On 4/7/2016 7:44 AM, John Allen wrote:
> I am trying to work out what parameters to add to
> smtpd_relay_restrictions, both in main.cf and master.cf.
>
> 1. We do not allow relaying by any means!
> 2. In-house users must be registered, use our domains and port 587
>    (submission) to send.
>    I use check_sender_access with a table in the form
>    "example.com permit_sasl_authenticated, reject" to enforce
>    these rules (thanks to a Sebastian Nielsen for the idea) in the
>    submission section of master.cf.
> 3. We accept mail from the rest of the world on port 25 (smtp).
>
> Currently in main.cf I have reject_unauth_destination as the only
> parameter of smtpd_relay_restrictions.
>
> In master.cf I have had to add permit_sasl_authenticated, reject to
> the smtpd_relay_restrictions, this seems to be odd as I am using a
> more "restrictive" version of this in recipient_ restrictions. If I
> leave it blank/unset all mail on 587 gets rejected with "An error
> occurred while sending mail. The mail server responded: 5.7.1
> <j...@klam.ca>: Recipient address rejected: Access denied.
> Please check the message recipient "j...@klam.ca" and try again.
>
> What would be a better set of parameters for both main.cf and
> master.cf.

The Postfix built-in open relay check can't see inside your check_sender_access map, so it complains about missing relay protection. Adding a ", reject" to the end of your smtpd_recipient_restrictions should allow you to use an empty smtpd_relay_restrictions. This will also ensure that clients not using your domain as sender will be rejected.

  -o {smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/maps/submission_access, reject}
  -o smtpd_relay_restrictions=

-- Noel Jones
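
The effect of the trailing reject suggested above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of first-match restriction evaluation. It assumes a domain-only table lookup and uses constructed table contents and sender addresses.

```python
# Added illustration: simplified model of Postfix's first-match restriction
# evaluation. Not Postfix code; lookups are by sender domain only (assumption).

# Constructed stand-in for the submission_access table described in the thread.
SUBMISSION_ACCESS = {"example.com": ["permit_sasl_authenticated", "reject"]}

WITH_REJECT = ["check_sender_access", "reject"]   # list suggested in the reply
WITHOUT_REJECT = ["check_sender_access"]          # same list, no trailing reject


def evaluate(restrictions, sender, sasl_authenticated, access_map):
    """Walk the list in order; return PERMIT, REJECT, or DUNNO (no decision)."""
    for name in restrictions:
        if name == "reject":
            return "REJECT"
        if name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "PERMIT"
        elif name == "check_sender_access":
            domain = sender.rsplit("@", 1)[-1].lower()
            action = access_map.get(domain)
            if action is not None:
                # The table's right-hand side is itself a restriction list.
                result = evaluate(action, sender, sasl_authenticated, access_map)
                if result != "DUNNO":
                    return result
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "DUNNO"  # nothing in this list made a decision


def decision_table(restrictions):
    """Evaluate four constructed clients: own/foreign sender, with/without SASL."""
    cases = [("user@example.com", True), ("user@example.com", False),
             ("user@other.test", True), ("user@other.test", False)]
    return {case: evaluate(restrictions, case[0], case[1], SUBMISSION_ACCESS)
            for case in cases}


if __name__ == "__main__":
    for label, rules in (("with reject", WITH_REJECT),
                         ("without reject", WITHOUT_REJECT)):
        print(label)
        for (sender, authed), verdict in decision_table(rules).items():
            print(f"  sender={sender:<18} sasl={authed!s:<5} -> {verdict}")
```

In the model, only an authenticated client using a listed sender domain is permitted; without the trailing reject, senders outside the table leave the list undecided.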