On 1/16/24 19:46, Viktor Dukhovni via Postfix-users wrote:
The classification of input addresses into address classes as part of
transport resolution happens in trivial-rewrite(8). This is why
changing relay_domains in smtpd(8) is ineffective.
Ahhh. That explains everything.
It works correctly, as intended. It does not seem to make much sense to
restrict submission on port 587 for a subset of addresses that any
unauthenticated external sender can target. Your "restricted" users
could just send to port 25 instead!
Mails to local recipients are blocked for port 25. That seems sensible
to me for an edge mailserver.
I am trying to setup a channel for training the spam filter with known
spam/ham mails sent in from internal users. Setting up a different port
seems the cleaner approach in order to separate that from the external
mail traffic with regards to logging, firewall setup, monitoring, etc.
That said, if this is what you actually need, instead of trying to set
an empty list of relay domains, set an empty list of valid relay
recipients, which is checked in smtpd(8):
master.cf:
submission inet ... smtpd
-o { relay_recipient_maps = inline:{@=@} }
...
because just "@" is never going to be a lookup key for a relay recipient
address. While an empty key is even more strongly never used, and the
form "inline:{=}" is presently accepted, I expect this is not
intentional. It would have to be documented, otherwise, at some point,
Postfix might reject empty keys in inline table definitiions.
That is a somewhat funky solution. :)
I think I will go with a simple recipient restriction with local
addresses instead. That seems clearer and in case I kick the bucket my
poor colleague taking over will have an easier time figuring out how it
all works.
Thank you, Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
