On 7/5/2013 9:51 AM, Larry Stone wrote:
> On Fri, 5 Jul 2013, W T Riker wrote:
>
>> Indeed this is using port 587. I did not realize that that in itself was
>> sufficient to prevent relaying from non-authenticated clients. Thanks.
>
> It doesn't. If 587 is configured the same as 25, it will behave just
> like port 25. There is nothing special about port 587 other than how
> YOU configure it to be different.
>
> The key to understanding Postfix restrictions is they evaluate in
> order and the first to return a result other than DUNNO is what wins.
> A permit_xxxx restriction generally returns PERMIT or DUNNO. A
> reject_xxxx restriction generally returns REJECT or DUNNO. So if you
> have permit_sasl_authenticated as the first test in a group of
> restrictions (e.g. smtpd_recipient_restrictions), if the user is SASL
> authenticated, it returns PERMIT and the mail is accepted and, if not
> destined locally, relayed. All remaining tests in that group of
> restrictions are then skipped. If the user is not SASL authenticated,
> it returns DUNNO and goes on to the next restriction in that group. If
> that next restriction is reject_unauth_destination (which in case it's
> not clear to you is the restriction that prevents relaying), an
> unauthenticated user will not be permitted to relay.
>
> So in short, a restriction group that permits authenticated users to
> send anywhere and unauthenticated users to only send to domains for
> which Postfix is configured to accept mail would be:
> permit_sasl_authenticated, reject_unauth_destination. However, don't
> just do what we suggest; make sure you understand it and that it is
> doing what YOU want.
>
> -- Larry Stone
> lston...@stonejongleux.com

Thanks for that explanation. I think I understand the way it works now so I modified my restrictions a bit. Does this order pass the sniff test?
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain
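Larry's evaluation rule ("the first result other than DUNNO wins") modelled in Python, as an added example that is not part of this thread and not Postfix code. It implements a subset of the posted list so the effect of ordering can be checked offline: the mynetworks, mydestination and relay_domains values, the client sessions and the simplified FQDN test are all constructed assumptions, and `reject_unlisted_recipient`, `reject_invalid_helo_hostname` and the DNS-based `reject_unknown_*_domain` checks are left out because they need lookup tables or DNS. The same restrictions are evaluated in the posted order, with `reject_unauth_destination` moved ahead of the permits, and with no reject at all, to show which client gets which answer in each case.

```python
import ipaddress
from dataclasses import dataclass

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed stand-ins for main.cf values (assumptions, not a real site).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]
MYDESTINATION = {"example.com"}            # domains delivered locally
RELAY_DOMAINS = {"partner.example.org"}    # domains we relay for


@dataclass
class Session:
    """What smtpd knows about one RCPT TO when the restrictions run."""
    client_ip: str
    sasl_authenticated: bool
    sender: str       # MAIL FROM, "" for the null sender <>
    recipient: str    # RCPT TO


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _is_fqdn(domain: str) -> bool:
    # Simplified test: at least two non-empty labels ("example.com" yes, "localhost" no).
    labels = domain.split(".")
    return len(labels) >= 2 and all(labels)


# Each restriction answers PERMIT, REJECT or DUNNO ("no opinion"), as in Postfix.
def permit_mynetworks(s: Session) -> str:
    ip = ipaddress.ip_address(s.client_ip)
    return PERMIT if any(ip in net for net in MYNETWORKS) else DUNNO


def permit_sasl_authenticated(s: Session) -> str:
    return PERMIT if s.sasl_authenticated else DUNNO


def reject_unauth_destination(s: Session) -> str:
    # The anti-relay check: DUNNO for domains we accept mail for, REJECT otherwise.
    dom = _domain(s.recipient)
    return DUNNO if dom in MYDESTINATION or dom in RELAY_DOMAINS else REJECT


def reject_non_fqdn_recipient(s: Session) -> str:
    return DUNNO if _is_fqdn(_domain(s.recipient)) else REJECT


def reject_non_fqdn_sender(s: Session) -> str:
    if s.sender == "":           # the null sender is exempt from this check
        return DUNNO
    return DUNNO if _is_fqdn(_domain(s.sender)) else REJECT


RESTRICTIONS = {f.__name__: f for f in (
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    reject_non_fqdn_recipient, reject_non_fqdn_sender)}


def evaluate(restriction_list, session):
    """Walk the list left to right; the first non-DUNNO result wins.
    Reaching the end of the list is equivalent to PERMIT."""
    for name in restriction_list:
        result = RESTRICTIONS[name](session)
        if result != DUNNO:
            return result, name
    return PERMIT, "end-of-list"


# The posted order, minus the checks this model does not implement.
POSTED = ["reject_non_fqdn_recipient", "reject_non_fqdn_sender",
          "permit_mynetworks", "permit_sasl_authenticated",
          "reject_unauth_destination"]
# Same restrictions with the anti-relay check moved in front of the permits.
SWAPPED = ["reject_unauth_destination", "permit_mynetworks",
           "permit_sasl_authenticated"]
# Permits only: nothing can return REJECT, so the end-of-list PERMIT applies.
PERMITS_ONLY = ["permit_mynetworks", "permit_sasl_authenticated"]

# Constructed sessions using RFC 5737 documentation addresses.
OUTSIDER_TO_REMOTE = Session("203.0.113.9", False, "x@elsewhere.example", "y@victim.example")
OUTSIDER_TO_LOCAL = Session("203.0.113.9", False, "x@elsewhere.example", "bob@example.com")
ROAMING_USER_TO_REMOTE = Session("198.51.100.7", True, "bob@example.com", "y@victim.example")
LAN_TO_REMOTE = Session("192.168.1.20", False, "bob@example.com", "y@victim.example")
LAN_TO_NON_FQDN = Session("192.168.1.20", False, "bob@example.com", "root@localhost")

if __name__ == "__main__":
    for order_name, order in (("posted", POSTED), ("swapped", SWAPPED),
                              ("permits-only", PERMITS_ONLY)):
        for s in (OUTSIDER_TO_REMOTE, OUTSIDER_TO_LOCAL, ROAMING_USER_TO_REMOTE,
                  LAN_TO_REMOTE, LAN_TO_NON_FQDN):
            print(f"{order_name:13} {s.client_ip:14} -> {s.recipient:22}", evaluate(order, s))
```

Two things the model makes visible about the posted order: the `reject_non_fqdn_*` checks sit before `permit_mynetworks`, so they apply to LAN and authenticated clients as well, and everything after `reject_unauth_destination` is only ever reached by unauthenticated, non-mynetworks clients sending to your own domains. Both may be exactly what you want; the point is that position in the list, not the name of the restriction, decides who a check applies to, and a list that contains no reject at all falls off the end into PERMIT.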