On 06.11.24 13:05, Florian Piekert via Postfix-users wrote:
> Following this idea, I would put
>
> mua_recipient_restrictions = permit_sasl_authenticated,
>     check_sender_access
>     btree:/etc/postfix/restricted_senders,
>     reject
>
> in main.cf
> and instead in master.cf
>
> submission inet n - y - - smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_tls_security_level=may
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_recipient_restrictions=$mua_recipient_restrictions
>   -o content_filter=smtp-amavis:[127.0.0.1]:10026
>
> Without the
>
> smtpd_sender_restrictions = check_sender_access
>     btree:$meta_directory/restricted_senders
>
> in main.cf sending is again possible and doesn't work as intended.

you need check_sender_access before permit_sasl_authenticated
- otherwise all authenticated users are permitted to send mail to
protected addresses.

> Or am I misunderstanding things/how it should work?

the "smtpd_sender_restrictions" and other options defined in main.cf apply
for all smtpd processes, including "smtp" service on port 22 and
"submission" service.
Those:
"-o smtpd_client_restrictions=..." and "-o smtpd_recipient_restrictions="
override settings from main.cf for particular service in master.cf
To use the same smtpd_recipient_restrictions for all smtp clients (remote servers
or clients) you can put single restrictions into main.cf.
To get back to your first problem, looking at your mail:
https://marc.info/?l=postfix-users&m=173083738628897&w=2
I still don't know why it did not work. You have already said you only have
your servers in $mynetworks. Did you have smtpd_recipient_restrictions
overridden in master.cf?
- If so, you can comment out those lines, I for example only override
smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_relay_restrictions
in master.cf:
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
- if not, what did your logs say?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
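
The two points made in this message (a master.cf `-o` value replaces the main.cf value for that service, and a check_*_access lookup placed after permit_sasl_authenticated is never reached by authenticated clients) can be checked mechanically. The following is an added example, not code from the thread or from Postfix: the sample configuration is constructed from the settings quoted above, the function names are hypothetical, and only the `-o name=value` form of master.cf overrides is handled.

```python
import re

# Constructed sample, modelled on the configuration quoted in the message above.
MAIN_CF = """\
mua_recipient_restrictions = permit_sasl_authenticated,
    check_sender_access btree:/etc/postfix/restricted_senders,
    reject
smtpd_sender_restrictions = check_sender_access btree:/etc/postfix/restricted_senders
"""
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
"""
PARAMS = [f"smtpd_{s}_restrictions" for s in ("client", "helo", "sender", "recipient", "relay")]

def logical_lines(text):
    """Drop comment/blank lines, then join lines that start with whitespace to the previous one."""
    kept = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return re.sub(r"\n[ \t]+", " ", "\n".join(kept)).splitlines()

def effective(overrides, main, param):
    """Restriction list a service really uses: a master.cf -o value wins over main.cf."""
    value = overrides.get(param, main.get(param, ""))
    for _ in range(10):  # expand $name / ${name} from main.cf, bounded against loops
        value = re.sub(r"\$\{?(\w+)\}?", lambda m: main.get(m.group(1), ""), value)
    return [t for t in re.split(r"[,\s]+", value) if t]

def shadowed(tokens):
    """check_*_access entries listed after permit_sasl_authenticated (first PERMIT ends the list)."""
    auth = "permit_sasl_authenticated"
    rest = tokens[tokens.index(auth) + 1:] if auth in tokens else []
    return [t for t in rest if re.fullmatch(r"check_\w+_access", t)]

def audit(main_text, master_text):
    """Map (service, parameter) to the access checks authenticated clients would skip."""
    main = {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in logical_lines(main_text))}
    findings = {}
    for line in logical_lines(master_text):
        service = "/".join(line.split()[:2])
        overrides = dict(re.findall(r"-o\s+(\w+)=(\S*)", line))
        for param in PARAMS:
            if hits := shadowed(effective(overrides, main, param)):
                findings[(service, param)] = hits
    return findings

if __name__ == "__main__":
    print(audit(MAIN_CF, MASTER_CF))
```

On a live system, `postconf -n` and `postconf -P` print the main.cf settings and the per-service master.cf overrides that such a check would consume.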