I set up an internal postfix + dovecot server running on Ubuntu 14.04.5 a few months ago. I used the guide at the following link in order to get it set up:
http://www.binarytides.com/install-postfix-dovecot-debian/

Just last week, I noticed that the server was accepting mail from basically anything (though relay was configured to be more restricted). I wanted it to act more like Microsoft Exchange 2010, where authenticated mail clients can connect and relay mail but unauthenticated clients are added to a "receive connector" (Exchange term) by IP address and cannot even successfully start sending SMTP commands unless they are in that list.

I did some research and reconfigured the client, HELO, and relay restrictions. My application servers that use postfix to relay mail are still able to deliver the mail to both dovecot mailboxes and another domain hosted on Microsoft Exchange without issue, but now dovecot clients are not able to relay mail to Microsoft Exchange. Here is the exact error message that is received by the mail client:

-------
Server error: '554 5.7.1 <client47.domain.com[10.10.10.47]:51423>: Client host rejected: Access denied'
-------

I know that this error is caused by the smtpd_client_restrictions parameter and not smtpd_relay_restrictions. Is there a way I can whitelist clients that authenticated to dovecot via IMAP in postfix as well as other application servers that are currently whitelisted by IP address? I thought the permit_sasl_authenticated entry in smtpd_client_restrictions would have solved the issue, but it doesn't seem to.
Here is postconf -n:

-------
user@appserver4:~$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
debug_peer_level = 1
debug_peer_list = domain.com
inet_interfaces = all
inet_protocols = all
lmtp_tls_security_level = none
mailbox_size_limit = 0
mydestination = appserver4.subdomain.domain.com, localhost.domain.com, localhost, mail.domain.test
myhostname = mail.domain.test
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.253.254.225 10.254.254.225 10.254.254.226 10.254.254.171 10.254.254.172
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = domain.com
relayhost = [exchangefe01.subdomain.domain.com]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_rate_limit = 1000
smtpd_client_message_rate_limit = 1000
smtpd_client_new_tls_session_rate_limit = 1000
smtpd_client_port_logging = yes
smtpd_client_recipient_rate_limit = 3000
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_recipient_limit = 3000
smtpd_reject_unlisted_sender = no
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unverified_recipient, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/apps4_combined.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
smtpd_tls_key_file = /etc/ssl/private/apps4_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
virtual_transport = lmtp:unix:private/dovecot-lmtp
-------
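
How the smtpd_client_restrictions list in the post is walked for a given client, as an added example that is not part of the original post: a simplified Python model in which `parse_networks` and `evaluate` are hypothetical names and only the three rules in that list are modelled. It assumes the default smtpd_delay_reject = yes, so the list is evaluated after any SMTP AUTH, and shows that 10.10.10.47 reaches the final reject unless its own SMTP session completed AUTH.

```python
import ipaddress

# mynetworks and smtpd_client_restrictions copied from the postconf -n output above.
MYNETWORKS = ("127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.253.254.225 "
              "10.254.254.225 10.254.254.226 10.254.254.171 10.254.254.172")
CLIENT_RESTRICTIONS = "permit_mynetworks, permit_sasl_authenticated, reject"


def parse_networks(value):
    """Turn a mynetworks value into ip_network objects ([v6]/len form included)."""
    nets = []
    for item in value.replace(",", " ").split():
        item = item.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def evaluate(restrictions, client_ip, sasl_authenticated, networks):
    """Walk the list left to right; the first rule that decides wins.

    Returns (action, rule). Only the three rules used in the post's
    smtpd_client_restrictions are modelled (a simplification); others are skipped.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in (r.strip() for r in restrictions.split(",")):
        if rule == "permit_mynetworks":
            if any(ip.version == n.version and ip in n for n in networks):
                return ("permit", rule)
        elif rule == "permit_sasl_authenticated":
            # True only if this SMTP session completed AUTH; an IMAP login
            # to dovecot is a separate session and does not count.
            if sasl_authenticated:
                return ("permit", rule)
        elif rule == "reject":
            # Reply text seen in the post: "Client host rejected: Access denied"
            return ("reject", rule)
    return ("dunno", None)  # no rule decided; the next restriction class applies


NETS = parse_networks(MYNETWORKS)

if __name__ == "__main__":
    # Constructed cases: a listed app server, then the mail client from the error.
    cases = [("10.254.254.171", False), ("10.10.10.47", False), ("10.10.10.47", True)]
    for ip, authed in cases:
        print(ip, "AUTH" if authed else "no AUTH",
              evaluate(CLIENT_RESTRICTIONS, ip, authed, NETS))
```

With smtpd_tls_auth_only = yes, as in the configuration above, Postfix only offers AUTH after STARTTLS, so the `sasl_authenticated` case applies only to clients that negotiate TLS and then authenticate on the SMTP connection.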