Good day,

Why does Postfix accept mail to 'RCPT TO: <Postmaster>' on the submission
port, even when smtpd_recipient_restrictions are set to
permit_sasl_authenticated,reject? This is postfix-2.11.0 on Ubuntu
trusty. An excerpt from the SMTP session and the configs are below.

$ openssl s_client -connect mail.my-domain.com:587 -starttls smtp -quiet
250 DSN
EHLO localhost
250-mail.my-domain.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <m...@example.com>
250 2.1.0 Ok
RCPT TO: <postmas...@my-domain.com>
554 5.7.1 <postmas...@my-domain.com>: Recipient address rejected: Access denied
RCPT TO: <Postmaster>
250 2.1.5 Ok

$ postconf -n
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
default_database_type = cdb
disable_vrfy_command = yes
mailbox_size_limit = 0
message_size_limit = 104857600
mydestination = localhost.localdomain localhost
myhostname = mail.my-domain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = mail.my-domain.com
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = swl.spamhaus.org*-5 list.dnswl.org=127.0.[2..14].[2..3]*-5 zen.spamhaus.org*2 bl.spameatingmonkey.net*2 bl.mailspike.net*2 bl.spamcop.net truncate.gbudb.net psbl.surriel.com rbl.megarbl.net
postscreen_dnsbl_threshold = 5
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
receive_override_options = no_address_mappings
relay_domains =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = reject_unknown_reverse_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname warn_if_reject reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/local/mail.my-domain.com.bundle.crt
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_key_file = /etc/ssl/private/mail.my-domain.com.key
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
strict_rfc821_envelopes = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = cdb:/etc/postfix/virtual
virtual_mailbox_domains = my-domain.com my-domain-2.com
virtual_transport = lmtp:unix:private/dovecot-lmtp

$ postconf -Mf
smtp       inet  n       -       -       -       1       postscreen
smtpd      pass  -       -       -       -       -       smtpd
dnsblog    unix  -       -       -       -       0       dnsblog
submission inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_mandatory_ciphers=high
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
pickup     unix  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
retry      unix  -       -       -       -       -       error
discard    unix  -       -       -       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       -       -       -       lmtp
anvil      unix  -       -       -       -       1       anvil
scache     unix  -       -       -       -       1       scache
amavisfeed unix  -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_relay_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o local_header_rewrite_clients=

-- 
juodumas
