Restrict users to local domain

SebS

Howdy,

do you guys have any best practice idea how to achieve this?

I have a bunch of user accounts that are only used for internal monitoring across on-premise and remote servers. Since it’s unavoidable to have account names and at times even credentials in config files, I want to restrict these users to only send to their own domain (any other user @example.com). I do not want anyone to be able to use these for spam if shit happens (never been the case, but wanna make sure).

How would you go about it, is there a way to achieve this via UI, do I need custom rspamd configurations and if so, does anyone have a working snippet to share?

thanks in advance,
S.

esackbauer

SebS that are only used for internal monitoring

What do you mean, are those accounts sending test mails, or are they notification mail sent to users of your domain?

SebS

Sorry for not being precise enough, I really need a vacation - 2 more days to get through ;-)

The accounts are sending status and/or warning mails (e.g. backup failed / resources running low and whatnot) to other accounts on the same domain.

So basically something like “backup-health@eample.com” sends to “monitoring@example.com” (or a couple other mailboxes used by different teams).

esackbauer

However, if those users have secure and long passwords which are not stored anywhere, how could they ever be leaked?
Its much much more likely that you will have something else compromised (like one of your regular users).

I would not create users for them (no user created, no user can be leaked), just allow relaying for these servers. add the IP address of the sending servers to the “Forwarding Hosts”. and instruct these servers to send notification mails on Port 25 without authentication and optionally with STARTTLS. You can select any mail address as sender as you like (from your domain)
This is how I do it.
Restricting further to allow to send to the local domain only I find to restrictive. Sometimes I have users outside my domain which should get notification mails, e.g. my Nextcloud users share a file or directory with someone else on a different mail server.