I've uploaded a non-production release with smtpd_relay_restrictions
support. For a preview of the documentation, see:

http://www.porcupine.org/postfix-mirror/SMTPD_ACCESS_README.html
http://www.porcupine.org/postfix-mirror/postconf.5.html#smtpd_relay_restrictions
http://www.porcupine.org/postfix-mirror/postconf.5.html#smtpd_recipient_restrictions

This being a critical feature, I have put in multiple safety nets
to ensure compatibility for sites that upgrade. The text below is
taken from the RELEASE_NOTES file.

Once the documentation bugs are fixed, and the safety nets are found
to work, this should be ready for production use.

        Wietse

[text from RELEASE_NOTES]

This version introduces the smtpd_relay_restrictions feature
for mail relay control. The built-in default value is:

    smtpd_relay_restrictions = 
        permit_mynetworks 
        permit_sasl_authenticated 
        reject_unauth_destination

With Postfix versions before 2.10, the rules for relay permission
and spam blocking were often intermingled under
smtpd_recipient_restrictions, resulting in error-prone configuration.

As of Postfix 2.10, relay permission rules are preferably implemented
with smtpd_relay_restrictions, so that a permissive spam blocking
policy under smtpd_recipient_restrictions will no longer result in
a permissive mail relay policy.

As usual, this new feature is introduced with safety nets to prevent
surprises when a site upgrades from an earlier Postfix release.

1 - FORWARD COMPATIBILITY SAFETY NET: the Postfix installation
    procedure adds an explicit smtpd_relay_restrictions entry to
    main.cf when there is none:

    smtpd_relay_restrictions = 
        permit_mynetworks 
        permit_sasl_authenticated 
        permit_auth_destination defer

    If your site has a complex mail relay policy under
    smtpd_recipient_restrictions, this safety net will defer mail
    that the built-in smtpd_relay_restrictions setting would bounce.
    To fix, either set smtpd_relay_restrictions empty, or copy the
    relay authorization policy from smtpd_recipient_restrictions.

    Otherwise, setting smtpd_relay_restrictions by hand to the
    default policy will suffice.

2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from
    Postfix versions before 2.10 can set smtpd_relay_restrictions
    to the empty value, and use smtpd_recipient_restrictions exactly
    as they used it before.
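The effect of an empty smtpd_relay_restrictions, the built-in default, and the installer's safety net, worked through on one relay attempt. This is an added example, not code from Postfix or from the original message: it is a simplified model of first-match list evaluation, and the check_sender_access whitelist, the recipient policy, and the sample requests are constructed for illustration.

```python
# Simplified model (assumption): within a list the first restriction that
# returns a decision ends that list; both lists are evaluated, and a REJECT
# or DEFER from either one is final. A PERMIT in one list does not skip the other.
RULES = {
    "permit_mynetworks": lambda r: "PERMIT" if r["in_mynetworks"] else None,
    "permit_sasl_authenticated": lambda r: "PERMIT" if r["sasl_auth"] else None,
    "permit_auth_destination": lambda r: "PERMIT" if r["auth_dest"] else None,
    "reject_unauth_destination": lambda r: None if r["auth_dest"] else "REJECT",
    "defer": lambda r: "DEFER",
    "check_sender_access": lambda r: "PERMIT" if r["whitelisted"] else None,
}

def evaluate(restrictions, req):
    """Return the first decision in one restriction list, or None."""
    for name in restrictions:
        decision = RULES[name](req)
        if decision:
            return decision
    return None

def decide(relay_list, recipient_list, req):
    """Combine both lists; list order does not change the outcome here."""
    for restrictions in (relay_list, recipient_list):
        decision = evaluate(restrictions, req)
        if decision in ("REJECT", "DEFER"):
            return decision
    return "PERMIT"

BUILTIN_DEFAULT = ["permit_mynetworks", "permit_sasl_authenticated",
                   "reject_unauth_destination"]
INSTALLER_SAFETY_NET = ["permit_mynetworks", "permit_sasl_authenticated",
                        "permit_auth_destination", "defer"]
# Constructed recipient policy: a spam whitelist placed ahead of the relay check.
RECIPIENT_POLICY = ["permit_mynetworks", "check_sender_access",
                    "reject_unauth_destination"]
# Constructed request: outside client, whitelisted sender, remote recipient.
OUTSIDE_RELAY = {"in_mynetworks": False, "sasl_auth": False,
                 "auth_dest": False, "whitelisted": True}
# Constructed request: same client, recipient in a domain this server handles.
OUTSIDE_LOCAL = dict(OUTSIDE_RELAY, auth_dest=True)

if __name__ == "__main__":
    for label, relay in [("empty", []), ("built-in default", BUILTIN_DEFAULT),
                         ("installer safety net", INSTALLER_SAFETY_NET)]:
        print(label, decide(relay, RECIPIENT_POLICY, OUTSIDE_RELAY),
              decide(relay, RECIPIENT_POLICY, OUTSIDE_LOCAL))
```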
