On Thu, Mar 26, 2026 at 12:16:20PM +0000, Sad Clouds via Postfix-users wrote:

> It looks like there is no AUTH, but for some reason I can still submit
> mail on port 25 in some cases. There are two cases I'm testing:

The reason is that that's how the system is configured.

> 1. When sending from [email protected] to [email protected] and this
> domain is in virtual_mailbox_domains, then MUA submission on port 25 is
> permitted. Is this normal and is there a way to disable submission
> completely for port 25 and only use this port for mail relay?

Accepting mail for your own domains on port 25 is not submission, the
SMTP server cannot reasonably distinguish between an MTA sending inbound
mail and an MUA doing the same thing.

> 2. When sending from @example.com to @gmail.com, then MUA submission
> fails with "relay access denied".

Good.  That's what you want.

> So in this context, does "relay" refer to submission

It refers to attempts to deliver to an external domain.

> and how does Postfix differentiate between MTAs and MUAs?

It doesn't, not its job.  It distinguishes between inbound (recipient
in your domains) and outbound (recipient in other domains) mail.

> I want to stop MUAs from using port 25 completely,

You can't.  I can fire up "mutt" on my mail server and send you mail
from an MUA, or Postfix and send you mail from an MTA.  There's no
reasonable way to tell these apart.

> since I have different set of options and restrictions for submission.

You do that on ports 465 and 587 that allow outbound mail.
Port 25 is for *everyone* who can make the TCP connection.

> As requested by Victor, below are the extra details:
> 
> mynetworks = 127.0.0.0/8 [::1]/128

Loopback only, fine.

> smtpd_recipient_restrictions = permit_mynetworks reject_unauth_pipelining
>     reject_non_fqdn_recipient reject_unknown_recipient_domain
>     reject_unverified_recipient
> smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination

Inbound mail is permitted to all on port 25.  There's no discernible
difference between MUAs and MTAs, they use the same protocol.

> # postconf -Mf
> smtp       inet  n       -       n       -       1       postscreen
> smtpd      pass  -       -       n       -       -       smtpd

Just main.cf settings in effect here.

> # Mail log when sending to @example.com
> <mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/postscreen[5221]: CONNECT from [10.0.0.6]:35424 to [10.0.5.51]:25
> <mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/postscreen[5221]: PASS OLD [10.0.0.6]:35424
> <mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/smtpd[2870]: connect from rp4-8g.home.lan[10.0.0.6]
> <mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/cleanup[2856]: 20423DF2DC: message-id=<[email protected]>
> <mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/qmgr[3000]: 20423DF2DC: from=<[email protected]>, size=270, nrcpt=1 (queue active)
> <mail.err>Mar 26 11:25:29 vmsrv-node1 dovecot: lmtp(4794): Error: SSL context initialization failed, disabling SSL: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): The certificate is empty

As expected.  The problem is just your confusion, what you're
asking for is not sensible.

-- 
    Viktor.  🇺🇦 Слава Україні!
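
Added example, not part of the original message and not Postfix code: a simplified Python model of the quoted `smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination`, showing why the two test cases in the thread come out differently. It assumes `example.com` is the only entry in `virtual_mailbox_domains` and ignores `relay_domains`, `mydestination` and the other destination classes Postfix also consults; the recipient addresses are constructed.

```python
import ipaddress

# From the main.cf settings quoted in the thread.
MYNETWORKS = ["127.0.0.0/8", "::1/128"]
# Assumption: virtual_mailbox_domains holds only example.com.
VIRTUAL_MAILBOX_DOMAINS = {"example.com"}


def in_mynetworks(client_ip):
    """True if the client address falls inside any mynetworks entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def relay_decision(client_ip, recipient):
    """Model of: permit_mynetworks reject_unauth_destination.

    Returns (action, reason). Nothing here looks at what kind of
    program the client is; only the client address and the recipient
    domain matter.
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    # permit_mynetworks: trusted clients may send anywhere.
    if in_mynetworks(client_ip):
        return ("permit", "permit_mynetworks")
    # reject_unauth_destination: everyone else may only deliver
    # to domains this server is responsible for.
    if domain not in VIRTUAL_MAILBOX_DOMAINS:
        return ("reject", "Relay access denied")
    return ("permit", "inbound mail for own domain")


if __name__ == "__main__":
    # Constructed cases: the LAN client from the log, then loopback.
    for ip, rcpt in [
        ("10.0.0.6", "user@example.com"),   # case 1 in the thread
        ("10.0.0.6", "user@gmail.com"),     # case 2 in the thread
        ("127.0.0.1", "user@gmail.com"),    # loopback is in mynetworks
    ]:
        print(ip, rcpt, relay_decision(ip, rcpt))
```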