Viktor and I are in agreement here. The smtpd_relay_restrictions should be kept as simple as possible to prevent accidents.
It's too easy to make a mistake in a check_*_access table and inadvertently create an open relay. That's why smtpd_relay_restrictions was invented. It's fine to have a policy to restrict the domain used in outgoing mail, but that policy does not belong in smtpd_relay_restrictions. The whole purpose of smtpd_relay_restrictions is to avoid the historically user-error-prone lookup tables and make the simplest possible yes/no relay decision.

  -- Noel Jones

On 3/9/2015 12:53 PM, Sebastian Nielsen wrote:
> I have noticed some automated open relay testing services do "fail"
> a domain if it rejects a relay too early (eg in MAIL FROM).
>
> And you are a bit wrong with IP address lookup. Yes,
> check_sender_access does not itself look up IPs.
> But the rules I listed will effectively "expand" to the rule:
>
> smtpd_relay_restrictions = permit_mynetworks, reject,
> reject_unauth_destination
>
> for any mail having a FROM ending in <YOUR_DOMAIN> or the IP literal
> of your mailserver, effectively preventing anyone from using your
> domain as MAIL FROM, regardless of internal or external mail, if the
> client is not inside "mynetworks", so the IP lookups are made by the
> rule lookup engine.
>
> If the FROM is "incorrect", then the relay rule "expands" to:
> smtpd_relay_restrictions = reject_unauth_destination
> effectively preventing *anyone* relaying, but allowing anyone to
> send mail that is destined for the mail server itself.
>
> Eg, only valid FROM is allowed to relay, in *addition* to having an
> acceptable client IP.
> So how are the rules "fragile"? Either the relay is only accepted
> inside "mynetworks" or it is never accepted, eg there's no
> possibility for the server to become an open relay since there's
> nothing in check_sender_access that would PERMIT the mail before
> reject_unauth_destination unless
> the client is inside mynetworks.
>
>
> -----Original Message----- From: Viktor Dukhovni
> Sent: Monday, March 09, 2015 6:40 PM
> To: postfix-users@postfix.org
> Subject: Re: smtpd_relay_restrictions in Postfix 2.11.3 on openSUSE
> 13.2 causes mail to local domain to be rejected
>
> On Mon, Mar 09, 2015 at 05:56:20PM +0100, Sebastian Nielsen wrote:
>
>> I would instead suggest setting the relay access to:
>>
>> check_sender_access hash:/etc/postfix/relay_auth,
>> reject_unauth_destination
>>
>> where /etc/postfix/relay_auth is:
>> <YOUR_DOMAIN> permit_mynetworks, reject
>> [<EXTERNAL_IP_OF_SMTP_SERVER>] permit_mynetworks, reject
>
> Those are NOT relay control rules, they are anti-spoofing rules at
> best. They do not belong in relay restrictions.
>
> Sender based rules are too fragile in relay controls. And of course
> nothing in Postfix will do IP address lookups with check_sender_access.
>
> Any such rules (written with more care) can instead go in
> smtpd_sender_restrictions.
>
> smtpd_sender_restrictions =
>     check_sender_access <some-table-for-your-domains>
>     <rules for other senders>
>
> Keep the relay restrictions *simple*, just avoid being
> an open relay. Other policy controls go elsewhere.
>
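
Added example, not part of the original thread and not Postfix code: a simplified Python model of first-match restriction evaluation, showing the failure mode described in the reply above, where a one-word mistake in a check_sender_access table used in smtpd_relay_restrictions lets any client relay by claiming the listed sender domain. The networks, domains, addresses and the `TABLE_WITH_SLIP` entry are constructed assumptions.

```python
import ipaddress

# Simplified model of first-match restriction evaluation; only the
# restrictions named in this thread are modelled. All values are constructed.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com"}

def _walk(names, client_ip, sender, rcpt, table):
    """Return PERMIT, REJECT, or DUNNO (no decision, keep going)."""
    for name in names:
        if name == "permit_mynetworks":
            if any(ipaddress.ip_address(client_ip) in n for n in MYNETWORKS):
                return "PERMIT"
        elif name == "reject_unauth_destination":
            if rcpt.rsplit("@", 1)[1] not in MYDESTINATION:
                return "REJECT"
        elif name == "reject":
            return "REJECT"
        elif name == "OK":
            return "PERMIT"
        elif name == "check_sender_access":
            action = table.get(sender.rsplit("@", 1)[1])
            if action:
                # Table right-hand sides are themselves restriction lists.
                inner = [a.strip() for a in action.split(",")]
                result = _walk(inner, client_ip, sender, rcpt, table)
                if result != "DUNNO":
                    return result
    return "DUNNO"

def relay_decision(restrictions, client_ip, sender, rcpt, table=None):
    """A list that ends without a decision permits, as in Postfix."""
    result = _walk(restrictions, client_ip, sender, rcpt, table or {})
    return "REJECT" if result == "REJECT" else "PERMIT"

SIMPLE = ["permit_mynetworks", "reject_unauth_destination"]
TABLE_BASED = ["check_sender_access", "reject_unauth_destination"]
TABLE_AS_POSTED = {"example.com": "permit_mynetworks, reject"}
TABLE_WITH_SLIP = {"example.com": "OK"}  # hypothetical one-word editing mistake

if __name__ == "__main__":
    # Client outside mynetworks, claimed local sender, external recipient.
    outside = ("203.0.113.9", "user@example.com", "someone@example.net")
    print("simple list:    ", relay_decision(SIMPLE, *outside))
    print("table as posted:", relay_decision(TABLE_BASED, *outside, TABLE_AS_POSTED))
    print("table with slip:", relay_decision(TABLE_BASED, *outside, TABLE_WITH_SLIP))
```

With the simple list there is no table to get wrong: the only inputs to the relay decision are the client address and the recipient domain, neither of which the MAIL FROM value can influence.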