I have Postfix running inside a private LAN as an outgoing relay via
GMail (no incoming Internet connections). I have two goals:
1. Relay only to one specific domain
2. Accept relay from only one specific LAN client
So I configured the following (complete postconf -n appended below):
myhostname = host.internal.lan
mynetworks = 192.168.0.105
    127.0.0.0/8
    [::ffff:127.0.0.0]/104
    [::1]/128
relay_domains = mydomain.com
relayhost = [smtp.gmail.com]:587
smtpd_relay_restrictions = permit_mynetworks
    reject_unauth_destination
This works for the first objective, and blocks relaying to any address
not in mydomain.com.
Dec 23 12:21:16 janus postfix/smtpd[9974]: connect from unknown[192.168.0.175]
Dec 23 12:22:10 janus postfix/smtpd[9974]: NOQUEUE: reject: RCPT from unknown[192.168.0.175]: 554 5.7.1 <m...@me.com>: Relay access denied; from=<u...@host175.internal.lan> to=<m...@me.com> proto=SMTP helo=<host175.internal.lan>
I was also expecting the $mynetworks setting to allow relaying from
only that one specific host (.105) (as well as the local system) while
blocking relaying from any other LAN host.
What I actually see is that any host on the LAN is allowed to relay (I
tested from 192.168.0.175). Here are the log entries:
Dec 23 12:24:01 janus postfix/smtpd[9974]: CC31BC0281: client=unknown[192.168.0.175]
Dec 23 12:24:17 janus postfix/cleanup[9984]: CC31BC0281: message-id=<>
Dec 23 12:24:17 janus postfix/qmgr[9910]: CC31BC0281: from=<u...@host175.internal.lan>, size=225, nrcpt=1 (queue active)
Dec 23 12:24:18 janus postfix/relay/smtp[9992]: CC31BC0281: to=<recipi...@mydomain.com>, relay=smtp.gmail.com[142.251.116.109]:587, delay=22, delays=21/0.03/0.69/0.53, dsn=2.0.0, status=sent (250 2.0.0 OK 1671827058 l14-20020a056870f14e00b0014b8347e1e3sm1987913oac.12 - gsmtp)
Dec 23 12:24:18 janus postfix/qmgr[9910]: CC31BC0281: removed
I've studied the excellent documentation thoroughly, and even found
several how-to's on the web saying this is the way to restrict relaying
to a specific client.
What have I missed?
postconf -n output (slightly redacted):
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = $myhostname, host, localhost.internal.lan, localhost
myhostname = host.internal.lan
mynetworks = 192.168.0.105 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $myhostname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = mydomain.com
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
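As an added example that is not part of the original question, below is one main.cf layout that meets both stated goals using only documented Postfix behaviour. The point it rests on is in postconf(5): reject_unauth_destination permits any recipient whose domain matches $relay_domains, no matter which client sent it, because relay_domains declares domains this host is willing to accept inbound relay mail for (backup MX style). With relay_domains = mydomain.com, the second restriction in the list therefore permits every LAN host to send to mydomain.com, which is what the second log excerpt shows. Limiting the destination domain has to be done with a recipient access check instead, and relay_domains left empty. The map name /etc/postfix/relay_recipients is chosen for this example; the addresses and domain names are the ones from the question.

```conf
# /etc/postfix/main.cf (added example, not the poster's configuration;
# the map name /etc/postfix/relay_recipients is an assumption)

# Trusted clients: the one LAN host (explicit /32) and the loopback addresses.
mynetworks = 192.168.0.105/32
    127.0.0.0/8
    [::ffff:127.0.0.0]/104
    [::1]/128

# Empty on purpose: this host is not an inbound relay for any domain.
# With mydomain.com listed here, reject_unauth_destination would permit
# mail for mydomain.com from any client, as seen in the question's log.
relay_domains =

relayhost = [smtp.gmail.com]:587

# Evaluated once per RCPT TO.  The access map is keyed by recipient and
# returns the restriction to apply next (see "restriction" in access(5)):
#   recipient in mydomain.com -> permit_mynetworks: only .105 and loopback
#                                may send; any other client falls through
#   anything else             -> no match (DUNNO), falls through
# Whatever falls through reaches reject_unauth_destination, which with an
# empty relay_domains rejects everything except local delivery to
# $mydestination, so the host's own aliases keep working.
smtpd_relay_restrictions =
    check_recipient_access hash:/etc/postfix/relay_recipients
    reject_unauth_destination

# /etc/postfix/relay_recipients  (then: postmap /etc/postfix/relay_recipients)
# check_recipient_access looks up the full address first, then the domain,
# so a bare domain key covers every address in that domain.
mydomain.com    permit_mynetworks
```

After `postmap /etc/postfix/relay_recipients` and `postfix reload`, the expected outcomes are: from 192.168.0.105, RCPT TO an address in mydomain.com is accepted and anything else gets "554 5.7.1 Relay access denied"; from any other LAN host, RCPT TO an address in mydomain.com is also rejected with the same 554. Mail submitted on the host itself with sendmail(1) enters through pickup, not smtpd, so these restrictions do not apply to it; if that path should be restricted as well, it needs its own handling.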