My question is how to figure out why smtpd_relay_restrictions is being
used for local recipients.
(In the following, I've renamed the local domain name (which is listed
in mydestination) to example.com to prevent email harvesting.)
I upgraded a system from openSUSE 13.1 to 13.2 and got Postfix 2.11 as a
result. I noticed the introduction of smtpd_relay_restrictions, and
decided to set it. My first thought was to just set it to "reject" in
main.cf since originating email is supposed to use the submission port,
which can override smtpd_relay_restrictions in master.cf, but I ended up
setting it as follows just in case some software used port 25 instead of
587:

    smtpd_relay_restrictions =
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        reject_unknown_sender_domain
        permit_mynetworks
        permit_tls_clientcerts
        permit_sasl_authenticated
        reject

I then noticed that Postfix was rejecting incoming mail from the
internet to f...@example.com with
554 5.7.1 <f...@example.com>: Recipient address rejected: Access denied
in the log. Since this was for a domain name listed in mydestination, I
presumed that smtpd_relay_restrictions was not being used, but
eventually I realized that it was. I determined this by changing that
final "reject" to "defer" and noticing that the reject turned into a 454.
My question is why did it use smtpd_relay_restrictions instead of
smtpd_recipient_restrictions for a local address?
I tried setting debug_peer_list to see if it would give me a clue, but
the log entries after the RCPT TO weren't that meaningful to me:
< example.org[1.1.1.1]: RCPT TO:<f...@example.com>
extract_addr: input: <f...@example.com>
smtpd_check_addr: addr=f...@example.com
send attr request = rewrite
send attr rule = local
send attr address = f...@example.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 0
private/rewrite socket: wanted attribute: address
input attribute name: address
input attribute value: f...@example.com
private/rewrite socket: wanted attribute: (list terminator)
input attribute name: (end)
rewrite_clnt: local: f...@example.com -> f...@example.com
send attr request = resolve
send attr sender =
send attr address = f...@example.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 0
private/rewrite socket: wanted attribute: transport
input attribute name: transport
input attribute value: relay
private/rewrite socket: wanted attribute: nexthop
input attribute name: nexthop
input attribute value: example.com
private/rewrite socket: wanted attribute: recipient
input attribute name: recipient
input attribute value: f...@example.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 2048
private/rewrite socket: wanted attribute: (list terminator)
input attribute name: (end)
resolve_clnt: `' -> `f...@example.com' -> transp=`relay'
host=`example.com' rcpt=`f...@example.com' flags= class=relay
ctable_locate: install entry key f...@example.com
extract_addr: in: <f...@example.com>, result: f...@example.com
Clearly at the end it is saying "relay" but I don't know why.
local_recipient_maps is set to its default value
(proxy:unix:passwd.byname $alias_maps in the postconf output), and foo
is in /etc/passwd. chroot is not in use.
Simply deleting the smtpd_relay_restrictions setting in main.cf restores
things to a working state, but I would like to understand what is going
wrong.
Suggestions?
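
Added example, not part of the original post: a Python sketch that pulls the resolve_clnt result out of a debug_peer_list trace like the one above and flags recipients whose domain is expected to be local but was resolved into another address class. The function names, the second sample record and the expected_local set are assumptions made for illustration.

```python
import re

# Constructed sample: the resolve_clnt record from the post, wrapped across
# two lines as it appears there, plus one constructed record for contrast.
SAMPLE = """\
rewrite_clnt: local: f...@example.com -> f...@example.com
resolve_clnt: `' -> `f...@example.com' -> transp=`relay'
host=`example.com' rcpt=`f...@example.com' flags= class=relay
ctable_locate: install entry key f...@example.com
resolve_clnt: `' -> `bar@example.net' -> transp=`local' host=`mail.example.net' rcpt=`bar@example.net' flags= class=local
"""

# Field layout follows the resolve_clnt line shown in the post. \s+ between
# fields lets a record match whether or not it was wrapped onto a second line.
RECORD = re.compile(
    r"resolve_clnt: `(?P<sender>[^']*)' -> `(?P<addr>[^']*)' -> "
    r"transp=`(?P<transport>[^']*)'\s+host=`(?P<nexthop>[^']*)'\s+"
    r"rcpt=`(?P<rcpt>[^']*)'\s+flags=(?P<flags>\S*)\s+class=(?P<cls>\w+)"
)

def parse_resolve(log_text):
    """Return one dict per resolve_clnt record found in the trace."""
    return [m.groupdict() for m in RECORD.finditer(log_text)]

def unexpected_class(records, expected_local):
    """Records whose recipient domain should be local but resolved otherwise.

    expected_local is a hypothetical set of domains the operator believes
    are covered by mydestination.
    """
    hits = []
    for r in records:
        domain = r["rcpt"].rpartition("@")[2].lower()
        if domain in expected_local and r["cls"] != "local":
            hits.append((r["rcpt"], r["cls"], r["transport"], r["nexthop"]))
    return hits

if __name__ == "__main__":
    recs = parse_resolve(SAMPLE)
    for rcpt, cls, transport, nexthop in unexpected_class(
            recs, {"example.com", "example.net"}):
        print(f"{rcpt}: class={cls} transport={transport} nexthop={nexthop}")
```

A hit means the trivial-rewrite service classified the recipient's domain as something other than local, which points the investigation at the domain-list settings rather than at the smtpd restriction lists.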