I have Postfix running inside a private LAN as an outgoing relay via
GMail (no incoming Internet connections).  I have two goals:

1. Relay only to one specific domain
2. Accept relay from only one specific LAN client

So I configured the following (complete postconf -n appended below):

    myhostname = host.internal.lan
    mynetworks = 192.168.0.105
                 127.0.0.0/8
                 [::ffff:127.0.0.0]/104
                 [::1]/128
    relay_domains = mydomain.com
    relayhost = [smtp.gmail.com]:587
    smtpd_relay_restrictions = permit_mynetworks
                               reject_unauth_destination

This works for the first objective, and blocks relaying to any address
not in mydomain.com.

    Dec 23 12:21:16 janus postfix/smtpd[9974]: connect from unknown[192.168.0.175]
    Dec 23 12:22:10 janus postfix/smtpd[9974]: NOQUEUE: reject: RCPT from unknown[192.168.0.175]: 554 5.7.1 <m...@me.com>: Relay access denied; from=<u...@host175.internal.lan> to=<m...@me.com> proto=SMTP helo=<host175.internal.lan>

I was also expecting the $mynetworks setting to allow relaying from
only that one specific host (.105) (as well as the local system) while
blocking relaying from any other LAN host.

What I actually see is that any host on the LAN is allowed to relay (I
tested from 192.168.0.175).  Here are the log entries:

    Dec 23 12:24:01 janus postfix/smtpd[9974]: CC31BC0281: client=unknown[192.168.0.175]
    Dec 23 12:24:17 janus postfix/cleanup[9984]: CC31BC0281: message-id=<>
    Dec 23 12:24:17 janus postfix/qmgr[9910]: CC31BC0281: from=<u...@host175.internal.lan>, size=225, nrcpt=1 (queue active)
    Dec 23 12:24:18 janus postfix/relay/smtp[9992]: CC31BC0281: to=<recipi...@mydomain.com>, relay=smtp.gmail.com[142.251.116.109]:587, delay=22, delays=21/0.03/0.69/0.53, dsn=2.0.0, status=sent (250 2.0.0 OK 1671827058 l14-20020a056870f14e00b0014b8347e1e3sm1987913oac.12 - gsmtp)
    Dec 23 12:24:18 janus postfix/qmgr[9910]: CC31BC0281: removed

I've studied the excellent documentation thoroughly, and even found
several how-to's on the web saying this is the way to restrict relaying
to a specific client.

What have I missed?

postconf -n output (slightly redacted):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = $myhostname, host, localhost.internal.lan, localhost
myhostname = host.internal.lan
mynetworks = 192.168.0.105 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $myhostname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = mydomain.com
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
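The accepted message in the second log excerpt follows from how reject_unauth_destination is defined: it permits any recipient whose domain is in $relay_domains, regardless of which client connected, so with relay_domains = mydomain.com every LAN host can send to that domain and $mynetworks only governs relaying to other domains. As an added example (not part of the original post or of any reply), here is one main.cf arrangement that enforces both goals, assuming the same client address, domain and relayhost as above:

```ini
# --- Original (weak) list from the post ---
# reject_unauth_destination PERMITS any recipient in $relay_domains
# (mydomain.com) no matter who the client is, so the only thing
# permit_mynetworks adds here is relaying to *other* domains.
# smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination

# --- Corrected: one restriction list per goal ---
# Postfix evaluates the lists in order (client, helo, sender, relay,
# recipient). A PERMIT ends only the list it appears in; a REJECT ends
# the whole decision. The two lists below are therefore ANDed.

# Goal 2: only the single LAN client (plus loopback) may use this server.
# Other clients get "554 5.7.1 Client host rejected: Access denied" at
# RCPT TO (smtpd_delay_reject = yes is the default).
mynetworks = 192.168.0.105 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_client_restrictions = permit_mynetworks, reject

# Goal 1: even the permitted client may only send to $relay_domains.
relay_domains = mydomain.com
smtpd_relay_restrictions = reject_unauth_destination

# Unchanged from the post: everything that is accepted goes out via Gmail.
relayhost = [smtp.gmail.com]:587
```

After `postfix reload`, a test from 192.168.0.175 to recipi...@mydomain.com should now be rejected at RCPT TO, while the same message from 192.168.0.105 is still queued and sent.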
