Based on the standard configuration given in https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall, parent_domain_matches_subdomains = debug_peer_list, smtpd_access_maps should help in rejecting mails from subdomains. Say I have a single line in my access maps which allows only my domain's emails; it will make the matter worse by matching subdomains with that line too, won't it?
1 Answer
The example does not reject mail from subdomains, but mail for subdomains.
Lines 1-10: - - and accept mail from outside for "[email protected]" but not for "[email protected]". The magic is in lines 4-5.
The parent_domain_matches_subdomains is:
A list of Postfix features where the pattern "example.com" also matches subdomains of example.com, instead of requiring an explicit ".example.com" pattern. This is planned backwards compatibility: eventually, all Postfix features are expected to require explicit ".example.com" style patterns when you really want to match subdomains.
By default (postconf -d | grep parent_) there are many more backwards compatible features:
parent_domain_matches_subdomains =
    debug_peer_list,
    fast_flush_domains,
    mynetworks,
    permit_mx_backup_networks,
    qmqpd_authorized_clients,
    relay_domains,
    smtpd_access_maps
This example is limiting them to debug_peer_list, smtpd_access_maps, removing many including the relay_domains that is meaningful in that situation. If you wish to also remove the smtpd_access_maps just do it. It is an example.
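
The matching rule quoted above, as an added Python example that is not part of the original answer or of Postfix itself: it models only the domain-part keys an access(5) table is queried with, depending on whether smtpd_access_maps is listed in parent_domain_matches_subdomains. The function names and table contents are constructed for illustration.

```python
# Model of Postfix access(5) domain lookups (illustrative, not Postfix code).
# Assumption: only the domain part is modelled; full-address and
# localpart@ keys that Postfix tries first are left out.

def lookup_keys(domain, listed):
    """Return the keys tried for `domain`, most specific first.

    listed=True  -> smtpd_access_maps is in parent_domain_matches_subdomains,
                    so parents are tried as "example.com".
    listed=False -> parents are tried only in the explicit ".example.com" form.
    """
    name = domain.lower()
    keys = [name]                       # the exact domain is always tried
    while "." in name:
        name = name.split(".", 1)[1]    # strip the leftmost label
        keys.append(name if listed else "." + name)
    return keys


def check_access(table, domain, listed):
    """Return (matching_key, action), or (None, None) when nothing matches."""
    for key in lookup_keys(domain, listed):
        if key in table:
            return key, table[key]
    return None, None


# Constructed access map: a single line that allows only the parent domain.
ALLOW_PARENT_ONLY = {"example.com": "OK"}

# Constructed access map for the explicit style: subdomains handled separately.
EXPLICIT_STYLE = {"example.com": "OK", ".example.com": "REJECT"}

if __name__ == "__main__":
    for listed in (True, False):
        for table in (ALLOW_PARENT_ONLY, EXPLICIT_STYLE):
            for dom in ("example.com", "sub.example.com"):
                print(listed, sorted(table), dom,
                      check_access(table, dom, listed))
```

With the feature listed, the single `example.com OK` line also matches `sub.example.com`; with it removed, subdomains match only an explicit `.example.com` entry.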