I'm running a relay server for my internal network, and trying to
construct a smtpd_recipient_restrictions list that will accomplish the
following:
- if the client is in mynetworks
- and it passes a check_policy_service test
- then allow the message
- otherwise, reject the message

However, with the following setting:
    smtpd_recipient_restrictions = permit_mynetworks,
        check_policy_service unix:private/mypolicy, reject_unauth_destination
it seems that the permit_mynetworks finds the allowed client, returns
a "permit", and the check does not progress any further.  It works as
expected if I remove permit_mynetworks, but I was hoping to filter out
IP addresses before calling the policy script, which seems more
efficient.

Is there a way to accomplish what I am looking to do?


PS. I'm also a bit concerned with the warnings about:
    specify check_policy_service AFTER reject_unauth_destination or
    else your system can become an open relay.
but if I put the policy check after reject_unauth_destination, the
policy never gets called.

--------------- postconf -n ------------
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, check_policy_service unix:private/mypolicy, reject_unauth_destination
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
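
A simplified model of how Postfix walks a restriction list, showing why the posted order never reaches the policy service for a mynetworks client (added example, not part of the original post and not Postfix code). The policy rule, the example.internal domain, the sample requests and the "policy_first" ordering are assumptions made for illustration.

```python
import ipaddress

MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]  # mynetworks from the post
LOCAL_DOMAINS = {"example.internal"}  # constructed stand-in for mydestination
BLOCKED = {"blocked@example.internal"}  # constructed policy rule

def permit_mynetworks(req, calls):
    addr = ipaddress.ip_address(req["client_address"])
    return "PERMIT" if any(addr in net for net in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(req, calls):
    domain = req["recipient"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"

def reject(req, calls):
    return "REJECT"

def check_policy_service(req, calls):
    # Hypothetical policy: answers REJECT or DUNNO, never OK, so it can
    # only narrow what later restrictions allow and cannot open a relay.
    calls.append(req["client_address"])
    return "REJECT" if req["sender"] in BLOCKED else "DUNNO"

ORDERS = {
    # The list from the post.
    "posted": [permit_mynetworks, check_policy_service, reject_unauth_destination],
    # Assumed alternative: policy first, then permit_mynetworks, then reject.
    "policy_first": [check_policy_service, permit_mynetworks, reject],
}

def evaluate(order, req):
    """Walk the list left to right; the first PERMIT or REJECT ends it."""
    calls = []
    for restriction in ORDERS[order]:
        result = restriction(req, calls)
        if result != "DUNNO":
            return result, len(calls)
    return "PERMIT", len(calls)  # no decision by end of list: accepted

# Constructed requests: an internal client with a sender the policy blocks,
# and an outside client trying to relay to a remote domain.
INSIDE_BLOCKED = {"client_address": "192.168.1.10",
                  "sender": "blocked@example.internal",
                  "recipient": "user@example.org"}
OUTSIDE = {"client_address": "203.0.113.5",
           "sender": "someone@example.net",
           "recipient": "user@example.org"}

if __name__ == "__main__":
    for order in ORDERS:
        print(order, evaluate(order, INSIDE_BLOCKED), evaluate(order, OUTSIDE))
```

In the "policy_first" ordering the policy service is consulted for every client, so it does not pre-filter by IP address; it only guarantees that a mynetworks client is permitted after the policy has answered DUNNO.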
