Postfix: sender-dependent-relay and mail for host

postfix

I'd like to extend my configuration of postfix to be able to receive mail for my domain.

Currently, I've set up postfix as a smarthost which accepts mail after authentication and forwards it, dependent on the sender, to different servers (like gmail). That works well so far. I'd like to extend the configuration such that mail for my domain (mydomain.com) is accepted, too, but without the need for authentication (everybody should be allowed to send mail to users on that domain). The smarthost capability should remain. Postfix should hence take these 2 tasks:

  1. Act as a smarthost and forward mail with arbitrary recipients after successful client authentication
  2. Receive mail from arbitrary senders without authentication but with recipient on local domain

The current configuration (main.cf) is appended below. I think what I need to do is to change parameters of 'smtpd_client_restrictions' and 'smtpd_recipient_restrictions', but I'm not sure about that. If someone could confirm this, that already would help me a lot.


main.cf:

    [...]
    myhostname = mydomain.com
    mynetworks = 127.0.0.0/8
    mydestination = mydomain.com localhost localhost.mydomain.com
    canonical_maps = regexp:/etc/postfix/canonical-redirect
    home_mailbox = Mail/

    # POSTFIX SERVER AUTHENTICATION
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noplaintext, noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_client_restrictions = permit_sasl_authenticated, reject
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject
    smtpd_tls_security_level = encrypt

    # SENDER DEPENDENT RELAYs
    # relays
    smtp_sender_dependent_authentication = yes
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
    # auth
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_mechanism_filter = GSSAPI, DIGEST-MD5, CRAM-MD5, login, plain
    smtp_tls_security_level = encrypt
    smtp_sasl_security_options = noplaintext, noanonymous
    smtp_sasl_tls_security_options = noplaintext, noanonymous

    #TLS
    smtpd_tls_cert_file=/etc/ssl/cert.pem
    smtpd_tls_key_file=/etc/ssl/cert.key
    [...]

  • Edit: According to the comment of NickW, I modified the permissions to

    smtpd_client_restrictions = 
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unknown_recipient_domain, permit
    

For my understanding, this rule would first allow all mail from authenticated users, deny mail for recipients which aren't on mydomain and finally permit these mails. Is this correct so far?

However, postfix then complains about 'fatal parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit'.
If I put a 'reject' AFTER the 'permit', postfix shows only a warning ('restriction 'reject' after 'permit' is ignored'), but the error isn't showing up…

Best Answer

Because you've set mydomain.com in mydestination, you can put permit_auth_destination in your restriction.

    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_auth_destination, reject

As NickW says, smtpd_client_restrictions was redundant. You can delete that line.
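Added example (not from the original post or from Postfix itself): a simplified Python model of first-match evaluation of smtpd_recipient_restrictions, comparing the original, edited and answered lists from this page. SASL and DNS are stubbed with constructed values, and it assumes only mydestination defines authorized destinations.

```python
# Simplified model of Postfix first-match evaluation; SASL and DNS are stubbed.

MYDESTINATION = {"mydomain.com", "localhost", "localhost.mydomain.com"}  # from main.cf
RESOLVABLE = {"mydomain.com", "gmail.com"}  # constructed stand-in for DNS lookups

ORIGINAL = ["permit_sasl_authenticated", "reject"]
EDITED = ["permit_sasl_authenticated", "reject_unknown_recipient_domain", "permit"]
ANSWER = ["permit_sasl_authenticated", "permit_auth_destination", "reject"]

# Constructed cases: (client authenticated?, RCPT TO address)
CASES = [
    (True, "friend@gmail.com"),       # smarthost user relaying out
    (False, "user@mydomain.com"),     # inbound mail for the local domain
    (False, "friend@gmail.com"),      # unauthenticated relay attempt
    (False, "nobody@nodns.invalid"),  # domain with no DNS records
]


def is_local(rcpt):
    # Assumption: no relay_domains or virtual domains are configured.
    return rcpt.rsplit("@", 1)[1].lower() in MYDESTINATION


def resolves(rcpt):
    return rcpt.rsplit("@", 1)[1].lower() in RESOLVABLE


def evaluate(restrictions, authenticated, rcpt):
    """Return 'permit' or 'reject'; the first rule that decides wins."""
    for rule in restrictions:
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if rule == "permit_auth_destination" and is_local(rcpt):
            return "permit"
        # Rejects only non-local recipients whose domain does not resolve.
        if (rule == "reject_unknown_recipient_domain"
                and not is_local(rcpt) and not resolves(rcpt)):
            return "reject"
        if rule in ("permit", "reject"):
            return rule
    return "permit"  # nothing rejected by the end of the list


def decisions(restrictions):
    return [evaluate(restrictions, auth, rcpt) for auth, rcpt in CASES]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("edited", EDITED), ("answer", ANSWER)):
        print(f"{name:9}", decisions(rules))
```

The third case is the one Postfix's fatal error guards against: with a trailing `permit` and no rule that rejects unauthorized destinations, unauthenticated mail for any resolvable remote domain is accepted for relay.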