<added a subject to my previous message, sorry about the noise>

juodu...@gmail.com wrote:
> Good day,
> 
> Why does postfix accept mail to 'RCPT TO: <Postmaster>' on the submission
> port, even when smtpd_recipient_restrictions are set to
> permit_sasl_authenticated,reject? It's postfix-2.11.0 on Ubuntu
> trusty. An excerpt from the SMTP session and the configs are below.
> 
> $ openssl s_client -connect mail.my-domain.com:587 -starttls smtp -quiet
> 250 DSN
> EHLO localhost
> 250-mail.my-domain.com
> 250-PIPELINING
> 250-SIZE 104857600
> 250-ETRN
> 250-AUTH PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> MAIL FROM: <m...@example.com>
> 250 2.1.0 Ok
> RCPT TO: <postmas...@my-domain.com>
> 554 5.7.1 <postmas...@my-domain.com>: Recipient address rejected: Access denied
> RCPT TO: <Postmaster>
> 250 2.1.5 Ok
> 
> $ postconf -n
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> default_database_type = cdb
> disable_vrfy_command = yes
> mailbox_size_limit = 0
> message_size_limit = 104857600
> mydestination = localhost.localdomain localhost
> myhostname = mail.my-domain.com
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = mail.my-domain.com
> postscreen_dnsbl_action = drop
> postscreen_dnsbl_sites = swl.spamhaus.org*-5 list.dnswl.org=127.0.[2..14].[2..3]*-5 zen.spamhaus.org*2 bl.spameatingmonkey.net*2 bl.mailspike.net*2 bl.spamcop.net truncate.gbudb.net psbl.surriel.com rbl.megarbl.net
> postscreen_dnsbl_threshold = 5
> postscreen_dnsbl_whitelist_threshold = -1
> postscreen_greet_action = enforce
> receive_override_options = no_address_mappings
> relay_domains =
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_client_restrictions = reject_unknown_reverse_client_hostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_helo_hostname warn_if_reject reject_unknown_helo_hostname
> smtpd_recipient_restrictions = permit_mynetworks reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unauth_destination
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
> smtpd_sender_restrictions = reject_unknown_sender_domain
> smtpd_tls_cert_file = /etc/ssl/local/mail.my-domain.com.bundle.crt
> smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
> smtpd_tls_key_file = /etc/ssl/private/mail.my-domain.com.key
> smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
> smtpd_tls_protocols = !SSLv2 !SSLv3
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> strict_rfc821_envelopes = yes
> tls_ssl_options = NO_COMPRESSION
> virtual_alias_maps = cdb:/etc/postfix/virtual
> virtual_mailbox_domains = my-domain.com my-domain-2.com
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> 
> $ postconf -Mf
> smtp       inet  n       -       -       -       1       postscreen
> smtpd      pass  -       -       -       -       -       smtpd
> dnsblog    unix  -       -       -       -       0       dnsblog
> submission inet  n       -       -       -       -       smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_security_level=encrypt
>     -o smtpd_tls_mandatory_ciphers=high
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_data_restrictions=
>     -o smtpd_end_of_data_restrictions=
>     -o smtpd_recipient_restrictions=
>     -o smtpd_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
> pickup     unix  n       -       -       60      1       pickup
> cleanup    unix  n       -       -       -       0       cleanup
> qmgr       unix  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       -       1000?   1       tlsmgr
> rewrite    unix  -       -       -       -       -       trivial-rewrite
> bounce     unix  -       -       -       -       0       bounce
> defer      unix  -       -       -       -       0       bounce
> trace      unix  -       -       -       -       0       bounce
> verify     unix  -       -       -       -       1       verify
> flush      unix  n       -       -       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       -       -       -       smtp
> relay      unix  -       -       -       -       -       smtp
> showq      unix  n       -       -       -       -       showq
> error      unix  -       -       -       -       -       error
> retry      unix  -       -       -       -       -       error
> discard    unix  -       -       -       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       -       -       -       lmtp
> anvil      unix  -       -       -       -       1       anvil
> scache     unix  -       -       -       -       1       scache
> amavisfeed unix  -       -       n       -       2       lmtp
>     -o lmtp_data_done_timeout=1200
>     -o lmtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes
>     -o max_use=20
> 127.0.0.1:10025 inet n   -       n       -       -       smtpd
>     -o content_filter=
>     -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_data_restrictions=
>     -o smtpd_end_of_data_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o smtpd_relay_restrictions=
>     -o mynetworks=127.0.0.0/8
>     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>     -o smtpd_error_sleep_time=0
>     -o smtpd_soft_error_limit=1001
>     -o smtpd_hard_error_limit=1000
>     -o smtpd_client_connection_count_limit=0
>     -o smtpd_client_connection_rate_limit=0
>     -o local_header_rewrite_clients=

-- 
juodumas
