We're moving to a configuration that will leverage the check_sasl_access option to allow only those granted access to authenticate from outside the local network and relay mail.
This is mostly working (at least amongst the list of users allowed to send--we'll evaluate the types of things we're hoping to block separately). However, for approximately 5% of that "allowed" population we see the server rejecting the message, with log entries like (address X'd out):

    2019-12-11T14:59:50.732563-08:00 smtp5 postfix/smtpd[3564]: NOQUEUE: reject: RCPT from c-71-63-145-202.hsd1.or.comcast.net[71.63.145.202]: 554 5.7.1 <x...@stanford.edu>: Recipient address rejected: Access denied; from=<x...@stanford.edu> to=<x...@stanford.edu> proto=ESMTP helo=<HP08E4FF>

Here are the portions of main.cf that have changed:

OLD:

    smtpd_recipient_restrictions =
        check_client_access cidr:/etc/postfix/access/restricted-local-only.cidr,
        check_recipient_access hash:/etc/postfix/access/recipient,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unknown_recipient_domain,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject

NEW:

    smtpd_relay_restrictions =
        check_sasl_access hash:/etc/postfix/access/sasl-users-list,
        permit_mynetworks,
        reject_unauth_destination,
        reject

    smtpd_recipient_restrictions =
        check_client_access cidr:/etc/postfix/access/restricted-local-only.cidr,
        check_recipient_access hash:/etc/postfix/access/recipient,
        reject_unknown_recipient_domain,
        reject_non_fqdn_recipient

Where /etc/postfix/access/sasl-users-list is populated like:

    username1 OK
    username2 OK

We've also tried PERMIT rather than OK, without effect.

It's worth noting that in making this change we moved from Postfix 2.9.6 to 3.1.12.

Any thoughts? Thanks in advance.

Jason Cowart
University IT
Stanford University
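Added example, not part of the original post: a small parser for smtpd reject lines of the shape quoted above, tallying "Access denied" rejects per client IP and HELO so the affected share of clients can be isolated from the mail log. The function names are hypothetical and the sample log lines are constructed (documentation addresses and domains).

```python
import re
from collections import Counter

# Shape of the smtpd NOQUEUE reject line quoted in the post.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<stage>\S+) from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<subject>[^>]*)>: "
    r"(?P<reason>[^;]+); (?P<attrs>.*)$"
)
# Trailing key=value pairs; a value may be wrapped in <>.
ATTR_RE = re.compile(r"(\w+)=(?:<([^>]*)>|(\S+))")
DENIED = "Recipient address rejected: Access denied"

def parse_reject(line):
    """Return the fields of one reject line as a dict, or None if it is not one."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key, bracketed, bare in ATTR_RE.findall(rec.pop("attrs")):
        rec[key] = bracketed or bare
    return rec

def access_denied_by_client(lines):
    """Count 'Access denied' rejects per (client IP, HELO name)."""
    counts = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec and rec["reason"] == DENIED:
            counts[(rec["ip"], rec.get("helo", ""))] += 1
    return counts

# Constructed sample input, not taken from any real server.
P = "2019-12-11T15:00:00.000000-08:00 smtp5 postfix/smtpd[3564]: "
A = "from=<alice@example.edu> to=<bob@example.edu> proto=ESMTP "
SAMPLE_LOG = [
    P + "connect from client1.example.net[192.0.2.10]",
    P + "NOQUEUE: reject: RCPT from client1.example.net[192.0.2.10]: 554 5.7.1 "
        "<bob@example.edu>: " + DENIED + "; " + A + "helo=<HP-LAPTOP>",
    P + "NOQUEUE: reject: RCPT from client1.example.net[192.0.2.10]: 554 5.7.1 "
        "<bob@example.edu>: " + DENIED + "; " + A + "helo=<HP-LAPTOP>",
    P + "NOQUEUE: reject: RCPT from client2.example.net[198.51.100.7]: 554 5.7.1 "
        "<bob@example.edu>: " + DENIED + "; " + A + "helo=<mail-client>",
    P + "NOQUEUE: reject: RCPT from client3.example.net[203.0.113.5]: 554 5.7.1 "
        "<carol@example.org>: Relay access denied; " + A + "helo=<other>",
]

if __name__ == "__main__":
    for (ip, helo), n in access_denied_by_client(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip}  helo={helo}")
```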