Postfix permit_sasl_authenticated in smtpd_client_restrictions for submission on 587


First let me explain my setup. I'm using postfix 2.9.6 on Debian Wheezy. I do not allow AUTH on port 25, and force MUAs to use a submission service on port 587 instead. Debian comes with the following configuration in master.cf (commented by default):

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

I do not understand why permit_sasl_authenticated is in smtpd_client_restrictions. To allow relay access it has to also be added to smtpd_recipient_restrictions (or smtpd_relay_restrictions, for postfix >= 2.10), either in main.cf or preferably in an additional override for the submission service in master.cf:

  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

Either way results in checking for authentication twice, and with delayed evaluation of restriction lists, both checks are done at the RCPT TO stage. Without relay access, AUTH clients could send to $mydestination, but the MTA on port 25 already allows that anyway. Without delayed evaluation, the smtpd wouldn't even have information about AUTH yet when it does the client checks.

Is there any benefit at all to having permit_sasl_authenticated in smtpd_client_restrictions, ever? What is the use case for this?

Best Answer

It's simply a clean way of overriding main.cf since usually smtpd_client_restrictions in main.cf isn't used, which is the same as saying by default it is set to smtpd_client_restrictions = permit.

You could achieve the same result by overriding smtpd_recipient_restrictions as you say in your question, in which case you wouldn't need the smtpd_client_restrictions statement. Perhaps that might have an unnoticeable performance benefit, but if there were other restrictions present in smtpd_recipient_restrictions in main.cf relevant to authenticated clients, you would also have to add them to master.cf and remember to keep them in sync with future edits.

Also, from the Debian packager's point of view, overriding smtpd_client_restrictions is a safer bet, since it's much less likely it was doing anything in main.cf compared with smtpd_recipient_restrictions.
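The evaluation discussed in the question and answer can be traced with a small model. This is an added example, not part of the original posts and not Postfix code. It assumes smtpd_delay_reject=yes, models only the client and recipient lists, and uses constructed main.cf values; the function names and session fields are hypothetical.

```python
# Simplified model of Postfix smtpd access lists (added example, not Postfix code).
# Assumes smtpd_delay_reject=yes, so every list is evaluated at RCPT TO.
MAIN_CF = {  # constructed main.cf values
    "smtpd_client_restrictions": "permit",  # stands in for the empty default
    "smtpd_recipient_restrictions":
        "permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination",
}
MASTER_CF = """\
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""
STAGES = ["smtpd_client_restrictions", "smtpd_recipient_restrictions"]

def effective(main_cf, master_entry=""):
    """Merge the -o name=value overrides of one master.cf entry over main.cf."""
    cfg = dict(main_cf)
    for line in master_entry.splitlines():
        line = line.strip()
        if line.startswith("-o "):
            name, _, value = line[3:].partition("=")
            cfg[name.strip()] = value.strip()
    return cfg

def check(name, s):
    """Return 'permit', 'reject' or None (no decision) for one restriction."""
    if name in ("permit", "reject"):
        return name
    if name == "permit_sasl_authenticated":
        return "permit" if s["sasl"] else None
    if name == "permit_mynetworks":
        return "permit" if s["mynetworks"] else None
    if name == "reject_unauth_destination":
        return None if s["local_rcpt"] else "reject"
    raise ValueError("restriction not modelled: " + name)

def decide(cfg, session):
    """Walk the lists in order; permit ends one list, reject ends the session."""
    for stage in STAGES:
        for name in cfg[stage].split(","):
            verdict = check(name.strip(), session)
            if verdict == "reject":
                return "reject at " + stage
            if verdict == "permit":
                break
    return "accept"
```

A permit in the client list only ends that list, so an authenticated submission client is still judged by the recipient list inherited from main.cf, while an unauthenticated one never gets past the client list.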