Re: relaying from localhost

2009-06-07 Thread mouss
Mike Robinson wrote:
> Hi Magnus,
> 
> Thanks for replying. 
> 
>> If that is the case, why isn't mydestination empty? You have emptied
>> local_recipient_maps, but this means that all addresses are accepted
>> (and then possibly bounced, which is bad).
>>
> 
> Because I was getting messages in the logs like this, and 
> /var/spool/clientmqueue/ was filling up, even though I have an alias to a 
> real 
> email address set up for emails to root:
> 
> to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, 
> pri=30372, relay=[127.0.0.1] [127.0.0.1], dsn=4.1.1, stat=Deferred: 450 4.1.1 
> : Recipient address rejected: undeliverable address: mail 
> for server.domain loops back to myself
> 

maybe because you forgot to put that domain under relay_domains.

>> Just make sure 127.0.0.1/32 (or 127.0.0.0/8) is listed in mynetworks.
> 
> I had tried that, and it doesn't work. If there is no server defined in 
> /etc/postfix/transport for the recipient's domain, it won't relay:
> 
> Jun  7 06:35:04 servername postgrey[2392]: action=pass, reason=client AWL, 
> client_name=localhost.localdomain, client_address=127.0.0.1, 
> sender=ad...@server.domain, recipient=exter...@email.address 
> Jun  7 06:35:04 servername postfix/smtp[28011]: 1F9033BE46: 
> to=, relay=external.relay.server[xxx.xxx.xxx.xxx]:25, 
> delay=0.3, delays=0.01/0.01/0.16/0.12, dsn=2.0.0, status=deliverable (250 
>  ok)
> Jun  7 06:35:07 spam1 postfix/smtpd[28007]: NOQUEUE: reject: RCPT from 
> localhost.localdomain[127.0.0.1]: 554 5.7.1 : Relay 
> access denied; from= to= 
> proto=ESMTP helo=
> 
> Here's postconf -n:
> 
> [snip]
> relay_domains = $transport_maps

oh no. do not "reuse" maps.

> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_client_restrictions = check_client_access 
> hash:/etc/postfix/client_access, reject_rbl_client bl.spamcop.net, 
> reject_rbl_client dnsbl.njabl.org, reject_rbl_client cbl.abuseat.org
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, 
> reject_invalid_hostname
> smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:6, 
> reject_non_fqdn_recipient, reject_unverified_recipient, 
> reject_unknown_recipient_domain, reject_unauth_destination

you don't have permit_mynetworks here. and btw, the order of your checks
is dubious.

smtpd_recipient_restrictions =
  reject_non_fqdn_recipient
  reject_unknown_recipient_domain
  permit_mynetworks
  reject_unauth_destination
  reject_unverified_recipient
  check_policy_service inet:127.0.0.1:6



> smtpd_sender_restrictions = check_sender_access 
> hash:/etc/postfix/sender_access, reject_non_fqdn_sender, 
> reject_unknown_sender_domain
> transport_maps = hash:/etc/postfix/transport
> virtual_alias_maps = hash:/etc/postfix/virtual
> 
> 
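
A simplified model of how the two restriction orders in this message treat a localhost client, added here as an illustration (it is not code from the thread or from Postfix). It implements only the first-decisive-result-wins evaluation; the network, domain and recipient values are constructed, and checks that need external lookups are assumed to pass, as they did in the posted logs.

```python
import ipaddress

# Constructed values mirroring the thread; not taken from a real system.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
RELAY_DOMAINS = {"server.domain"}   # domains this host accepts mail for

# Order from the posted "postconf -n" output.
ORIGINAL = [
    "check_policy_service",
    "reject_non_fqdn_recipient",
    "reject_unverified_recipient",
    "reject_unknown_recipient_domain",
    "reject_unauth_destination",
]

# Order suggested in the reply.
SUGGESTED = [
    "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain",
    "permit_mynetworks",
    "reject_unauth_destination",
    "reject_unverified_recipient",
    "check_policy_service",
]


def _in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def apply_restriction(name, client_ip, rcpt):
    """Return 'PERMIT', 'REJECT' or 'DUNNO' for one restriction (simplified)."""
    domain = rcpt.rpartition("@")[2].lower()
    if name == "permit_mynetworks":
        return "PERMIT" if _in_mynetworks(client_ip) else "DUNNO"
    if name == "reject_unauth_destination":
        # Real Postfix also consults mydestination and the virtual domain
        # classes; this model folds them into one set.
        return "DUNNO" if domain in RELAY_DOMAINS else "REJECT"
    if name == "reject_non_fqdn_recipient":
        return "DUNNO" if "." in domain else "REJECT"
    # Policy service, recipient verification and DNS checks need external
    # lookups; assumed to pass here.
    return "DUNNO"


def evaluate(restrictions, client_ip, rcpt):
    """Walk the list in order; the first non-DUNNO result decides.

    Returns (decision, restrictions_consulted)."""
    consulted = []
    for name in restrictions:
        consulted.append(name)
        result = apply_restriction(name, client_ip, rcpt)
        if result != "DUNNO":
            return result, consulted
    return "PERMIT", consulted   # nothing objected: the recipient is accepted


if __name__ == "__main__":
    for label, order in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for ip in ("127.0.0.1", "192.0.2.10"):
            print(label, ip, evaluate(order, ip, "user@external.example"))
```

With the original order the localhost client passes through the policy service and the recipient probe before reject_unauth_destination refuses it, which matches the postgrey, smtp and "Relay access denied" log lines quoted above.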



Re: relaying from localhost

2009-06-07 Thread Mike Robinson


On Sunday 07 June 2009 09:14:24 mouss wrote:

>
> maybe be because you forgot to put that domain under relay_domains.
>

Ah, right, yes. Thanks!

>
> you don't have permit_mynetworks here. and btw, the order of your checks
> is dubious.
>
> smtpd_recipient_restrictions =
>   reject_non_fqdn_recipient
>   reject_unknown_recipient_domain
>   permit_mynetworks
>   reject_unauth_destination
>   reject_unverified_recipient
>   check_policy_service inet:127.0.0.1:6
>

Dubious indeed. 

Thanks to you and Magnus for your help. It's working now. I'd be interested in 
knowing what's wrong with reusing the transport maps in the way that I have?

Thanks again.




Re: relaying from localhost

2009-06-07 Thread Magnus Bäck
On Sunday, June 07, 2009 at 10:28 CEST,
 Mike Robinson  wrote:

[...]

> I'd be interested in knowing what's wrong with reusing the transport
> maps in the way that I have?

What would happen if you'd add some other domain to your transport
table? Say, hotmail.com in order to resolve a delivery problem with
that particular domain?

-- 
Magnus Bäck
mag...@dsek.lth.se
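
The question above, worked through as an added example (not code from the thread): with relay_domains = $transport_maps, every domain key in the transport table is also a domain the server relays for. The table contents, host names and the set of intended domains are constructed, and keys that are not plain domain names are skipped in this model.

```python
# Constructed transport table in the format of /etc/postfix/transport.
TRANSPORT_TABLE = """\
# domain this gateway accepts and forwards inward
server.domain             smtp:[inside.server.domain]
# added later only to route around a delivery problem
hotmail.com               smtp:[external.relay.server]
postmaster@other.example  smtp:[inside.server.domain]
"""

# Domains the administrator actually means to relay for (assumption).
INTENDED_RELAY_DOMAINS = {"server.domain"}


def transport_keys(text):
    """Return the lookup keys (first column) of a transport table."""
    keys = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace():
            continue                      # continuation of the previous entry
        keys.append(line.split(None, 1)[0].lower())
    return keys


def domain_keys(text):
    """Keys that name a domain; address, wildcard and .domain keys are
    skipped in this simplified model."""
    return {
        key for key in transport_keys(text)
        if "@" not in key and key != "*" and not key.startswith(".")
    }


def accepted_as_relay(rcpt_domain, relay_domains):
    """True if the domain or one of its parents is listed, modelling the
    default parent-domain matching applied to relay_domains."""
    labels = rcpt_domain.lower().split(".")
    return any(".".join(labels[i:]) in relay_domains
               for i in range(len(labels)))


def unintended_relay_domains(text, intended):
    """Domains that reusing the transport table as relay_domains would
    authorize for relaying although nobody meant to relay for them."""
    return sorted(d for d in domain_keys(text)
                  if not accepted_as_relay(d, intended))


if __name__ == "__main__":
    reused = domain_keys(TRANSPORT_TABLE)
    print("relay_domains when reusing transport_maps:", sorted(reused))
    print("unintended:", unintended_relay_domains(TRANSPORT_TABLE,
                                                  INTENDED_RELAY_DOMAINS))
```

Keeping relay_domains as its own list means a routing entry added to the transport table changes where mail goes without changing whom the server accepts mail for.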


Relay inbound mail to another server

2009-06-07 Thread Ulrich Mierendorff

Hi,

My email is handled by two servers A and B with different IPs.
If someone sends an email to my domain "example.com", it will be 
received by server A and then stored on that server.
If I send an email to someone else from {userna...@example.com, I will 
connect to server B that will then send this email.


On server B a postfix instance is running that handles the mail.

Everything I have described is working correctly, but I have a problem: 
If I want to send an email from {userna...@{example.com|localhost} to 
{userna...@{example.com|localhost}, it has to be relayed to server A, 
because this is my "inbox-server".
So the question is, how can I configure postfix on my server B so that 
it relays all inbound mail (mail sent to example.com/localhost) to server A?


Is this possible?

Kind regards,
Ulrich


Re: Relay inbound mail to another server

2009-06-07 Thread Magnus Bäck
On Sunday, June 07, 2009 at 16:12 CEST,
 Ulrich Mierendorff  wrote:

> My email is handled by two servers A and B with different IPs.
> If someone sends an email to my domain "example.com", it will be
> received by server A and then stored on that server.
> If I send an email to someone else from {userna...@example.com,
> I will connect to server B that will then send this email.
> 
> On server B a postfix instance is running that handles the mail.
> 
> Everything I have described is working correctly, but I have a problem:
> If I want to send an email from {userna...@{example.com|localhost} to
> {userna...@{example.com|localhost}, it has to be relayed to server A,
> because this is my "inbox-server".
> So the question is, how can I configure postfix on my server B so
> that it relays all inbound mail (mail sent to example.com/localhost)
> to server A?

Unless you have a funky internal DNS setup (like a NATed internal
network where server B cannot connect to server A via the latter's
external address) or a poor configuration on server B you don't have
to do anything. Server B will, just like all other computers in the
world that don't think they're the final destination for example.com,
make an MX lookup in DNS for example.com and then contact server A.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Relay inbound mail to another server

2009-06-07 Thread mouss
Ulrich Mierendorff wrote:
> Hi,
> 
> My email is handled by two servers A and B with different IPs.
> If someone sends an email to my domain "example.com", it will be
> received by server A and then stored on that server.
> If I send an email to someone else from {userna...@example.com, I will
> connect to server B that will then send this email.
> 
> On server B a postfix instance is running that handles the mail.
> 
> Everything I have described is working correctly, but I have a problem:
> If I want to send an email from {userna...@{example.com|localhost} to
> {userna...@{example.com|localhost}, it has to be relayed to server A,
> because this is my "inbox-server".
> So the question is, how can I configure postfix on my server B so that
> it relays all inbound mail (mail sent to example.com/localhost) to
> server A?
> 
> Is this possible?
> 

if you don't configure B to deliver mail for example.com, then it should
lookup DNS and pass the mail to A.

if at loss, you can still use transport_maps:

example.com     relay:[serverA]
.example.com    relay:[serverA]
localhost       relay:[serverA]





Re: Relay inbound mail to another server

2009-06-07 Thread Ulrich Mierendorff

mouss wrote:
> Ulrich Mierendorff wrote:
>> Hi,
>>
>> My email is handled by two servers A and B with different IPs.
>> If someone sends an email to my domain "example.com", it will be
>> received by server A and then stored on that server.
>> If I send an email to someone else from {userna...@example.com, I will
>> connect to server B that will then send this email.
>>
>> On server B a postfix instance is running that handles the mail.
>>
>> Everything I have described is working correctly, but I have a problem:
>> If I want to send an email from {userna...@{example.com|localhost} to
>> {userna...@{example.com|localhost}, it has to be relayed to server A,
>> because this is my "inbox-server".
>> So the question is, how can I configure postfix on my server B so that
>> it relays all inbound mail (mail sent to example.com/localhost) to
>> server A?
>>
>> Is this possible?
>
> if you don't configure B to deliver mail for example.com, then it should
> lookup DNS and pass the mail to A.
>
> if at loss, you can still use transport_maps:
>
> example.com     relay:[serverA]
> .example.com    relay:[serverA]
> localhost       relay:[serverA]
  

But how can I configure that?

My current configuration looks like this one:
...
myhostname = example.com
myorigin = /etc/mailname
mydomain = example.com
mydestination = $mydomain, localhost
relayhost =
relay_domains = $mydestination
mynetworks = 127.0.0.0/8
inet_interfaces = all
inet_protocols = ipv4
...

Kind regards,
Ulrich



Re: Relay inbound mail to another server

2009-06-07 Thread Magnus Bäck
On Sunday, June 07, 2009 at 17:02 CEST,
 Ulrich Mierendorff  wrote:

> mouss wrote:
>
> > if you don't configure B to deliver mail for example.com, then it
> > should lookup DNS and pass the mail to A.
> >
> > if at loss, you can still use transport_maps:
> >
> > example.com     relay:[serverA]
> > .example.com    relay:[serverA]
> > localhost       relay:[serverA]
>
> But how can I configure that?

You mean transport_maps? See below for a complete example. But again,
if the server B configuration as well as your network setup is sane you
shouldn't have to do anything.

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
(Ignore everything except transport_maps.)

> My current configuration looks like this one:
> ...
> myhostname = example.com
> myorigin = /etc/mailname
> mydomain = example.com
> mydestination = $mydomain, localhost

Is this server B? If so, why does it think it's the final destination
for example.com when that's server A's assignment?

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Relay inbound mail to another server

2009-06-07 Thread Ulrich Mierendorff

Magnus Bäck wrote:
> On Sunday, June 07, 2009 at 17:02 CEST,
>  Ulrich Mierendorff  wrote:
>
>> My current configuration looks like this one:
>> ...
>> myhostname = example.com
>> myorigin = /etc/mailname
>> mydomain = example.com
>> mydestination = $mydomain, localhost
>
> Is this server B? If so, why does it think it's the final destination
> for example.com when that's server A's assignment

Yes it's server B.. So should I write
mydestination =
?
The log file then says something like

Jun  7 1:2:3 example postfix/smtp[123]: 456: to=, 
relay=mx0.example.com[ipA]:25, [...], status=bounced (host 
mx0.example.com[ipA] refused to talk to me: 550 Forged HELO: you are not 
example.com)


I think this is not a problem of server B's postfix configuration, or am 
I wrong? By the way: I do not have access to the configuration of server A.


I have also googled a bit, but could not find an explanation for this error.

Kind regards,
Ulrich



Re: Relay inbound mail to another server

2009-06-07 Thread mouss
Ulrich Mierendorff wrote:
> Magnus Bäck wrote:
>> On Sunday, June 07, 2009 at 17:02 CEST,
>>  Ulrich Mierendorff  wrote:
>>
>>  
>>> My current configuration looks like this one:
>>> ...
>>> myhostname = example.com
>>> myorigin = /etc/mailname
>>> mydomain = example.com
>>> mydestination = $mydomain, localhost
>>> 
>>
>> Is this server B? If so, why does it think it's the final destination
>> for example.com when that's server A's assignment
> Yes it's server B.. So should I write
> mydestination =
> ?
> The log file then says something like
> 
> Jun  7 1:2:3 example postfix/smtp[123]: 456: to=,
> relay=mx0.example.com[ipA]:25, [...], status=bounced (host
> mx0.example.com[ipA] refused to talk to me: 550 Forged HELO: you are not
> example.com)
> 
> I think this is not a problem of server B's postfix configuration, or am
> I wrong? By the way: I do not have access to the configuration of server A.
> 

Then change the hostname of server B. why do you set
myhostname = example.com

try with something like

myhostname = joe.example.com

where joe.example.com resolves in DNS. Ideally it should resolve to the
public IP of server B.

> I have also googled a bit, but could not find an explanation for this
> error.
> 

server A has a check_helo_access that rejects inbound mail claiming to
be from "example.com". This is a common check. but you should get server
A to whitelist server B (to not perform such a check for server B).


Re: Relay inbound mail to another server

2009-06-07 Thread Ulrich Mierendorff

mouss wrote:
> Ulrich Mierendorff wrote:
>> Magnus Bäck wrote:
>>> On Sunday, June 07, 2009 at 17:02 CEST,
>>>  Ulrich Mierendorff  wrote:
>>>
>>>> My current configuration looks like this one:
>>>> ...
>>>> myhostname = example.com
>>>> myorigin = /etc/mailname
>>>> mydomain = example.com
>>>> mydestination = $mydomain, localhost
>>>
>>> Is this server B? If so, why does it think it's the final destination
>>> for example.com when that's server A's assignment
>>
>> Yes it's server B.. So should I write
>> mydestination =
>> ?
>> The log file then says something like
>>
>> Jun  7 1:2:3 example postfix/smtp[123]: 456: to=,
>> relay=mx0.example.com[ipA]:25, [...], status=bounced (host
>> mx0.example.com[ipA] refused to talk to me: 550 Forged HELO: you are not
>> example.com)
>>
>> I think this is not a problem of server B's postfix configuration, or am
>> I wrong? By the way: I do not have access to the configuration of
>> server A.
>
> Then change the hostname of server B. why do you set
> myhostname = example.com
>
> try with something like
>
> myhostname = joe.example.com
>
> where joe.example.com resolves in DNS. Ideally it should resolve to the
> public IP of server B.

Well, example.com is the domain for serverB.
DNS configuration is like this
example.com
A-record -> IP of server B
MX-record -> IP of server A

Reverse DNS for IP of server B -> example.com

(IPs are public IPs)

I do not see, how joe.example.com could solve the problem.

>> I have also googled a bit, but could not find an explanation for this
>> error.
>
> server A has a check_helo_access that rejects inbound mail claiming to
> be from "example.com". This is a common check. but you should get server
> A to whitelist server B (to not perform such a check for server B).
  

I think that will not be possible.



Re: Relay inbound mail to another server

2009-06-07 Thread Magnus Bäck
On Sunday, June 07, 2009 at 21:46 CEST,
 Ulrich Mierendorff  wrote:

> mouss wrote:
>
> > Then change the hostname of server B. why do you set
> > myhostname = example.com
> >
> > try with something like
> >
> > myhostname = joe.example.com
> >
> > where joe.example.com resolves in DNS. Ideally it should resolve to
> > the public IP of server B.
>
> Well, example.com is the domain for serverB.
> DNS configuration is like this
> example.com
> A-record -> IP of server B
> MX-record -> IP of server A
> 
> Reverse DNS for IP of server B -> example.com

I wouldn't recommend having hostname == domain name, but we can work
around that.

> (IPs are public IPs)
> 
> I do not see, how joe.example.com could solve the problem.

Because the HELO restriction on server A probably wouldn't trigger (that
depends on some configuration details on server A). The point of that
restriction is to make sure hosts from the outside don't say "HELO
example.com", but that restriction must of course not be applied to
inside hosts.

> > server A has a check_helo_access that rejects inbound mail claiming
> > to be from "example.com". This is a common check. but you should get
> > server A to whitelist server B (to not perform such a check for
> > server B).
>
> I think that will not be possible.

Come on, work with us here. If you're saying "that's impossible" the
least you can do is give us a good reason for it.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Relay inbound mail to another server

2009-06-07 Thread Ulrich Mierendorff

Magnus Bäck wrote:
> On Sunday, June 07, 2009 at 21:46 CEST,
>  Ulrich Mierendorff  wrote:
>
>> mouss wrote:
>>
>>> Then change the hostname of server B. why do you set
>>> myhostname = example.com
>>>
>>> try with something like
>>>
>>> myhostname = joe.example.com
>>>
>>> where joe.example.com resolves in DNS. Ideally it should resolve to
>>> the public IP of server B.
>>
>> Well, example.com is the domain for serverB.
>> DNS configuration is like this
>> example.com
>> A-record -> IP of server B
>> MX-record -> IP of server A
>>
>> Reverse DNS for IP of server B -> example.com
>
> I wouldn't recommend having hostname == domain name, but we can work
> around that.
>
>> (IPs are public IPs)
>>
>> I do not see, how joe.example.com could solve the problem.
>
> Because the HELO restriction on server A probably wouldn't trigger (that
> depends on some configuration details on server A). The point of that
> restriction is to make sure hosts from the outside don't say "HELO
> example.com", but that restriction must of course not be applied to
> inside hosts.

Hmm, ok, that's interesting. I will try to use another hostname and
report if this works. Maybe it helps.

>>> server A has a check_helo_access that rejects inbound mail claiming
>>> to be from "example.com". This is a common check. but you should get
>>> server A to whitelist server B (to not perform such a check for
>>> server B).
>>
>> I think that will not be possible.
>
> Come on, work with us here. If you're saying "that's impossible" the
> least you can do is give us a good reason for it.
  

Sorry, I should have told you, that I do not administrate the server A.

Kind regards,
Ulrich


Re: Relay inbound mail to another server

2009-06-07 Thread mouss
Ulrich Mierendorff wrote:
> mouss wrote:
>> Ulrich Mierendorff wrote:
>>
>>> Magnus Bäck wrote:
>>>
>>>> On Sunday, June 07, 2009 at 17:02 CEST,
>>>>  Ulrich Mierendorff  wrote:
>>>>
>>>>> My current configuration looks like this one:
>>>>> ...
>>>>> myhostname = example.com
>>>>> myorigin = /etc/mailname
>>>>> mydomain = example.com
>>>>> mydestination = $mydomain, localhost
>>>>
>>>> Is this server B? If so, why does it think it's the final destination
>>>> for example.com when that's server A's assignment
>>>>
>>> Yes it's server B.. So should I write
>>> mydestination =
>>> ?
>>> The log file then says something like
>>>
>>> Jun  7 1:2:3 example postfix/smtp[123]: 456: to=,
>>> relay=mx0.example.com[ipA]:25, [...], status=bounced (host
>>> mx0.example.com[ipA] refused to talk to me: 550 Forged HELO: you are not
>>> example.com)
>>>
>>> I think this is not a problem of server B's postfix configuration, or am
>>> I wrong? By the way: I do not have access to the configuration of
>>> server A.
>>>
>>> 
>>
>> Then change the hostname of server B. why do you set
>> myhostname = example.com
>>
>> try with something like
>>
>> myhostname = joe.example.com
>>
>> where joe.example.com resolves in DNS. Ideally it should resolve to the
>> public IP of server B.
>>   
> Well, example.com is the domain for serverB.
> DNS configuration is like this
> example.com
> A-record -> IP of server B
> MX-record -> IP of server A
> 
> Reverse DNS for IP of server B -> example.com

we don't really care for the reverse dns here. we are about getting a
hostname that is accepted. There is no requirement that such a hostname
be the reverse dns of any IP at all.


> 
> (IPs are public IPs)
> 
> I do not see, how joe.example.com could solve the problem.

it will solve the problem because server A will not reject the mail.
but if joe.example.com does not resolve in DNS, then other servers may
reject your mail.

so use a name that resolves (ideally to the IP of server B). if server B
has other names, use one of these (but try to avoid www.example.com,
web.example.com, ... etc). otherwise, you'll need to add a name to DNS.


PS. if you prefer, you can change the helo without changing the
hostname, you can use:

smtp_helo_hostname = joe.example.com

but you'd better change myhostname as well. As Magnus said, it is not
a very good idea to set this to a "domain name". besides the fact that
you need more care to get it working correctly, any spam
incidents/accidents may get you blocklisted (many snowshoe spammers love
such names...)


>>  
>>> I have also googled a bit, but could not find an explanation for this
>>> error.
>>>
>>> 
>>
>> server A has a check_helo_access that rejects inbound mail claiming to
>> be from "example.com". This is a common check. but you should get server
>> A to whitelist server B (to not perform such a check for server B).
>>   
> I think that will not be possible.
> 

That would however be the right way: server A is misconfigured since it
rejects mail from server B, claiming that server B is not "example.com",
but DNS shows that server B is.

otherwise, change your helo as suggested. if you don't, there is nothing
we can do for you, except recommending that you find an external relay...



Re: Relay inbound mail to another server

2009-06-07 Thread Ulrich Mierendorff

mouss wrote:
> Ulrich Mierendorff wrote:
>> mouss wrote:
>>> Ulrich Mierendorff wrote:
>>>> Magnus Bäck wrote:
>>>>> On Sunday, June 07, 2009 at 17:02 CEST,
>>>>>  Ulrich Mierendorff  wrote:
>>>>>
>>>>>> My current configuration looks like this one:
>>>>>> ...
>>>>>> myhostname = example.com
>>>>>> myorigin = /etc/mailname
>>>>>> mydomain = example.com
>>>>>> mydestination = $mydomain, localhost
>>>>>
>>>>> Is this server B? If so, why does it think it's the final destination
>>>>> for example.com when that's server A's assignment
>>>>
>>>> Yes it's server B.. So should I write
>>>> mydestination =
>>>> ?
>>>> The log file then says something like
>>>>
>>>> Jun  7 1:2:3 example postfix/smtp[123]: 456: to=,
>>>> relay=mx0.example.com[ipA]:25, [...], status=bounced (host
>>>> mx0.example.com[ipA] refused to talk to me: 550 Forged HELO: you are not
>>>> example.com)
>>>>
>>>> I think this is not a problem of server B's postfix configuration, or am
>>>> I wrong? By the way: I do not have access to the configuration of
>>>> server A.
>>>
>>> Then change the hostname of server B. why do you set
>>> myhostname = example.com
>>>
>>> try with something like
>>>
>>> myhostname = joe.example.com
>>>
>>> where joe.example.com resolves in DNS. Ideally it should resolve to the
>>> public IP of server B.
>>
>> Well, example.com is the domain for serverB.
>> DNS configuration is like this
>> example.com
>> A-record -> IP of server B
>> MX-record -> IP of server A
>>
>> Reverse DNS for IP of server B -> example.com
>
> we don't really care for the reverse dns here. we are about getting a
> hostname that is accepted. There is no requirement that such a hostname
> be the reverse dns of any IP at all.
>
>> (IPs are public IPs)
>>
>> I do not see, how joe.example.com could solve the problem.
>
> it will solve the problem because server A will not reject the mail.
> but if joe.example.com does not resolve in DNS, then other servers may
> reject your mail.
>
> so use a name that resolves (ideally to the IP of server B). if server B
> has other names, use one of these (but try to avoid www.example.com,
> web.example.com, ... etc). otherwise, you'll need to add a name to DNS.
  
Ok, I am now using ex1.example.com as myhostname and it works perfectly. 
Mouss, Magnus, thank you so much!

But I do not understand one thing: Do I also have to add ex1 to DNS?

Kind regards,
Ulrich



Illegal mix of collations error

2009-06-07 Thread Simon
Hi There,

We have postfix storing its transport and alias data in mysql, but we are
getting this error (which has just appeared out of knowwhere - yes well, OK,
not knowwhere, but we don't know where!)

# cat /etc/postfix/mysql-transport.cf
user = mail-in1
password = **
dbname = postfix
table = transport
hosts = 210.48.XX.XXX
select_field = transport
where_field = domain

Here is the error:

Jun  8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: warning: mysql
query failed: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and
(utf8_general_ci,COERCIBLE) for operation '='
Jun  8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: fatal:
mysql:/etc/postfix/mysql-transport.cf(0,lock|fold_fix): table lookup problem

I have googled and have not really found a solution to this issue... can
anyone assist please?

Thanks

Simon


Re: Illegal mix of collations error

2009-06-07 Thread Darren Pilgrim

Simon wrote:
> Jun  8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: warning: mysql
> query failed: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and
> (utf8_general_ci,COERCIBLE) for operation '='
> Jun  8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: fatal:
> mysql:/etc/postfix/mysql-transport.cf(0,lock|fold_fix): table lookup problem
>
> I have googled and have not really found a solution to this issue... can
> anyone assist please?


This is usually due to comparing a string literal to a function return 
or a table with collation set to something other than latin1_swedish_ci 
(what it should be for email addresses).  Email addresses are always 
latin1 case-insensitive.  This URL will give you some useful hints:


http://www.google.com/search?q=Illegal+mix+of+collations+site%3Amysql.com

Short answer: change the collation on your table or force collation on 
your string literal(s).


Re: Relay inbound mail to another server

2009-06-07 Thread mouss
Ulrich Mierendorff wrote:
> [snip]
> Ok, I am now using ex1.example.com as myhostname and it works perfectly.
> Mouss, Magnus, thank you so much!
> But I do not understand one thing: Do I also have to add ex1 to DNS?
> 

yes. and make it resolve to the (public) IP of server B.

Otherwise, your mail may be blocked (even if most sites won't today,
they may do in the future).
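
The two conditions this sub-thread arrives at for server B's HELO name, written as a small check and added here as an illustration (not code from the thread): the name should not be the bare mail domain, and it should resolve to server B's public IP. The function names, finding labels, IP addresses and the dictionary standing in for DNS are all constructed.

```python
import re

# Constructed main.cf fragments modelled on the ones posted in the thread.
MAIN_CF_BEFORE = """\
myhostname = example.com
mydomain = example.com
mydestination = $mydomain, localhost
"""
MAIN_CF_AFTER = """\
myhostname = ex1.example.com
mydomain = example.com
mydestination =
"""

SERVER_B_IP = "192.0.2.20"                      # constructed (documentation range)
DNS_TODAY = {"example.com": [SERVER_B_IP]}      # stands in for A-record lookups
DNS_WITH_EX1 = {"example.com": [SERVER_B_IP], "ex1.example.com": [SERVER_B_IP]}


def parse_main_cf(text):
    """Parse simple 'name = value' lines; enough for the fragments above."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def effective_helo(params):
    """Name sent in HELO/EHLO: smtp_helo_hostname, which defaults to
    $myhostname when it is not set."""
    value = params.get("smtp_helo_hostname", "$myhostname")
    return value.replace("$myhostname", params.get("myhostname", ""))


def audit_helo(main_cf, mail_domain, a_records, server_ip):
    """Return (helo_name, findings) for the outbound HELO identity."""
    helo = effective_helo(parse_main_cf(main_cf)).lower().rstrip(".")
    findings = []
    if helo == mail_domain.lower():
        # What server A answered with "550 Forged HELO" in the thread.
        findings.append("helo-equals-mail-domain")
    addrs = a_records.get(helo, [])
    if not addrs:
        findings.append("helo-does-not-resolve")
    elif server_ip not in addrs:
        findings.append("helo-resolves-elsewhere")
    return helo, findings


if __name__ == "__main__":
    print(audit_helo(MAIN_CF_BEFORE, "example.com", DNS_TODAY, SERVER_B_IP))
    print(audit_helo(MAIN_CF_AFTER, "example.com", DNS_TODAY, SERVER_B_IP))
    print(audit_helo(MAIN_CF_AFTER, "example.com", DNS_WITH_EX1, SERVER_B_IP))
```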


Re: smtpd_client_restrictions: "permit_mynetworks" additionally necessary!?

2009-06-07 Thread meyer-jordan
Hi Noel!

> Your error report is inconsistent with how postfix works, 
> which usually means the actual configuration isn't what you 
> think it is.
> 
> Please post "postconf -n" output, master.cf contents, and log 
> entries from the non-working system.  It's best if you post 
> unaltered entries, if you must alter entries, do so coherently.

Thank you for your answer!

You are right with your demands, of course!

Nevertheless it seems to be too costly to analyze a complete configuration for 
this limited problem, I think. - I would be happy about a hint where I should 
have to look for - please don't bother for 
a complete solution.


So I'll try to explain more easy:

official-IP --- postfix-server --- internal-IP (internal subnet) --- router --- other-internal-IP (other internal subnet)
                                        |___ client with trouble                    | client without trouble

I want to send mail via submission port with SMTP Auth (with SASL backend) only.

I've to add "permit_mynetworks" into master.cf at submission entry or to remove 
my internal private subnet (192.168.1.0/24) from $mynetworks in main.cf to 
avoid "554 5.7.1 : 
Client host rejected: Access denied; from= [...]" while sending attempts from 
internal subnet clients.

Sending from external clients and further internal subnets (which aren't 
directly connected to the internal NIC and not in $mynetworks) runs without 
problems.


Postfix 2.3.8
With this submission smtpd_client_restrictions entry I'm not able to send mails 
to postfix from internal subnet clients (subnet which is directly connected to 
the internal postfix server NIC) - with 
Postfix 2.0.18 it worked:

master.cf
[...]
submission inet n - - - - smtpd
  [...]
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  [...]
-


Thanks,
   Hasso



Re: smtpd_client_restrictions: "permit_mynetworks" additionally necessary!?

2009-06-07 Thread Noel Jones

meyer-jor...@t-online.de wrote:
> Hi Noel!
>
>> Your error report is inconsistent with how postfix works,
>> which usually means the actual configuration isn't what you
>> think it is.
>>
>> Please post "postconf -n" output, master.cf contents, and log
>> entries from the non-working system.  It's best if you post
>> unaltered entries, if you must alter entries, do so coherently.
>
> Thank you for your answer!
>
> You are right with your demands, of course!
>
> Nevertheless it seems to be too costly to analyze a complete configuration for
> this limited problem, I think. - I would be happy about a hint where I should
> have to look for - please don't bother for
> a complete solution.
>
> So I'll try to explain more easy:
>
> official-IP --- postfix-server --- internal-IP (internal subnet) --- router --- other-internal-IP (other internal subnet)
>                                         |___ client with trouble                    | client without trouble
>
> I want to send mail via submission port with SMTP Auth (with SASL backend) only.
>
> I've to add "permit_mynetworks" into master.cf at submission entry or to remove
> my internal private subnet (192.168.1.0/24) from $mynetworks in main.cf to
> avoid "554 5.7.1 :
> Client host rejected: Access denied; from= [...]" while sending attempts from
> internal subnet clients.

Your problem report is inconsistent with how postfix works.
Postfix works as documented.  Differences from prior versions 
are carefully listed in the RELEASE_NOTES.

Likely your error can be spotted quickly if you post the 
requested information.

Postfix is documented here:
http://www.postfix.org/documentation.html

Without proper evidence, we're reduced to guessing.  My best 
guess based on the information provided is that either the 
reported configuration doesn't match the actual configuration, 
or the reported behavior doesn't match the actual behavior.

Here's a wild guess.  Don't change the default setting of
smtpd_delay_reject = yes

Any further help will require evidence of postfix's 
configuration and behavior as requested.

  -- Noel Jones

> Sending from external clients and further internal subnets (which aren't
> directly connected to the internal NIC and not in $mynetworks) runs without
> problems.
>
> Postfix 2.3.8
> With this submission smtpd_client_restrictions entry I'm not able to send mails
> to postfix from internal subnet clients (subnet which is directly connected to
> the internal postfix server NIC) - with
> Postfix 2.0.18 it worked:
>
> master.cf
> [...]
> submission inet n - - - - smtpd
>   [...]
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   [...]
> -
>
> Thanks,
>    Hasso