At the moment, our Postfix + Dovecot mail system has two types of users: those with a full account and those with only a forwarder.
Users with a full account are in the virtual_aliases table pointing to the local mailbox (e.g. [email protected] --> compuchip/, I'm not sure that's strictly necessary btw) and have some aliases (e.g. [email protected] --> compuchip).
Users with a forwarder have their personal account in the aliases table, and potentially aliases as well (e.g. [email protected] --> [email protected]) as well as [email protected] --> compuchip.
Because I'm forwarding a lot of spam to the last group of users we often get blacklisted and I want to shut this down. I decided that if users want to send and receive external mail I should just give them a mailbox. But if possible I would like that everyone can continue to be reached from "inside". Let me describe that more accurately:
if a user has a mailbox (the virtual aliases eventually resolve to a local destination) email from anyone should be accepted
if the user does not (all of their aliases point at other aliases or external domains) I only want to accept (and therefore relay) email originating from within my domain ([email protected])
I have DKIM / SPF / DMARC set up; could I do something with that? I think that forwarding nonlocal mail to a nonlocal recipient will fail SPF if I disable SRS, so could I just configure it to reject email in those cases?
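One way to implement the "mailbox vs. forwarder-only" split described in the question, as an added example that is not part of the original post and not the poster's configuration: walk the virtual alias table, follow each alias chain to its terminal destinations, and classify an address as a mailbox if any path ends in a local Dovecot user (a bare name without "@", as in the post), or as forward-only if every path ends at an external address. The forward-only addresses are then written into a `check_recipient_access` map that assigns them a Postfix restriction class. The table contents, the domain example.com and the class name internal_only are constructed for the example.

```python
"""Classify Postfix virtual-alias recipients and emit a recipient access map.

Added example (constructed data, not the poster's tables). Assumptions:
  - aliases map an address to a list of destinations (one row per destination);
  - a destination without "@" is a local mailbox (Dovecot user), as in the post;
  - anything with "@" that is not itself an alias is an external address.
"""

# Constructed virtual_aliases table: address -> destinations.
VIRTUAL_ALIASES = {
    "alice@example.com": ["alice"],                       # full account
    "alice.surname@example.com": ["alice@example.com"],   # alias of a mailbox
    "bob@example.com": ["bob@isp.invalid"],               # forwarder only
    "bob.surname@example.com": ["bob@example.com"],       # alias of a forwarder
    "team@example.com": ["alice@example.com", "bob@example.com"],  # mixed list
    "loop1@example.com": ["loop2@example.com"],           # alias loop
    "loop2@example.com": ["loop1@example.com"],
}


def is_local_mailbox(dest):
    """A bare user name (no '@') is delivered to a local Dovecot mailbox."""
    return "@" not in dest


def terminals(address, aliases):
    """Return the set of final destinations reachable from address.

    Follows alias chains iteratively; a visited set stops alias loops, so a
    pure loop yields an empty set instead of infinite recursion.
    """
    seen, stack, result = set(), [address], set()
    while stack:
        addr = stack.pop()
        if addr in seen:
            continue
        seen.add(addr)
        if addr not in aliases:
            result.add(addr)          # not an alias: mailbox or external
            continue
        stack.extend(aliases[addr])
    return result


def classify(address, aliases):
    """'mailbox' if any path ends locally, 'forward-only' if all end externally,
    'unresolvable' if the address only loops back on itself."""
    dests = terminals(address, aliases)
    if not dests:
        return "unresolvable"
    if any(is_local_mailbox(d) for d in dests):
        return "mailbox"   # note: a mixed list like team@ still forwards a copy
    return "forward-only"


def forward_only_recipients(aliases):
    """Sorted list of addresses that never resolve to a local mailbox."""
    return sorted(a for a in aliases if classify(a, aliases) == "forward-only")


def render_access_map(aliases, restriction_class="internal_only"):
    """Lines for a hash: check_recipient_access table (run postmap on the file).

    Assumed main.cf glue for the class (names are the example's own):
      smtpd_restriction_classes = internal_only
      internal_only = permit_mynetworks, permit_sasl_authenticated, reject
      smtpd_recipient_restrictions = ...,
          check_recipient_access hash:/etc/postfix/forward_only, ...
    """
    return "\n".join(f"{addr}\t{restriction_class}"
                     for addr in forward_only_recipients(aliases))


if __name__ == "__main__":
    for addr in VIRTUAL_ALIASES:
        print(f"{addr:28} {classify(addr, VIRTUAL_ALIASES)}")
    print(render_access_map(VIRTUAL_ALIASES))
```

The restriction class deliberately decides "originating from within my domain" by where the message comes from (`permit_mynetworks`, `permit_sasl_authenticated`) rather than by the envelope sender's domain: a `check_sender_access` match on your own domain would be satisfied by any outside host that forges the sender address, which is exactly the spam the question wants to stop. Addresses the script reports as unresolvable are alias loops worth fixing in the table rather than mapping.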