Postfix allow SASL-authenticated users to send from any IP address

Tags: postfix, sasl, smtp

I understand that I need SMTP on port 25 to receive email, but I do not want this to be a relay port.
Instead I would like port 587 to be used for registered (SASL-authenticated) users to relay email from any IP address, through my server, and to any email server (e.g. Gmail, Yahoo).

I have set up Postfix to receive email, and authenticate users, but I am utterly confused about the difference between port 25 and 587, and how to use one for receiving and one for relaying.

Here is the relevant part of my main.cf currently.

myhostname = mx.example.com
mydomain = example.com
#myorigin = $mydomain
mydestination = localhost localhost.localdomain
mynetworks_style = host

smtpd_sender_restrictions = reject_unknown_sender_domain

smtpd_relay_restrictions = permit_mynetworks, 
        permit_sasl_authenticated,
        reject_unauth_destination

smtpd_recipient_restrictions = permit_mynetworks, 
        permit_sasl_authenticated,
        # reject_unauth_destination is not needed here if the mail
        # relay policy is specified under smtpd_relay_restrictions
        # (available with Postfix 2.10 and later).
        reject_unauth_destination
        reject_rbl_client zen.spamhaus.org,
        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rhsbl_helo dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org

And master.cf.

smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch

Unfortunately I get this error when trying to send on port 587 with my mail client from a different IP address.

NOQUEUE: reject: RCPT from unknown[XXX.XXX.XXX.XXX]: 553 5.7.1 <test@example.com>: Sender address rejected: not owned by user test@example.com; from=<test@example.com> to=<test@domain.tld> proto=ESMTP helo=<[192.168.1.3]>

Best Answer

Per-port configuration is done in master.cf, not main.cf. The default Postfix configuration files already have good example settings; they just need to be uncommented. Port 587 is labelled as the submission port there (port 25 is of course smtp).

Your settings could be somewhat simplified. In main.cf, specify the default policy (for port 25) only as recipient_restrictions; nothing more than that is necessary:

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unverified_recipient
    reject_rbl_client zen.spamhaus.org
    reject_rbl_......
    permit_auth_destination
    reject

In master.cf, override it by removing the previously set restrictions and allowing unrestricted relaying for authenticated users:

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
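
The following Python check is an added example, not part of the original answer or of Postfix. It resolves each master.cf service's `-o` overrides on top of main.cf values and flags two conditions relevant to this thread: authenticated relaying without mandatory TLS or with AUTH disabled, and `reject_sender_login_mismatch` used while `smtpd_sender_login_maps` is empty (the restriction looks up address ownership in that map). The `MAIN_CF` values and the names `parse_master` and `audit` are assumptions made for illustration; the master.cf text is the one from the answer.

```python
import re

# Constructed main.cf values (assumptions; the answer shows only its restriction list).
MAIN_CF = {
    "smtpd_tls_security_level": "may",
    "smtpd_sasl_auth_enable": "no",
    "smtpd_sender_login_maps": "",
    "smtpd_sender_restrictions": "",
    "smtpd_relay_restrictions": "permit_mynetworks,reject_unauth_destination",
}
# master.cf entries copied from the answer above.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

def parse_master(text):
    """Return {service: {param: value}} holding each entry's -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a new service entry starts in column 1
            current = line.split()[0]
            services[current] = {}
        if current is not None:              # -o may sit on the entry or continuation lines
            services[current].update(re.findall(r"-o\s+(\w+)=(\S*)", line))
    return services

def audit(service, overrides, defaults=MAIN_CF):
    """Describe problems in a service's effective settings (main.cf + -o)."""
    cfg = {**defaults, **overrides.get(service, {})}
    split = lambda key: [t for t in re.split(r"[,\s]+", cfg[key]) if t]
    problems = []
    if "permit_sasl_authenticated" in split("smtpd_relay_restrictions"):
        if cfg["smtpd_sasl_auth_enable"] != "yes":
            problems.append("relay rule depends on SASL, but AUTH is disabled")
        if cfg["smtpd_tls_security_level"] != "encrypt":
            problems.append("authenticated relay without mandatory TLS")
    if ("reject_sender_login_mismatch" in split("smtpd_sender_restrictions")
            and not cfg["smtpd_sender_login_maps"]):
        problems.append("login-mismatch check with empty smtpd_sender_login_maps")
    return problems
```

On a live server, `postconf -n` and `postconf -M` print the actual main.cf settings and master.cf entries to feed into such a check.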