Thanks Victor.  Ok, so I:

        - removed .$mydomain from $mydestination
        - have set relay_domains = $mydestination, $mynetworks
        - have set parent_domain_matches_subdomains to its default
        - have added permit_mx_backup to smtpd_recipient_restrictions
        - set permit_mx_backup_networks = $mynetworks

but I'm still unable to have email accepted for MX'ed hosts or those hosts listed in my transport file due to "Relay access denied." Which, of these, or any other parameters, should I focus on to correct the denial? I've attached a fresh postconf -n for a more detailed & updated picture.

Regards,
                -Eric

Victor Duchovni wrote:
> On Fri, May 01, 2009 at 01:54:03PM -0400, Eric Cunningham wrote:
>
> > I think I've found a/the fix for re-enabling the original behavior of my transport maps and MX relaying. I added .$mydomain to mydestination in main.cf. This is in addition to $mydomain which was already in mydestination.
> >
> > $mydomain vs. .$mydomain is subtle but apparently important.
>
> Postfix will never search for ".example.com" domains in the
> $mydestination list, so this change has no effect. Perhaps in making
> this change you also triggered other changes that solved the problem.
>
> Now, in fact, if you don't set "relay_domains" explicitly, as a matter
> of regrettable backwards compatibility requirements, the value of
> $relay_domains defaults to "$mydestination" and in the context of
> "$relay_domains", ".example.com" keys do come into play given an
> appropriate setting of parent_domain_matches_subdomains.
>
> The right solution is to set relay_domains explicitly and correctly,
> rather than rely on side-effects from $mydestination.
>
> Secondly, it appears that you have changed the default value of
> parent_domain_matches_subdomains. You should review this parameter
> and make sure you understand its impact.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, ldap:ldap
anvil_rate_time_unit = 60s
append_dot_mydomain = yes
body_checks = pcre:/etc/postfix/access/body_access
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}.  Contact <postmas...@whoi.edu> if this is in error.
header_checks = pcre:/etc/postfix/access/header_access
html_directory = /usr/share/doc/postfix/html
mailbox_size_limit = 0
message_size_limit = 104857600
mydestination = $myhostname, $mydomain, postal1.$mydomain, outbox.$mydomain, mail.$mydomain, localhost.$mydomain, localhost.localdomain, localhost, beachcomberscompanion.net, whoi.net, oceansites.org, interridge.org
myhostname = postal1.whoi.edu
mynetworks = 128.128.0.0/16, 127.0.0.0/8, 199.92.168.150, 172.16.8.0/24
myorigin = $mydomain
parent_domain_matches_subdomains = 
permit_mx_backup_networks = $mynetworks
rbl_reply_maps = hash:/etc/postfix/access/dnsbl_replies
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, $mynetworks
relayhost = 
relocated_maps = hash:/etc/postfix/relocated
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_rate_limit = 60
smtpd_client_message_rate_limit = 250
smtpd_client_new_tls_session_rate_limit = 60
smtpd_client_recipient_rate_limit = 300
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access/connect_client_access
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
        check_recipient_access pcre:/etc/postfix/access/final_recipient_access,
        reject_unauth_pipelining,
        check_helo_access pcre:/etc/postfix/access/final_helo_access,
        check_client_access hash:/etc/postfix/access/final_client_access,
        check_sender_access pcre:/etc/postfix/access/final_sender_access,
        permit_mynetworks,
        permit_auth_destination,
        permit_mx_backup,
        reject_unknown_sender_domain,
        reject_unauth_destination,
        check_helo_access pcre:/etc/postfix/access/suspect_helo,
        reject_rbl_client autospam.whoi.edu,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client dnsbl.ahbl.org,
        reject_rbl_client http.dnsbl.sorbs.net,
        reject_rbl_client socks.dnsbl.sorbs.net,
        reject_rbl_client misc.dnsbl.sorbs.net,
        reject_rbl_client web.dnsbl.sorbs.net,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client combined.njabl.org,
        reject_rbl_client bhnc.njabl.org
smtpd_restriction_classes = require_reverse_dns
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/postfix/tls/DigiCertCA.crt
smtpd_tls_cert_file = /etc/postfix/tls/star_whoi_edu.crt
smtpd_tls_key_file = /etc/postfix/tls/private.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:vldap
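
The domain matching discussed in this thread, as an added example that is not part of the original messages and is a simplified model rather than Postfix code. It assumes mydomain = whoi.edu (derived from myhostname), uses a shortened mydestination, treats lab.whoi.edu as a hypothetical MX'ed host, and ignores virtual domains, permit_mx_backup and the other restrictions.

```python
import re

def expand(value, params, depth=0):
    """Substitute $name references, then split on commas and whitespace."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    new = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), value)
    if new != value:
        return expand(new, params, depth + 1)
    return [t.lower() for t in re.split(r"[,\s]+", new) if t]

def list_matches(domain, patterns, parent_matches_subdomains):
    """Model of the two subdomain-matching styles for a domain list."""
    for pat in patterns:
        if domain == pat:
            return True
        if parent_matches_subdomains:
            # Feature listed: "example.com" also covers "sub.example.com".
            if not pat.startswith(".") and domain.endswith("." + pat):
                return True
        elif pat.startswith(".") and domain.endswith(pat) and domain != pat:
            # Feature not listed: only ".example.com" covers subdomains.
            return True
    return False

def classify(rcpt_domain, params):
    """Return 'local', 'relay' or 'denied' for a recipient domain."""
    domain = rcpt_domain.lower()
    features = expand(params.get("parent_domain_matches_subdomains", ""), params)
    if domain in expand(params["mydestination"], params):  # exact names only
        return "local"
    relay = expand(params["relay_domains"], params)
    if list_matches(domain, relay, "relay_domains" in features):
        return "relay"
    return "denied"

# Constructed from the postconf -n output above; mydomain is an assumption.
POSTED = {
    "mydomain": "whoi.edu",
    "myhostname": "postal1.whoi.edu",
    "mydestination": "$myhostname, $mydomain, mail.$mydomain",
    "mynetworks": "128.128.0.0/16, 127.0.0.0/8",
    "relay_domains": "$mydestination, $mynetworks",
    "parent_domain_matches_subdomains": "",
}

if __name__ == "__main__":
    restored = dict(POSTED, parent_domain_matches_subdomains="relay_domains")
    dotted = dict(POSTED, relay_domains=".$mydomain")
    for name, cfg in (("posted", POSTED), ("restored", restored), ("dotted", dotted)):
        print(name, classify("lab.whoi.edu", cfg))
```

In this model the address ranges that $mynetworks adds to relay_domains never match a recipient domain, so they do not change any of the three results.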
