You didn't answer the all-important question about what IP postfix sees for mail arriving from the Xeams server, nor did you provide the requested logging.
I'll assume postfix sees the Xeams IP. That's bad; it prevents postfix from making any decisions about the source of the mail.

The solution is to remove the Xeams IP from mynetworks, and get rid of the silly 'reject' at the end of your restrictions.

Something like:

mynetworks = !ip.of.xe.ams lo.ca.ln.et/mask 127.0.0.1

and your restrictions should look like (remove your smtpd_client_restrictions entry)

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

  -- Noel Jones

On 1/20/2017 10:53 AM, SH Development wrote:
> Postfix I assumed got its valid users from the same place Dovecot is getting
> it, the MySQL database.
>
> In the postconf -n I posted, it may not have shown the mynetworks as I have
> gone from trying different things to leaving it at default. It was probably
> at default when I generated it. I have tried making mynetworks local host
> only which results in client unauthorized errors when receiving mail. Any
> change I’ve made to mynetworks has resulted in incoming mail being rejected.
> I’m sure I’m missing something here.
>
> All incoming mail from the outside world flows through Xeams. All outgoing
> mail from our users goes through Dovecot and Postfix.
>
> On the repeated “reject”, are you saying that this is unnecessary? My
> understanding was in setting it that way was that directives are matched from
> the beginning of the line and by having a final “reject” it would catch any
> anomalies that might make it through the first tests.
>
> Not an expert by any means just following some advice I probably received at
> one time.
>
> Jeff
>
>
>> On Jan 20, 2017, at 9:05 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>
>> On 1/19/2017 11:49 PM, SH Development wrote:
>>> I have a server running Xeams for spam filtering, and another server
>>> running Postfix 2.6.6. Both servers are on the same network behind a
>>> firewall.
>>> Haven’t had any problems until recently when Xeams tech support
>>> pointed out that my Xeams server is showing as an open relay, but my
>>> Postfix server is not. They are telling me it’s because my Postfix server
>>> config is broken by not rejecting invalid user addresses passed through
>>> from Xeams.
>>>
>>> Sure enough, if I telnet from any machine on the same network as the
>>> Postfix server, it accepts email to any user, real or not. However, from
>>> any other machine outside that network, it rejects invalid addresses as
>>> it should. I have tried some variations with the mynetworks but that seems
>>> to break other things.
>>>
>>> I need to close this hole up. I don’t think it’s been abused as of yet,
>>> but it’s only a matter of time.
>>>
>>
>> You'll need to describe your mail flow and the problem in more detail,
>> including logs of the unwanted behavior.
>>
>> Does postfix have a list of valid users?
>>
>> I don't see where you've defined mynetworks.
>>
>> Does all internet mail flow through your Xeams server? Does postfix
>> see that mail as coming from the local network (rather than from the
>> original IP)?
>>
>>>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>>>> reject_unauth_destination reject
>>
>> The final "reject" here and repeated in the other
>> smtpd_*_restrictions prevents postfix from accepting *any* mail not
>> authenticated or not from mynetworks.
>>
>>
>>   -- Noel Jones
>>
>>> Attached is the postconf -n output.
>>>
>>> alias_database = hash:/etc/aliases
>>> alias_maps = hash:/etc/aliases
>>> broken_sasl_auth_clients = yes
>>> command_directory = /usr/sbin
>>> config_directory = /etc/postfix
>>> daemon_directory = /usr/libexec/postfix
>>> data_directory = /var/lib/postfix
>>> debug_peer_level = 2
>>> html_directory = no
>>> inet_interfaces = all
>>> inet_protocols = ipv4
>>> mail_owner = postfix
>>> mailq_path = /usr/bin/mailq.postfix
>>> manpage_directory = /usr/share/man
>>> message_size_limit = 30720000
>>> mydestination = $myhostname, localhost, localhost.localdomain
>>> mydomain = starionhost.net
>>> myhostname = mail.starionhost.net
>>> newaliases_path = /usr/bin/newaliases.postfix
>>> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
>>>   $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
>>>   $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
>>>   $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
>>>   $virtual_mailbox_limit_maps
>>> queue_directory = /var/spool/postfix
>>> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>>> sample_directory = /usr/share/doc/postfix-2.6.6/samples
>>> sendmail_path = /usr/sbin/sendmail.postfix
>>> setgid_group = postdrop
>>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>>>   reject_unauth_destination reject
>>> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
>>>   reject_unauth_destination reject
>>> smtpd_sasl_auth_enable = yes
>>> smtpd_sasl_authenticated_header = yes
>>> smtpd_sasl_path = private/auth
>>> smtpd_sasl_type = dovecot
>>> smtpd_tls_CAfile = /etc/pki/tls/cert.pem
>>> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
>>> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>>> smtpd_use_tls = yes
>>> unknown_local_recipient_reject_code = 550
>>> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
>>>   mysql:/etc/postfix/mysql-virtual_email2email.cf
>>> virtual_gid_maps = static:5000
>>> virtual_mailbox_base = /home/vmail
>>> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
>>> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
>>> virtual_transport = dovecot
>>> virtual_uid_maps = static:5000
>>>
>>> Jeff
>>>
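
Added example, not part of the original thread and not Postfix code: a simplified Python model of the two behaviours discussed above, the left-to-right, first-match handling of "!" exclusions in mynetworks and the way a restriction list stops at the first verdict. The addresses (192.0.2.10 standing in for the Xeams host, 192.0.2.0/24 for the LAN, 203.0.113.5 for an outside client) and the domain example.com are constructed placeholders.

```python
import ipaddress

def in_mynetworks(client_ip, mynetworks):
    """Match list as documented for mynetworks: scanned left to right,
    the first matching pattern decides, '!pattern' excludes."""
    ip = ipaddress.ip_address(client_ip)
    for pattern in mynetworks.split():
        negate = pattern.startswith("!")
        net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
        if ip in net:
            return not negate
    return False

def evaluate(restrictions, client_ip, mynetworks, sasl_ok, rcpt_domain, handled):
    """Walk one smtpd_*_restrictions list; the first restriction that
    returns a verdict ends the list. 'handled' is a simplified stand-in
    for the domains this server is a destination for."""
    for r in restrictions.split():
        if r == "permit_mynetworks" and in_mynetworks(client_ip, mynetworks):
            return "permit (permit_mynetworks)"
        if r == "permit_sasl_authenticated" and sasl_ok:
            return "permit (permit_sasl_authenticated)"
        if r == "reject_unauth_destination" and rcpt_domain not in handled:
            return "reject (reject_unauth_destination)"
        if r == "reject":
            return "reject (reject)"
    # Nothing matched: this list does not object, later checks still apply.
    return "permit (end of list)"

# Constructed sample values (assumptions, not taken from the thread).
HANDLED = {"example.com"}
OLD = "permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject"
NEW = "permit_mynetworks permit_sasl_authenticated reject_unauth_destination"
NETS_WITH_FILTER = "192.0.2.0/24 127.0.0.1"
NETS_FIXED = "!192.0.2.10 192.0.2.0/24 127.0.0.1"

if __name__ == "__main__":
    cases = [
        ("old, outside client", OLD, "203.0.113.5", NETS_WITH_FILTER),
        ("old, filter host", OLD, "192.0.2.10", NETS_WITH_FILTER),
        ("new, filter host", NEW, "192.0.2.10", NETS_FIXED),
        ("new, LAN client", NEW, "192.0.2.20", NETS_FIXED),
    ]
    for label, rules, ip, nets in cases:
        print(label, "->", evaluate(rules, ip, nets, False, "example.com", HANDLED))
```

The exclusion only takes effect when it appears before the network that contains it; "192.0.2.0/24 !192.0.2.10" would still match the filter host.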