I am currently solving a problem where I was requested to block all outgoing mail (from our mail server) to all domains except a few listed domains.

I configured smtpd_recipient_restrictions as

    smtpd_recipient_restrictions = check_recipient_access hash:/opt/zimbra/postfix/conf/recipient_domains, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject

which seemed to work to a point - I wasn't able to send anything to anyone except domains listed in recipient_domains. However, I can see in the postfix logs that some users are still able to do that and I have absolutely no clue how that is possible. When I try to send some mail to a domain which isn't allowed I get:

    RCPT TO:petr@bena.rocks
    554 5.7.1 <petr@bena.rocks>: Recipient address rejected: Access denied

In the logs, however, I see stuff like (I had to remove some sensitive data from the logs):

    Jan 18 16:31:50 in-vx182 postfix/smtps/smtpd[11220]: 5BEA483E01: client=unknown[xx.xxx.xxx.xx], sasl_method=PLAIN, sasl_username=trimmed
    Jan 18 16:31:54 in-vx182 postfix/cleanup[26078]: 5BEA483E01: message-id=<p2myappo76e62il59s9dh0ky.1484737267...@email.android.com>
    Jan 18 16:34:22 in-vx182 postfix/qmgr[8429]: 5BEA483E01: from=<trimmed@our-domain>, size=300334, nrcpt=1 (queue active)
    Jan 18 16:34:22 in-vx182 postfix/smtp[29670]: 5BEA483E01: to=<trim...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=153, delays=153/0/0/0.25, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E0F4683DFA)
    Jan 18 16:34:22 in-vx182 postfix/qmgr[8429]: 5BEA483E01: removed

Meaning the server allowed mail delivery to gmail, which isn't allowed in the configuration. Why is that? Could it be because 'smtpd_relay_restrictions' contains 'permit_sasl_authenticated'? I don't really understand how the access control flow works here, or which one has precedence, relay_restrictions or recipient_restrictions.

Also, what if I wanted to require sasl and also a whitelist? Right now it seems that once any of the defined rules is passed, everything else is skipped (e.g. the user is authenticated over sasl so it doesn't care about the domain whitelist)?

Thank you
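An added example, not part of the original post: a log audit that correlates Postfix queue IDs to report which smtpd service and SASL user accepted mail that was then sent to a recipient domain outside the allow list. The log lines, host name, users and the ALLOWED_DOMAINS set are constructed for illustration; only the line format follows the excerpt above.

```python
import re

# Assumption: stands in for the domains listed in recipient_domains.
ALLOWED_DOMAINS = {"example.org"}

# Constructed sample lines in the same format as the log excerpt in the post.
SAMPLE_LOG = """\
Jan 18 16:31:50 mx postfix/smtps/smtpd[11220]: 5BEA483E01: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan 18 16:34:22 mx postfix/qmgr[8429]: 5BEA483E01: from=<alice@example.org>, size=300334, nrcpt=1 (queue active)
Jan 18 16:34:22 mx postfix/smtp[29670]: 5BEA483E01: to=<bob@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=153, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jan 18 16:40:01 mx postfix/smtpd[11300]: 7C1D2A0002: client=unknown[192.0.2.11], sasl_method=PLAIN, sasl_username=carol
Jan 18 16:40:02 mx postfix/smtp[29671]: 7C1D2A0002: to=<dave@example.org>, relay=127.0.0.1[127.0.0.1]:10026, delay=1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# service name (e.g. "smtps/smtpd"), queue id, and the remainder of the line
LINE = re.compile(r"postfix/(?P<svc>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")


def audit(log_text, allowed=ALLOWED_DOMAINS):
    """Return (queue_id, accepting_service, sasl_user, recipient) for every
    sent message whose recipient domain is not in `allowed`."""
    accepted = {}  # queue id -> (service, sasl user) taken from the smtpd "client=" line
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        if svc.endswith("smtpd") and rest.startswith("client="):
            user = re.search(r"sasl_username=([^,\s]+)", rest)
            accepted[qid] = (svc, user.group(1) if user else None)
        elif svc == "smtp" and "status=sent" in rest:
            rcpt = re.search(r"to=<([^>]+)>", rest)
            if not rcpt:
                continue
            domain = rcpt.group(1).rsplit("@", 1)[-1].lower()
            if domain not in allowed:
                svc_in, user = accepted.get(qid, ("unknown", None))
                findings.append((qid, svc_in, user, rcpt.group(1)))
    return findings


if __name__ == "__main__":
    for qid, svc, user, rcpt in audit(SAMPLE_LOG):
        print(f"{qid}: accepted by {svc} (sasl user {user}) -> {rcpt}")
```

The service field in each finding identifies which smtpd listener accepted the message, so the restriction settings in effect can be compared per listener.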