> The smtpd_relay_restrictions is intended for relay decisions
> only[1]. In this case, that looks like it would be:
> 
> authenticated_smtpd_relay_restrictions =
>  permit_sasl_authenticated
>  reject_unauth_destination
> 
> (and I suggest plain old "reject", rather than
> "reject_unauth_destination" on the submission service to prevent
> outsiders from abusing it)
> 
> and those two directives could be removed from
> smtpd_recipient_restrictions.


Is this one right now?

master.cf:
193.239.107.42:submission inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix:587
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_banner=${smtpd_submission_banner}
    -o myhostname=mail.roessner-net.de
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_cert_file=/etc/ssl/certs/mail.roessner-net.de.pem
    -o smtpd_tls_key_file=/etc/ssl/private/mail.roessner-net.de.key.pem
    -o smtpd_tls_CAfile=/etc/ssl/certs/SSL123_CA_Bundle.pem
    -o smtpd_tls_security_level=encrypt
    -o always_add_missing_headers=yes
    -o smtpd_relay_restrictions=${authenticated_smtpd_relay_restrictions}
    -o smtpd_recipient_restrictions=${authenticated_smtpd_recipient_restrictions}
    -o smtpd_reject_footer=

main.cf:
authenticated_smtpd_relay_restrictions =
    check_sender_access pcre:${map}/sender_access.pcre,
    check_recipient_access ${mapidx}/reject_srvint_net,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    reject_unauthenticated_sender_login_mismatch,
    reject

authenticated_smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject

At least it works. I still do not understand the need for this new option :( I 
re-read things and see that using this new option is the preferred solution. 
But what was so bad with the "old" smtpd_recipient_restrictions?

Why does this not work, if I set:

authenticated_smtpd_relay_restrictions =
    check_sender_access pcre:${map}/sender_access.pcre,
    check_recipient_access ${mapidx}/reject_srvint_net,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    reject_unauthenticated_sender_login_mismatch,
    reject

authenticated_smtpd_recipient_restrictions =
    reject_unauth_destination

I would think that a user already got permission in the 
smtpd_relay_restrictions.

So for me this is still somewhat confusing :)

Kind regards

-Christian Rößner

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court of München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich
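
Added example, not part of the original message or of Postfix itself: a simplified Python model of the rule that each smtpd restriction list is evaluated on its own, so a permit in smtpd_relay_restrictions does not carry over into smtpd_recipient_restrictions. It assumes the failing case is an authenticated client sending to a remote recipient; the domain set, session values and function layout are constructed for illustration.

```python
# Simplified model of how Postfix evaluates restriction lists at RCPT TO.
# Added illustration; it omits the client/helo/sender lists and map lookups.
DUNNO, PERMIT, REJECT = "DUNNO", "PERMIT", "REJECT"

# Constructed stand-in for the domains the server is a destination or relay for.
LOCAL_DOMAINS = {"example.com"}

def permit_sasl_authenticated(session):
    return PERMIT if session["sasl_user"] else DUNNO

def reject_unauth_destination(session):
    domain = session["rcpt"].rsplit("@", 1)[-1].lower()
    return DUNNO if domain in LOCAL_DOMAINS else REJECT

def reject(session):
    return REJECT

def run_list(restrictions, session):
    """The first restriction returning PERMIT or REJECT ends this list only."""
    for restriction in restrictions:
        result = restriction(session)
        if result != DUNNO:
            return result
    return DUNNO  # falling off the end of a list does not reject

def rcpt_to(relay_list, recipient_list, session):
    """Both lists must pass; a PERMIT in one list does not skip the other."""
    for name, restrictions in (("relay", relay_list), ("recipient", recipient_list)):
        if run_list(restrictions, session) == REJECT:
            return f"REJECT by smtpd_{name}_restrictions"
    return "ACCEPT"

# The relay list from the message, reduced to its two deciding entries.
RELAY = [permit_sasl_authenticated, reject]
RECIPIENT_WORKING = [permit_sasl_authenticated, reject]
RECIPIENT_FAILING = [reject_unauth_destination]

# Constructed sessions.
AUTH_REMOTE = {"sasl_user": "alice", "rcpt": "bob@example.net"}
AUTH_LOCAL = {"sasl_user": "alice", "rcpt": "carol@example.com"}
ANON_LOCAL = {"sasl_user": None, "rcpt": "carol@example.com"}

if __name__ == "__main__":
    for label, rcpt_list in (("working", RECIPIENT_WORKING), ("failing", RECIPIENT_FAILING)):
        for session in (AUTH_REMOTE, AUTH_LOCAL, ANON_LOCAL):
            print(label, session["sasl_user"], session["rcpt"], rcpt_to(RELAY, rcpt_list, session))
```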
