On 9/20/2018 12:29 PM, Fazzina, Angelo wrote:
> Thanks for the clarification. I was afraid I would get the RTFM response to a
> question I had, which may be related.
> MTA4 = RHEL 7.5 and PF 2.10.1
> MTA1-3 = RHEL 6.9 and PF 2.6.6
>
> I did read a lot about the differences
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Migration_Planning_Guide/Red_Hat_Enterprise_Linux-7-Migration_Planning_Guide-en-US.pdf
> and noticed mention of this at page 37
>
> A new smtpd_relay_restrictions parameter has been added. By default this
> enables permit_mynetworks, permit_sasl_authenticated, and
> defer_unauth_destination.
> This prevents open relay problems due to mistakes with spam filter rules in
> smtpd_recipient_restrictions.
> However, if your site has a complex mail relay policy configured under
> smtpd_recipient_restrictions, some mail may be incorrectly
> deferred. To correct this, either remove smtpd_relay_restrictions
> configuration and use the existing policy in smtpd_recipient_restrictions,
> or copy the existing policy from smtpd_recipient_restrictions to
> smtpd_relay_restrictions
>
>
> MTA1-3 have this
> smtpd_recipient_restrictions = check_recipient_access
> hash:/etc/postfix/maps/block_to, permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination
> and no smtpd_relay_restrictions in the file main.cf
>
> MTA4 has
> smtpd_recipient_restrictions = reject_unauth_destination
> smtpd_relay_restrictions = check_recipient_access
> hash:/etc/postfix/maps/block_to, permit_mynetworks,
> permit_sasl_authenticated, defer_unauth_destination
Assuming your block_to map is a list of recipients to always REJECT, a
better recipe for MTA4 would be:

smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

The idea is smtpd_recipient_restrictions is general anti-UCE and other
local controls, smtpd_relay_restrictions is to define which clients are
allowed relay access.

  -- Noel Jones

> So I think I found the error.
> My question is how to understand that paragraph so I know what to set
> smtpd_recipient_restrictions
> and
> smtpd_relay_restrictions
> to so mail flows the same way?
>
> Do I simply change
> smtpd_recipient_restrictions = reject_unauth_destination
> to
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>
> I say this because all servers have
> mynetworks = /etc/postfix/files/mynetwork
> [root@mta2 files]# more mynetwork
> # These are networks whose hosts are authorized to relay mail.
> # Localhost
> 127.0.0.0/8
> # UConn networks
> 137.99.0.0/16 # UConn Public
>
> Thanks again.
>
>
> -ANGELO FAZZINA
>
> ITS Service Manager:
> Spam and Virus Prevention
> Mass Mailing
> G Suite/Gmail
>
> ang...@uconn.edu
> University of Connecticut, ITS, SSG, Server Systems
> 860-486-9075
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On
> Behalf Of Viktor Dukhovni
> Sent: Thursday, September 20, 2018 12:10 PM
> To: Postfix users <postfix-users@postfix.org>
> Subject: Re: Not sure if i have a DNS or Postfix issue ?
>
>
>
>> On Sep 20, 2018, at 11:37 AM, Fazzina, Angelo <angelo.fazz...@uconn.edu>
>> wrote:
>>
>> User sends email to ling...@listserv.uconn.edu.
>> [two of recipients are woodsan...@msn.com and jb...@albanylaw.edu]
>>
>> Listserv.uconn.edu relays the email to smtp.uconn.edu
>> When smtp.uconn.edu resolves to MTA4 and not MTA1-3 we have an issue.
>>
>> I get these errors
>> Sep 19 09:40:26 mta4 postfix/smtpd[22724]: 529981802840: reject: RCPT from
>> MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]:
>> 554 5.7.1 <jb...@albanylaw.edu>: Relay access denied;
>> from=<owner-ling...@listserv.uconn.edu>
>> to=<jb...@albanylaw.edu> proto=ESMTP helo=<MSB-P-Listserv>
>>
>> Sep 19 09:40:25 mta4 postfix/smtpd[22724]: NOQUEUE: reject: RCPT from
>> MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]:
>> 554 5.7.1 <woodsan...@msn.com>: Relay access denied;
>> from=<owner-ling...@listserv.uconn.edu>
>> to=<woodsan...@msn.com> proto=ESMTP helo=<MSB-P-Listserv>
>
> The Postfix configuration of mta4 is not suited to its use:
>
> * You're using it as an *outbound* relay to deliver email to list members.
> * It is configured with access control rules that make sense on an *inbound*
>   relay, allowing only email to internal domains.
>
> This relay needs to permit all mail to external recipients from authorized
> clients (perhaps all) on your network. How it determines whether a client
> is authorized to relay outbound email is generally a site-specific issue.
>
> Clients can be allowed via CIDR table by IP address, or could be required
> to authenticate with TLS client certs or SASL. Or with the server only
> accepting mail on an internal network where all clients are trusted, it
> could allow all clients, with the network topology doing the access control.
>
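The following is an added example, not part of the thread and not Postfix's own code: a small Python model of how smtpd evaluates the two restriction lists at RCPT TO time, run against the two main.cf fragments quoted above (MTA4 as found, and Noel Jones's recipe). It encodes the documented order (smtpd_relay_restrictions first, then smtpd_recipient_restrictions, both must pass), the left-to-right first-match rule, and the implicit PERMIT when a list runs out. The mynetworks ranges and the listserv client address come from the thread; the local-domain set, the contents of the block_to map and the recipient addresses are constructed assumptions for the example. Only the five restrictions that appear in the thread are modelled.

```python
"""Toy model of Postfix RCPT TO restriction evaluation (added example, not Postfix code)."""
import ipaddress
import re

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"

# Site data. The two networks are the ones in /etc/postfix/files/mynetwork in the thread;
# LOCAL_DOMAINS (stand-in for mydestination/relay_domains) and the block_to contents are assumptions.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "137.99.0.0/16")]
LOCAL_DOMAINS = {"uconn.edu", "listserv.uconn.edu"}
MAPS = {"hash:/etc/postfix/maps/block_to": {"blocked@uconn.edu": "REJECT"}}

# main.cf fragments exactly as quoted in the thread.
MTA4_AS_FOUND = {
    "smtpd_recipient_restrictions": "reject_unauth_destination",
    "smtpd_relay_restrictions": "check_recipient_access hash:/etc/postfix/maps/block_to, "
                                "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
}
MTA4_RECIPE = {
    "smtpd_recipient_restrictions": "check_recipient_access hash:/etc/postfix/maps/block_to",
    "smtpd_relay_restrictions": "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination",
}

ACCESS_MAP_ACTIONS = {"OK": PERMIT, "PERMIT": PERMIT, "REJECT": REJECT, "DEFER": DEFER}


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def unauth_destination(rcpt):
    """True when the recipient domain is not one we are the final/relay destination for."""
    return rcpt.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS


def tokenize(value):
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def evaluate(value, client_ip, rcpt, sasl=False):
    """Walk one restriction list left to right: the first non-DUNNO result wins,
    and running off the end of the list is an implicit PERMIT."""
    tokens = tokenize(value)
    i = 0
    while i < len(tokens):
        t = tokens[i]
        i += 1
        if t == "check_recipient_access":
            table = MAPS.get(tokens[i], {})          # next token names the lookup table
            i += 1
            result = ACCESS_MAP_ACTIONS.get(table.get(rcpt.lower(), "").upper(), DUNNO)
        elif t == "permit_mynetworks":
            result = PERMIT if in_mynetworks(client_ip) else DUNNO
        elif t == "permit_sasl_authenticated":
            result = PERMIT if sasl else DUNNO
        elif t == "reject_unauth_destination":
            result = REJECT if unauth_destination(rcpt) else DUNNO
        elif t == "defer_unauth_destination":
            result = DEFER if unauth_destination(rcpt) else DUNNO
        else:
            raise ValueError("restriction not modelled: " + t)
        if result != DUNNO:
            return result
    return PERMIT


def rcpt_to(config, client_ip, rcpt, sasl=False):
    """smtpd_relay_restrictions is applied first, then smtpd_recipient_restrictions;
    a PERMIT from the relay list does not skip the recipient list."""
    for key in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        result = evaluate(config.get(key, ""), client_ip, rcpt, sasl)
        if result in (REJECT, DEFER):
            return result
    return PERMIT


if __name__ == "__main__":
    LISTSERV, OUTSIDER = "137.99.30.25", "203.0.113.5"   # client in the thread; constructed outsider
    cases = [
        ("listserv -> external member", LISTSERV, "member@example.com", False),
        ("outsider -> external (relay probe)", OUTSIDER, "member@example.com", False),
        ("outsider -> local mailbox (inbound)", OUTSIDER, "user@uconn.edu", False),
        ("listserv -> blocked recipient", LISTSERV, "blocked@uconn.edu", False),
        ("SASL user off-net -> external", OUTSIDER, "member@example.com", True),
    ]
    for name, ip, rcpt, sasl in cases:
        print(f"{name:38s} as found: {rcpt_to(MTA4_AS_FOUND, ip, rcpt, sasl):6s} "
              f"recipe: {rcpt_to(MTA4_RECIPE, ip, rcpt, sasl)}")
```

The first case reproduces the "Relay access denied" seen in the log: the listserv host passes the relay list via permit_mynetworks, but the as-found smtpd_recipient_restrictions then applies reject_unauth_destination to the external recipient. Under the recipe the relay list decides relay access once, the recipient list only carries the block_to policy, and the outsider-to-external probe is still refused, so neither layout is an open relay.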