I think I got it.  The ordering is critical.  Thanks

smtpd_recipient_restrictions =
        # This will allow clients missing PTR records the ability to relay locally
        check_recipient_access hash:/etc/postfix/relay_domains
        # Reject all other clients missing PTR records from sending externally
        reject_unknown_reverse_client_hostname
        reject_unknown_recipient_domain
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        # Permit all other mail traffic both internally and externally
        permit_mynetworks
        reject_unauth_destination


/etc/postfix/relay_domains
mydomain.com        OK
myotherdomain.com OK



On Wed, Jan 23, 2013 at 11:21 AM, Tom Tucker <tktuc...@gmail.com> wrote:

>
> Stan,
> Thanks for the response.  This does work, however these clients are also
> able to send to domains outside my environment.  Let me try to clarify my
> scenario.
>
> Client: With PTR record = Full relay (internal & external domains)
> Client: No PTR record   = Relay for internal domains only
>
> Is it possible to configure Postfix to support this type of configuration?
>
> On Wed, Jan 23, 2013 at 5:38 AM, Stan Hoeppner <s...@hardwarefreak.com> wrote:
>
>> On 1/22/2013 8:52 PM, Tom Tucker wrote:
>> > I am struggling with a configuration that might be impossible.  Hopefully
>> > the list can help guide me.
>> >
>> > I want to allow internal systems the ability to relay emails to my domains
>> > even though they might get caught with
>> > 'reject_unknown_reverse_client_hostname'.  Possible?   If yes, I am unsure
>> > how to configure smtpd_sender_restrictions and smtpd_recipient_restrictions
>> > to support such.
>> >
>> >
>> > Current non-working configuration for this scenario
>> > ------------------------------------------------------------------------
>> > smtpd_sender_restrictions = permit_mynetworks,
>> > reject_unknown_sender_domain, reject_non_fqdn_sender
>> >
>> > smtpd_recipient_restrictions =  reject_unknown_reverse_client_hostname,
>> > reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname,
>> > reject_unauth_destination, reject_non_fqdn_recipient,
>> > reject_unknown_recipient_domain, reject_unverified_recipient
>>
>> Don't specify the separate restriction classes.  Put everything under
>> smtpd_recipient_restrictions.  This way you can manipulate the precise
>> order of your restrictions.  Remember, "first match wins".  If you
>> specify them separately you must put all permit actions at the start of
>> each class section.  Ergo each would need to start with
>> "permit_mynetworks".  Here's an example of the EURR method.  There is no
>> client, sender, or helo restriction section, only this:
>>
>> smtpd_recipient_restrictions =
>>         permit_mynetworks
>>         reject_unauth_destination
>>         reject_unknown_reverse_client_hostname
>>         reject_non_fqdn_sender
>>         reject_non_fqdn_helo_hostname
>>         reject_invalid_helo_hostname
>>         reject_unknown_helo_hostname
>>         reject_unlisted_recipient
>>         ...
>>
>> Using this method, permit_mynetworks will match your local hosts before
>> reject_unknown_reverse_client_hostname matches.  First match wins, and
>> you only have one class, so this solves your problem.
>>
>> --
>> Stan
>>
>
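
The ordering effect discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of "first match wins" that runs the same five sessions through Stan's ordering and through the final ordering at the top of the thread. Assumptions: the 10.0.0.0/8 mynetworks value, the client addresses and example.org are constructed; table lookups are exact-domain matches; reject_unauth_destination treats the two table domains as the only authorized destinations.

```python
# Simplified model of Postfix "first match wins" evaluation (added example).
# Unmodelled HELO/sender/recipient-validity checks are assumed to return DUNNO.
import ipaddress

MYNETWORKS = [ipaddress.ip_network("10.0.0.0/8")]       # constructed value
RELAY_DOMAINS = {"mydomain.com", "myotherdomain.com"}    # table from the thread

def rcpt_domain(s):
    return s["rcpt"].rsplit("@", 1)[1].lower()

def in_mynetworks(s):
    return any(ipaddress.ip_address(s["ip"]) in net for net in MYNETWORKS)

# Each restriction returns "OK", "REJECT" or None (DUNNO: keep evaluating).
RESTRICTIONS = {
    "check_recipient_access": lambda s: "OK" if rcpt_domain(s) in RELAY_DOMAINS else None,
    "reject_unknown_reverse_client_hostname": lambda s: None if s["ptr"] else "REJECT",
    "permit_mynetworks": lambda s: "OK" if in_mynetworks(s) else None,
    # Assumption: the table's domains are the only authorized destinations.
    "reject_unauth_destination": lambda s: None if rcpt_domain(s) in RELAY_DOMAINS else "REJECT",
}

STAN_ORDER = ["permit_mynetworks", "reject_unauth_destination",
              "reject_unknown_reverse_client_hostname"]
TOM_ORDER = ["check_recipient_access", "reject_unknown_reverse_client_hostname",
             "permit_mynetworks", "reject_unauth_destination"]
CASES = {  # constructed sessions: client IP, PTR present?, recipient
    "inside, PTR, external rcpt": {"ip": "10.1.1.5", "ptr": True, "rcpt": "a@example.org"},
    "inside, no PTR, own domain": {"ip": "10.1.1.6", "ptr": False, "rcpt": "a@mydomain.com"},
    "inside, no PTR, external rcpt": {"ip": "10.1.1.6", "ptr": False, "rcpt": "a@example.org"},
    "outside, no PTR, own domain": {"ip": "203.0.113.9", "ptr": False, "rcpt": "a@mydomain.com"},
    "outside, PTR, external rcpt": {"ip": "203.0.113.9", "ptr": True, "rcpt": "a@example.org"},
}

def evaluate(order, session):
    """Return (verdict, deciding restriction); first non-DUNNO result wins."""
    for name in order:
        verdict = RESTRICTIONS[name](session)
        if verdict is not None:
            return verdict, name
    return "OK", "end of list"  # nothing matched: the list permits by default

def run(order):
    return {label: evaluate(order, s) for label, s in CASES.items()}

if __name__ == "__main__":
    for title, order in (("Stan", STAN_ORDER), ("Tom", TOM_ORDER)):
        for label, (verdict, why) in run(order).items():
            print(f"{title:5} {label:32} {verdict:7} {why}")
```

In this model the `OK` from check_recipient_access applies to any client, so a host outside mynetworks with no PTR record is also accepted for the listed domains, and none of the later checks run for those recipients.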
