No, authentication is always attempted. So even if there's no permit_sasl_authenticated in the rules stack, you can still authenticate (if SASL is enabled) and gain "authenticated" rights, which would then be no more than "guest" rights.
So to correctly try out the tables, you would need to try to send out a mail with a "fake" MAIL FROM and a "real" MAIL FROM. The "fake" MAIL FROM should get rejected even if you are authenticated. The "real" MAIL FROM should get accepted if you are authenticated, else it should get rejected as well.

-----Original message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of John Allen
Sent: 8 April 2016 21:27
To: postfix-users@postfix.org
Subject: Re: smtp_relay_restrictions

On 2016-04-07 2:47 PM, Noel Jones wrote:
> On 4/7/2016 7:44 AM, John Allen wrote:
>> I am trying to work out what parameters to add to
>> /smtpd_relay_restrictions/, both in main.cf and master.cf.
>>
>> 1. We do not allow relaying by any means!
>> 2. In-house users must be registered, use our domains and port 587
>>    (submission) to send.
>>    I use /check_sender_access/ with a table in the form
>>    "example.com permit_sasl_authenticated, reject" to enforce
>>    these rules (thanks to a Sebastian Nielsen for the idea) in the
>>    submission section of master.cf.
>> 3. We accept mail from the rest of the world on port 25 (smtp).
>>
>> Currently in main.cf I have reject_unauth_destination as the only
>> parameter of smtpd_relay_restrictions.
>>
>> In master.cf I have had to add permit_sasl_authenticated, reject to
>> the smtpd_relay_restrictions, this seems to be odd as I am using a
>> more "restrictive" version of this in recipient_restrictions. If I
>> leave it blank/unset all mail on 587 gets rejected with "An error
>> occurred while sending mail. The mail server responded: 5.7.1
>> <j...@klam.ca>: Recipient address rejected: Access denied.
>> Please check the message recipient "j...@klam.ca" and try again."
>>
>> What would be a /better/ set of parameters for both main.cf and
>> master.cf.
> The postfix built-in open relay check can't see inside your
> check_sender_access map, so it complains about missing relay
> protection.
>
> Adding a ,reject to the end of your smtpd_recipient_restrictions
> should allow you to use an empty smtpd_relay_restrictions. This will
> also insure that clients not using your domain as sender will be
> rejected.
>
>   -o {smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/maps/submission_access, reject}
>   -o smtpd_relay_restrictions=
>

It does not seem to be working as expected!

To test this out I am using the family's domain klam.ca and server imap/smtp.klam.ca. I set up a fake user 'harry' whose email address was ha...@klam.biz. I set him up on Thunderbird with imap/smtp.klam.biz.

However, if I change Harry's config under Thunderbird to use imap/smtp.klam.ca and try to send then I get asked for Harry's authentication. I asked for a password in both cases, this seems a little odd as klam.biz is not in the check_sender_access table and I thought that if the domain was not in the lookup table then the email would be rejected before authentication would be attempted.

What am I missing? What am I doing wrong? What don't I understand (re Postfix, my wife tells me all the other things I don't understand)?
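Added example, not part of the original thread: the four-case test described at the top of this message (real or fake MAIL FROM, with or without authentication), with a simplified model of the submission rule `check_sender_access <table>, reject` giving the expected verdict and a `probe` helper that collects the actual RCPT TO reply code from a live server. The function names, the exact-domain-only lookup and the sample addresses are assumptions made for illustration.

```python
import smtplib

# Constructed sample table, in the form quoted in the thread:
#   example.com   permit_sasl_authenticated, reject
SENDER_ACCESS = {"example.com": ["permit_sasl_authenticated", "reject"]}


def expected(sender, authenticated, table=SENDER_ACCESS):
    """Simplified model (assumption: exact sender-domain match only) of
    smtpd_recipient_restrictions = check_sender_access <table>, reject
    Returns "permit" or "reject"."""
    domain = sender.rsplit("@", 1)[-1].lower()
    for action in table.get(domain, []):       # sender domain is listed
        if action == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if action == "reject":
            return "reject"
    return "reject"                            # trailing ", reject" catches everyone else


def probe(host, sender, rcpt, user=None, password=None, port=587):
    """Run one case against a live submission service; return the RCPT TO code."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.starttls()
        s.ehlo()
        if user:
            s.login(user, password)            # AUTH comes before MAIL FROM,
                                               # so it succeeds for any valid account
        s.mail(sender)
        code, _ = s.rcpt(rcpt)                 # recipient restrictions answer here
        return code                            # 250 = accepted, 5xx = rejected


def matrix(real="user@example.com", fake="user@example.net"):
    """The four cases to run, each with the verdict the table should produce."""
    return [(snd, auth, expected(snd, auth))
            for snd in (real, fake) for auth in (True, False)]


if __name__ == "__main__":
    for snd, auth, verdict in matrix():
        print(f"MAIL FROM:<{snd}> authenticated={auth} -> expect {verdict}")
```

Compare each `probe` result with the matching `matrix` row: a 250 where the model says reject means the submission service accepts a sender it should not.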