I think I got it. The ordering is critical. Thanks
# Comments are kept on their own lines: Postfix treats a "#" after a value as part of the value.
# check_recipient_access first: this will allow clients missing PTR records the ability to relay locally.
# reject_unknown_reverse_client_hostname next: reject all other clients missing PTR records from sending externally.
# permit_mynetworks near the end: permit all other mail traffic, both internally and externally.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/relay_domains
    reject_unknown_reverse_client_hostname
    reject_unknown_recipient_domain
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    permit_mynetworks
    reject_unauth_destination

/etc/postfix/relay_domains:
    mydomain.com OK
    myotherdomain.com OK
On Wed, Jan 23, 2013 at 11:21 AM, Tom Tucker <[email protected]> wrote:
>
> Stan,
> Thanks for the response. This does work, however these clients are also
> able to send to domains outside my environment. Let me try to clarify my
> scenario.
>
> Client: With PTR record = Full relay (internal & external domains)
> Client: No PTR record = Relay for internal domains only
>
> Is it possible to configure Postfix to support this type configuration?
>
> On Wed, Jan 23, 2013 at 5:38 AM, Stan Hoeppner <[email protected]> wrote:
>
>> On 1/22/2013 8:52 PM, Tom Tucker wrote:
>> > I am struggling with a configuration that might be impossible. Hopefully
>> > the list can help guide me.
>> >
>> > I want to allow internal systems the ability to relay emails to my domains
>> > even though they might get caught with
>> > 'reject_unknown_reverse_client_hostname'. Possible? If yes, I am unsure
>> > how to configure smtpd_sender_restrictions and smtpd_recipient_restrictions
>> > to support such.
>> >
>> > Current non-working configuration for this scenario
>> > ------------------------------------------------------------------------
>> > smtpd_sender_restrictions = permit_mynetworks,
>> > reject_unknown_sender_domain, reject_non_fqdn_sender
>> >
>> > smtpd_recipient_restrictions = reject_unknown_reverse_client_hostname,
>> > reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname,
>> > reject_unauth_destination, reject_non_fqdn_recipient,
>> > reject_unknown_recipient_domain, reject_unverified_recipient
>>
>> Don't specify the separate restriction classes. Put everything under
>> smtpd_recipient_restrictions. This way you can manipulate the precise
>> order of your restrictions. Remember, "first match wins". If you
>> specify them separately you must put all permit actions at the start of
>> each class section. Ergo each would need to start with
>> "permit_mynetworks". Here's an example of the EURR method. There is no
>> client, sender, or helo restriction section, only this:
>>
>> smtpd_recipient_restrictions =
>> permit_mynetworks
>> reject_unauth_destination
>> reject_unknown_reverse_client_hostname
>> reject_non_fqdn_sender
>> reject_non_fqdn_helo_hostname
>> reject_invalid_helo_hostname
>> reject_unknown_helo_hostname
>> reject_unlisted_recipient
>> ...
>>
>> Using this method, permit_mynetworks will match your local hosts before
>> reject_unknown_reverse_client_hostname matches. First match wins, and
>> you only have one class, so this solves your problem.
>>
>> --
>> Stan
>