On Fri, Dec 23, 2022 at 01:14:26PM -0800, Jim Garrison <j...@jhmg.net> wrote:
> I have Postfix running inside a private LAN as an outgoing relay via
> GMail (no incoming Internet connections). I have two goals
>
> 1. Relay only to one specific domain
> 2. Accept relay from only one specific LAN client
>
> So I configured the following (complete postconf -n appended below):
>
> myhostname = host.internal.lan
> mynetworks = 192.168.0.105
> 127.0.0.0/8
> [::ffff:127.0.0.0]/104
> [::1]/128
> relay_domains = mydomain.com
> relayhost = [smtp.gmail.com]:587
> smtpd_relay_restrictions = permit_mynetworks
> reject_unauth_destination
>
> This works for the first objective, and blocks relaying to any address
> not in mydomain.com.
>
> Dec 23 12:21:16 janus postfix/smtpd[9974]: connect from
> unknown[192.168.0.175]
> Dec 23 12:22:10 janus postfix/smtpd[9974]: NOQUEUE: reject: RCPT from
> unknown[192.168.0.175]: 554 5.7.1 <m...@me.com>: Relay access denied;
> from=<u...@host175.internal.lan> to=<m...@me.com> proto=SMTP
> helo=<host175.internal.lan>
>
>
> I was also expecting the $mynetworks setting to allow relaying from
> only that one specific host (.105) (as well as the local system) while
> blocking relaying from any other LAN host.
>
> What I actually see is that any host on the LAN is allowed to relay (I
> tested from 192.168.0.175). Here are the log entries:
>
> Dec 23 12:24:01 janus postfix/smtpd[9974]: CC31BC0281:
> client=unknown[192.168.0.175]
> Dec 23 12:24:17 janus postfix/cleanup[9984]: CC31BC0281: message-id=<>
> Dec 23 12:24:17 janus postfix/qmgr[9910]: CC31BC0281:
> from=<u...@host175.internal.lan>, size=225, nrcpt=1 (queue active)
> Dec 23 12:24:18 janus postfix/relay/smtp[9992]: CC31BC0281:
> to=<recipi...@mydomain.com>, relay=smtp.gmail.com[142.251.116.109]:587,
> delay=22, delays=21/0.03/0.69/0.53, dsn=2.0.0, status=sent (250 2.0.0 OK
> 1671827058 l14-20020a056870f14e00b0014b8347e1e3sm1987913oac.12 - gsmtp)
> Dec 23 12:24:18 janus postfix/qmgr[9910]: CC31BC0281: removed
>
>
> I've studied the excellent documentation thoroughly, and even found
> several how-to's on the web saying this is the way to restrict relaying
> to a specific client.
>
> What have I missed?
>
> postconf -n output (slightly redacted):
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> compatibility_level = 2
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> inet_protocols = ipv4
Not relevant to your problem, but the above says that
only ipv4 is used but your config includes ipv6
addresses. You might want to delete it (and default to
"all"), or remove the ipv6 addresses from your config.
> mailbox_size_limit = 0
> mydestination = $myhostname, host, localhost.internal.lan, localhost
> myhostname = host.internal.lan
> mynetworks = 192.168.0.105 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = $myhostname
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relay_domains = mydomain.com
> relayhost = [smtp.gmail.com]:587
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
You probably don't need smtp_tls_CAfile (but I could be wrong).
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
This is the problem. You need to add "reject" to the
end of smtpd_relay_restrictions. Without it, it
implicitly ends with "permit".
In http://www.postfix.org/SMTPD_ACCESS_README.html),
it says:
Each restriction list is evaluated from left to right
until some restriction produces a result of PERMIT,
REJECT or DEFER (try again later). The end of each
list is equivalent to a PERMIT result.
I recommend always having "permit" or "reject" at the
end of all smtpd_*_restrictions parameters. Even if
it's just to make the implicit "permit" explicit and
visible.
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_database isn't needed (since Postfix 2.11)
> smtpd_use_tls = yes
It's not important, but smtpd_use_tls (and smtp_use_tls)
are obsolete and could be replaced with:
smtpd_tls_security_level = may
smtp_tls_security_level = may
cheers,
raf
