Hi,

> > > This was rejected by "reject_unauth_destination".
> >
> > Thank you so much. I had included my smtpd_recipient_restrictions
> > earlier in this thread, but should have been more complete. This is
> > the multi-instance postfix you helped me configure some time ago. Mail
> > is first processed by this postfix-117 instance, sent to amavisd, then
> > forwarded to postfix-out where it's sent to the recipient.
>
> One would expect to find anti-relay policies only at the input stage,
> with the downstream output instance(s) accepting all mail sent by the
> upstream instance(s).
>
> Is the below the configuration of the input or output instance?

This is from the input instance.

> > mydestination =
> > relay_domains = $mydestination, example.com, nnnhelp.zendesk.com
>
> Addresses in "relay_domains" would typically be accepted. Is
> "nnnhelp.zendesk.com" verbatim the domain that's getting refused?

I'm sorry for all the obfuscation. Here is the real info:

May 12 23:01:18 xavier postfix-117/smtpd[3481869]: NOQUEUE: reject: RCPT from mail-mw2nam10lp2104.outbound.protection.outlook.com[104.47.55.104]: 554 5.7.1 <members...@smartmlshelp.zendesk.com>: Relay access denied; from=<> to=<members...@smartmlshelp.zendesk.com> proto=ESMTP helo=<NAM10-MW2-obe.outbound.protection.outlook.com>

I believe I solved this part by adding smartmlshelp.zendesk.com to
relay_domains.

We've created an outbound O365 connector to route outbound mail through
our servers before being delivered to their final destination - I
believe this is effectively relaying mail from
outbound.protection.outlook.com:

May 12 23:04:00 xavier postfix-117/smtpd[3482092]: NOQUEUE: reject: RCPT from mail-mw2nam12lp2048.outbound.protection.outlook.com[104.47.66.48]: 554 5.7.1 <u...@gmail.com>: Relay access denied; from=<u...@smartmls.com> to=<u...@gmail.com> proto=ESMTP helo=<NAM12-MW2-obe.outbound.protection.outlook.com>

This outbound connector process is described here (option 3):
https://docs.microsoft.com/en-us/Exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365

> > smtpd_recipient_restrictions =
> >     reject_non_fqdn_recipient,
> >     reject_non_fqdn_sender,
> >     reject_unlisted_recipient,
> >     reject_unknown_recipient_domain,
> >     permit_mynetworks,
> >     reject_unauth_destination,
>
> This should not reject domains listed in $relay_domains. Any
> relevant overrides in master.cf? (See "postconf -Mf" output).

# postconf -c /etc/postfix-117 -Mf
policy-spf unix       -       n       n       -       -       spawn
    user=nobody argv=/usr/libexec/postfix/policyd-spf
smtp       inet       n       -       n       -       -       smtpd
pickup     unix       n       -       n       60      1       pickup
cleanup    unix       n       -       n       -       0       cleanup
qmgr       unix       n       -       n       300     1       qmgr
tlsmgr     unix       -       -       n       1000?   1       tlsmgr
rewrite    unix       -       -       n       -       -       trivial-rewrite
bounce     unix       -       -       n       -       0       bounce
defer      unix       -       -       n       -       0       bounce
trace      unix       -       -       n       -       0       bounce
verify     unix       -       -       n       -       1       verify
flush      unix       n       -       n       1000?   0       flush
proxymap   unix       -       -       n       -       -       proxymap
proxywrite unix       -       -       n       -       1       proxymap
smtp       unix       -       -       n       -       -       smtp
relay      unix       -       -       n       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix       n       -       n       -       -       showq
error      unix       -       -       n       -       -       error
retry      unix       -       -       n       -       -       error
discard    unix       -       -       n       -       -       discard
local      unix       -       n       n       -       -       local
virtual    unix       -       n       n       -       -       virtual
lmtp       unix       -       -       n       -       -       lmtp
anvil      unix       -       -       n       -       1       anvil
scache     unix       -       -       n       -       1       scache
postlog    unix-dgram n       -       n       -       1       postlogd

> > /etc/postfix-117/nnnhelp-zendesk:
> >     /example\.com$/ permit
>
> Use of a PCRE table for relay control is a bad idea. The above matches
> more domains than you actually intended. The "relay_domains" setting
> should be enough. [ I assume it is not actually "example.com"... ]

I've tried with cdb (my default db) but unsure how to do wildcards.

/etc/postfix-117/smartmls-com
# cat smartmls
/smartmls.com/ permit
j...@smartmls.com permit
# postmap smartmls
# postmap -c /etc/postfix-117 -q j...@smartmls.com cdb:/etc/postfix-117/smartmls
permit

> What is your (built-in default?) setting of "smtpd_relay_restrictions"?

# postconf -c /etc/postfix-117 smtpd_relay_restrictions
smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
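
The over-matching that the quoted reply warns about for the `/example\.com$/` PCRE entry, as an added example that is not part of the original message. Assumptions: Python's `re` stands in for Postfix's pcre table type, the subdomain rule models the default `parent_domain_matches_subdomains` behaviour for `relay_domains`, and the anchored pattern, function names and sample addresses are constructed for illustration.

```python
import re

# Python's re stands in for a Postfix pcre: table (assumption: these simple
# patterns behave the same). Postfix pcre tables match case-insensitively by
# default and search the whole address, unanchored unless ^ or $ is written.
PATTERNS = {
    "quoted table": r"example\.com$",          # the entry quoted in the thread
    "anchored": r"@(.+\.)?example\.com$",      # hypothetical tightened form
}

def pcre_permits(pattern, address):
    """True if a pcre-style entry `/pattern/ permit` would fire for address."""
    return re.search(pattern, address, re.IGNORECASE) is not None

def relay_domain_permits(relay_domains, address):
    """Model of relay_domains matching: the exact domain or a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in relay_domains)

def audit(pattern, relay_domains, addresses):
    """Addresses the pattern permits although relay_domains would not."""
    return [a for a in addresses
            if pcre_permits(pattern, a)
            and not relay_domain_permits(relay_domains, a)]

# Constructed sample recipients (not taken from the thread's logs).
SAMPLES = [
    "user@example.com",
    "user@help.example.com",
    "user@notexample.com",
    "user@evil-example.com",
    "user@example.com.invalid",
]

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        extra = audit(pattern, {"example.com"}, SAMPLES)
        print(f"{name:12s} permits beyond relay_domains: {extra}")
```

Running the same audit over any regexp or pcre access table before deploying it shows which unrelated domains an entry would let through; listing the domain in `relay_domains` avoids the question entirely.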