Not quite what I was looking for. What I was hoping for was if
example-x.com is not in the list of domains we accept email for quit,
reject without further processing.
I think my problem is I am *not* thinking, or rather that
"permit_sasl_authenticated" solves all problems!
Thanks for the input, after giving myself a swift kick - back to the
drawing board.
On 2016-04-08 11:37 AM, Sebastian Nielsen wrote:
No, authentication is always attempted.
So even if there's no permit_sasl_authenticated in the rules stack, you can still authenticate (if
SASL is enabled) and gain "authenticated" rights, which would then be no more than
"guest" rights.
So to correctly try out the tables, you would need to try to send out a mail with a
"fake" MAIL FROM and a "real" MAIL FROM.
The "fake" MAIL FROM should get rejected even if you are authenticated.
The "real" MAIL FROM should get accepted if you are authenticated, else it
should get rejected as well.
-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On behalf of John Allen
Sent: 8 April 2016 21:27
To: postfix-users@postfix.org
Subject: Re: smtp_relay_restrictions
On 2016-04-07 2:47 PM, Noel Jones wrote:
On 4/7/2016 7:44 AM, John Allen wrote:
I am trying to work out what parameters to add to
smtpd_relay_restrictions, both in main.cf and master.cf.
1. We do not allow relaying by any means!
2. In-house users must be registered, use our domains and port 587
(submission) to send.
I use /check_sender_access/ with a table in the form
"example.com permit_sasl_authenticated, reject" to enforce
these rules (thanks to a Sebastian Nielsen for the idea) in the
submission section of master.cf.
3. We accept mail from the rest of the world on port 25 (smtp).
Currently in main.cf I have reject_unauth_destination as the only
parameter of smtpd_relay_restrictions.
In master.cf I have had to add permit_sasl_authenticated, reject to
the smtpd_relay_restrictions, this seems to be odd as I am using a
more "restrictive" version of this in recipient_restrictions. If I
leave it blank/unset all mail on 587 gets rejected with "An error
occurred while sending mail. The mail server responded: 5.7.1
<j...@klam.ca>: Recipient address rejected: Access denied.
Please check the message recipient "j...@klam.ca" and try again."
What would be a better set of parameters for both main.cf and
master.cf?
The postfix built-in open relay check can't see inside your
check_sender_access map, so it complains about missing relay
protection.
Adding a ,reject to the end of your smtpd_recipient_restrictions
should allow you to use an empty smtpd_relay_restrictions. This will
also ensure that clients not using your domain as sender will be
rejected.
-o {smtpd_recipient_restrictions=check_sender_access
hash:/etc/postfix/maps/submission_access, reject}
-o smtpd_relay_restrictions=
It does not seem to be working as expected! To test this out I am using the
family's domain klam.ca and server imap/smtp.klam.ca. I set up a fake user
'harry' whose email address was ha...@klam.biz. I set him up on Thunderbird
with imap/smtp.klam.biz. However, if I change Harry's config under Thunderbird
to use imap/smtp.klam.ca and try to send then I get asked for Harry's
authentication.
I asked for a password in both cases, this seems a little odd as klam.biz is
not in the check_sender_access table and I thought that if the domain was not
in the lookup table then the email would be rejected before authentication
would be attempted.
What am I missing? What am I doing wrong? What don't I understand (re Postfix,
my wife tells me all the other things I don't understand)?