On 2016-04-07 2:47 PM, Noel Jones wrote:
On 4/7/2016 7:44 AM, John Allen wrote:
I am trying to work out what parameters to add to
smtpd_relay_restrictions, both in main.cf and master.cf.
1. We do not allow relaying by any means!
2. In-house users must be registered, use our domains and port 587
(submission) to send.
I use check_sender_access with a table in the form
"example.com permit_sasl_authenticated, reject" to enforce
these rules (thanks to a Sebastian Nielsen for the idea) in the
submission section of master.cf.
3. We accept mail from the rest of the world on port 25 (smtp).
Currently in main.cf I have reject_unauth_destination as the only
parameter of smtpd_relay_restrictions.
In master.cf I have had to add permit_sasl_authenticated, reject to
the smtpd_relay_restrictions, this seems to be odd as I am using a
more "restrictive" version of this in recipient_restrictions. If I
leave it blank/unset all mail on 587 gets rejected with "An error
occurred while sending mail. The mail server responded: 5.7.1
<j...@klam.ca>: Recipient address rejected: Access denied.
Please check the message recipient "j...@klam.ca" and try again."
What would be a better set of parameters for both main.cf and
master.cf?
The postfix built-in open relay check can't see inside your
check_sender_access map, so it complains about missing relay
protection.
Adding a ,reject to the end of your smtpd_recipient_restrictions
should allow you to use an empty smtpd_relay_restrictions. This
will also ensure that clients not using your domain as sender will
be rejected.
  -o {smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/maps/submission_access, reject}
  -o smtpd_relay_restrictions=
It does not seem to be working as expected! To test this out I am using
the family's domain klam.ca and server imap/smtp.klam.ca. I set up a
fake user 'harry' whose email address was ha...@klam.biz. I set him up
on Thunderbird with imap/smtp.klam.biz. However, if I change Harry's
config under Thunderbird to use imap/smtp.klam.ca and try to send then I
get asked for Harry's authentication.
I asked for a password in both cases, this seems a little odd as
klam.biz is not in the check_sender_access table and I thought that if
the domain was not in the lookup table then the email would be rejected
before authentication would be attempted.
What am I missing? What am I doing wrong? What don't I understand (re
Postfix, my wife tells me all the other things I don't understand)?
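
A simplified model of how the restriction list suggested above is evaluated, as an added example that is not part of the original thread and not Postfix's own code. The map contents and sender addresses are constructed, only the restrictions named in the thread are modelled, and the verdict is the one reached at RCPT TO, which comes after any AUTH exchange in the SMTP session.

```python
# Simplified model (assumption): only the restrictions used in the thread are
# implemented, and the access map is keyed on the sender domain alone.

# Constructed stand-in for hash:/etc/postfix/maps/submission_access.
SUBMISSION_ACCESS = {"klam.ca": ["permit_sasl_authenticated", "reject"]}

# Restriction list from the suggested "-o" override for the submission service.
RECIPIENT_RESTRICTIONS = ["check_sender_access", "reject"]


def evaluate(restrictions, sender, authenticated, access_map):
    """Walk a restriction list left to right; the first decisive result wins."""
    for name in restrictions:
        if name == "reject":
            return "REJECT"
        if name == "permit_sasl_authenticated":
            if authenticated:
                return "PERMIT"
        elif name == "check_sender_access":
            domain = sender.rpartition("@")[2].lower()
            action = access_map.get(domain)
            if action is not None:
                # The map's right-hand side is itself a restriction list.
                verdict = evaluate(action, sender, authenticated, access_map)
                if verdict != "DUNNO":
                    return verdict
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "DUNNO"  # nothing decisive; a later restriction list would decide


def rcpt_verdict(sender, authenticated):
    """Decision at RCPT TO, where smtpd_recipient_restrictions are applied."""
    return evaluate(RECIPIENT_RESTRICTIONS, sender, authenticated,
                    SUBMISSION_ACCESS)


# Constructed test senders: a listed domain and an unlisted one.
CASES = [("user@klam.ca", True), ("user@klam.ca", False),
         ("user@klam.biz", True), ("user@klam.biz", False)]

if __name__ == "__main__":
    for sender, authed in CASES:
        print(f"{sender:15} authenticated={authed!s:5} -> "
              f"{rcpt_verdict(sender, authed)}")
```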