a specific domain, which is filtered by the external anti-spam service, can only be sent from that’s service specific mail servers’ ip addresses, and without restricting the other domains.

We can implement this with Postfix’ restriction classes:

• /etc/postfix/main.cf:

  smtpd_recipient_restrictions =
        recipient_access hash:/etc/postfix/mailscan_domains
  smtpd_restriction_classes = mailscan_only
  mailscan_only =
        check_client_access hash:/etc/postfix/mailscan_client_ip, reject

• /etc/postfix/mailscan_domains:

  this.domain     mailscan_only
  that.domain     mailscan_only

• /etc/postfix/mailscan_client_ip:

  x.y.z.a      OK
  c.d.f.g      OK

We tell Postfix to put a restriction on the smtp receiver (smtpd_recipient_restrictions), and configure this rectriction with a hash table, which lists the domains who are filtered through the extrenal service and which assigns a specific “action” to them (/etc/postfix/mailscan_domains).

This action is not the typical OK or REJECT, but a rectriction class (smtpd_restriction_classes = mailscan_only), which contains another restriction on its own: checking the smtp sender’s ip address (check_client_access), which must match the ip address of one of the external anti-spam service’s addresses (/etc/postfix/mailscan_client_ip).

Postfix will now check the domain to which a mail is being received, and in the case where it is a domain being filtered externally, it will check that it effectively comes from a server of that service. If not, the mail is not accepted.