I'm running a relay server for my internal network, and trying to construct a smtpd_recipient_restrictions list that will accomplish the following:

- if the client is in mynetworks
- and it passes a check_policy_service test
- then allow the message
- otherwise, reject the message

However, with the following setting:

    smtpd_recipient_restrictions = permit_mynetworks, check_policy_service unix:private/mypolicy, reject_unauth_destination

it seems that the permit_mynetworks finds the allowed client, returns a "permit", and the check does not progress any further. It works as expected if I remove permit_mynetworks, but I was hoping to filter out IP addresses before calling the policy script, which seems more efficient. Is there a way to accomplish what I am looking to do?

PS. I'm also a bit concerned with the warnings about:

    specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay.

but if I put the policy check after reject_unauth_destination, the policy never gets called.

--------------- postconf -n ------------

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost
    mynetworks = 192.168.1.0/24
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
    sample_directory = /usr/share/doc/postfix-2.3.3/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_recipient_restrictions = permit_mynetworks, check_policy_service unix:private/mypolicy, reject_unauth_destination
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = hash:/etc/postfix/virtual
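The "in mynetworks AND passes the policy test, otherwise reject" logic from the question can also live inside the policy service itself, with the cheap address test run before the policy test. The sketch below is an added example, not part of the original post or of Postfix: it assumes permit_mynetworks is removed from the restriction list so that the service is consulted for every client, and the sender-domain allowlist is a hypothetical stand-in for whatever the real policy script checks.

```python
import ipaddress

# Taken from the postconf -n output in the post.
MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
# Hypothetical stand-in for the real policy test (constructed value).
ALLOWED_SENDER_DOMAINS = {"example.com"}


def parse_request(raw):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break  # the empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def in_mynetworks(addr):
    """True only for a well-formed address inside one of MYNETWORKS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a missing or malformed address is never trusted
    return any(ip in net for net in MYNETWORKS)


def sender_policy_ok(attrs):
    """Hypothetical policy test: sender domain must be on the allowlist."""
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    return domain in ALLOWED_SENDER_DOMAINS


def decide(raw):
    """Return the reply Postfix expects: action=... plus an empty line."""
    attrs = parse_request(raw)
    if attrs.get("request") != "smtpd_access_policy":
        action = "REJECT unsupported policy request"
    elif not in_mynetworks(attrs.get("client_address", "")):
        # Cheap address test first; the policy test is skipped entirely.
        action = "REJECT client not in mynetworks"
    elif not sender_policy_ok(attrs):
        action = "REJECT sender not permitted by policy"
    else:
        action = "OK"
    return "action=%s\n\n" % action
```

Because the service rejects every client outside mynetworks on its own, an OK reply never reaches a foreign client, which is the open-relay condition the quoted warning is about.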