I think I got it. The ordering is critical. Thanks

smtpd_recipient_restrictions =
    # This will allow clients missing PTR records the ability to relay locally
    check_recipient_access hash:/etc/postfix/relay_domains
    # Reject all other clients missing PTR records from sending externally
    reject_unknown_reverse_client_hostname
    reject_unknown_recipient_domain
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    # Permit all other mail traffic both internally and externally
    permit_mynetworks
    reject_unauth_destination

/etc/postfix/relay_domains
mydomain.com        OK
myotherdomain.com   OK

On Wed, Jan 23, 2013 at 11:21 AM, Tom Tucker <tktuc...@gmail.com> wrote:

> Stan,
> Thanks for the response. This does work, however these clients are also
> able to send to domains outside my environment. Let me try to clarify my
> scenario.
>
> Client: With PTR record = Full relay (internal & external domains)
> Client: No PTR record = Relay for internal domains only
>
> Is it possible to configure Postfix to support this type of configuration?
>
> On Wed, Jan 23, 2013 at 5:38 AM, Stan Hoeppner <s...@hardwarefreak.com> wrote:
>
>> On 1/22/2013 8:52 PM, Tom Tucker wrote:
>> > I am struggling with a configuration that might be impossible. Hopefully
>> > the list can help guide me.
>> >
>> > I want to allow internal systems the ability to relay emails to my domains
>> > even though they might get caught with
>> > 'reject_unknown_reverse_client_hostname'. Possible? If yes, I am unsure
>> > how to configure smtpd_sender_restrictions and smtpd_recipient_restrictions
>> > to support such.
>> >
>> > Current non-working configuration for this scenario
>> > ------------------------------------------------------------------------
>> > smtpd_sender_restrictions = permit_mynetworks,
>> >     reject_unknown_sender_domain, reject_non_fqdn_sender
>> >
>> > smtpd_recipient_restrictions = reject_unknown_reverse_client_hostname,
>> >     reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname,
>> >     reject_unauth_destination, reject_non_fqdn_recipient,
>> >     reject_unknown_recipient_domain, reject_unverified_recipient
>>
>> Don't specify the separate restriction classes. Put everything under
>> smtpd_recipient_restrictions. This way you can manipulate the precise
>> order of your restrictions. Remember, "first match wins". If you
>> specify them separately you must put all permit actions at the start of
>> each class section. Ergo each would need to start with
>> "permit_mynetworks". Here's an example of the EURR method. There is no
>> client, sender, or helo restriction section, only this:
>>
>> smtpd_recipient_restrictions =
>>     permit_mynetworks
>>     reject_unauth_destination
>>     reject_unknown_reverse_client_hostname
>>     reject_non_fqdn_sender
>>     reject_non_fqdn_helo_hostname
>>     reject_invalid_helo_hostname
>>     reject_unknown_helo_hostname
>>     reject_unlisted_recipient
>>     ...
>>
>> Using this method, permit_mynetworks will match your local hosts before
>> reject_unknown_reverse_client_hostname matches. First match wins, and
>> you only have one class, so this solves your problem.
>>
>> --
>> Stan
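
Added example, not part of the original thread: a simplified Python model of "first match wins" evaluation that compares the ordering Stan suggested with the one Tom settled on. It models only four of the listed restrictions and assumes the two relay_domains entries are also the only domains the server accepts mail for; `example.org` is a constructed external domain.

```python
# Toy model of "first match wins" restriction evaluation; not Postfix code.
INTERNAL = {"mydomain.com", "myotherdomain.com"}  # the thread's relay_domains table

def check_recipient_access(c):
    # An access table hit returns OK (permit); anything else gives no decision.
    return "OK" if c["rcpt_domain"] in INTERNAL else None

def reject_unknown_reverse_client_hostname(c):
    return None if c["has_ptr"] else "REJECT"

def permit_mynetworks(c):
    return "OK" if c["in_mynetworks"] else None

def reject_unauth_destination(c):
    # Assumption: INTERNAL is also the set of domains this server accepts mail for.
    return None if c["rcpt_domain"] in INTERNAL else "REJECT"

RULES = {f.__name__: f for f in (check_recipient_access,
                                 reject_unknown_reverse_client_hostname,
                                 permit_mynetworks, reject_unauth_destination)}

# Orderings from the thread, reduced to the restrictions modelled above.
STAN = ["permit_mynetworks", "reject_unauth_destination",
        "reject_unknown_reverse_client_hostname"]
TOM = ["check_recipient_access", "reject_unknown_reverse_client_hostname",
       "permit_mynetworks", "reject_unauth_destination"]

def evaluate(order, client):
    """Return (verdict, deciding restriction); the first non-None result wins."""
    for name in order:
        verdict = RULES[name](client)
        if verdict:
            return verdict, name
    return "OK", "end of list"  # nothing matched: the mail is permitted

def client(in_mynetworks, has_ptr, rcpt_domain):
    return {"in_mynetworks": in_mynetworks, "has_ptr": has_ptr,
            "rcpt_domain": rcpt_domain}

if __name__ == "__main__":
    # Constructed cases covering every client/recipient combination.
    for label, order in (("STAN", STAN), ("TOM", TOM)):
        for net in (True, False):
            for ptr in (True, False):
                for dom in ("mydomain.com", "example.org"):
                    print(label, f"mynetworks={net} ptr={ptr} rcpt={dom}",
                          *evaluate(order, client(net, ptr, dom)))
```

In this model the access table's OK is also the deciding match for clients outside mynetworks, so mail to the listed domains is permitted before any of the later checks in the list are reached.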