I want to achieve the following with Postfix:
- Run all emails through a black list
- Allow any clients sending to a list of domains
- Allow some clients sending to any domain
This is what I have: (postfix is on 10.0.8.0 and some of the senders are 10.0.8.0 and 10.0.9.0)
mynetworks_style = subnet
smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access-bl.query, check_client_access hash:/etc/postfix/trusted_clients, check_recipient_access hash:/etc/postfix/local_domains, reject_unauth_destination, permit
So, right now the black list works. File /etc/postfix/trusted_clients contains who can send anywhere (3), file /etc/postfix/local_domains contains where you can send (2).
Those two are fine, they return properly.
My problem is getting all three working together. Not sure if it's an ordering issue.
Currently sending a test from 10.0.9.17 and I get Relay access denied. If I add:
mynetworks = 10.0.8.0/24 10.0.9.0/24
then anyone can send anywhere, so #2 is not working.
Postfix version is 2.10 on Ubuntu 14.04.
Any ideas?
Output of postconf | grep restrictions:
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access-bl.query, check_client_access hash:/etc/postfix/trusted_clients, check_recipient_access hash:/etc/postfix/local_domains, reject_unauth_destination, permit_mynetworks
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sender_restrictions =
Best Answer
In Postfix 2.10, a new parameter, smtpd_relay_restrictions, was introduced. This restriction will be evaluated BEFORE smtpd_recipient_restrictions.
Snippet from official documentation
Therefore, any client outside mynetworks will get Relay Access Denied because of this rule: defer_unauth_destination.
One solution is to move your restrictions (2) and (3) into smtpd_relay_restrictions.
Note:
smtpd_relay_restrictions or smtpd_recipient_restrictions. No need to repeat it in both places.
smtpd_relay_restrictions is intended as the place where you put relay rules, while smtpd_recipient_restrictions is a placeholder for spam blacklisting (for example reject_non_fqdn_sender).
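An added example, not part of the original answer or of the Postfix documentation: one way to lay out the suggested split in main.cf, using the map paths from the question. The table entries shown (10.0.9.17 as a trusted client, example.com as an allowed domain) are constructed, and dropping permit_mynetworks is an assumption based on requirement (3).

```conf
# /etc/postfix/main.cf
#
# Before (from the question): the relay rules sat in
# smtpd_recipient_restrictions, while smtpd_relay_restrictions kept
#   permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
# That list runs first, so a client outside mynetworks was stopped by
# defer_unauth_destination before the recipient list was consulted.

# After: relay policy, evaluated first at RCPT TO.
#   (3) clients listed in trusted_clients may send to any domain
#   (2) any client may send to the domains listed in local_domains
#   everything else is refused by reject_unauth_destination
# permit_mynetworks is left out on the assumption that only the hosts in
# trusted_clients, not the whole subnet, may send to any domain.
smtpd_relay_restrictions =
    check_client_access hash:/etc/postfix/trusted_clients,
    check_recipient_access hash:/etc/postfix/local_domains,
    reject_unauth_destination

# (1) Blacklist, evaluated after the relay policy. An OK in the relay list
# only ends that list, so mail from trusted clients still goes through
# this lookup. Assumes the query returns REJECT for blacklisted recipients.
smtpd_recipient_restrictions =
    check_recipient_access sqlite:/etc/postfix/access-bl.query

# /etc/postfix/trusted_clients   (constructed entry)
#   10.0.9.17       OK
#
# /etc/postfix/local_domains     (constructed entry)
#   example.com     OK
#
# Rebuild each hash: table with postmap after editing, then reload Postfix.
```

After reloading, the `postconf | grep restrictions` check from the question should show the relay rules under smtpd_relay_restrictions and only the blacklist lookup under smtpd_recipient_restrictions.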