On Fri, 5 Jul 2013, W T Riker wrote:

Indeed this is using port 587. I did not realize that that in itself was
sufficient to prevent relaying from non-authenticated clients. Thanks.

It doesn't. If 587 is configured the same as 25, it will behave just like port 25. There is nothing special about port 587 other than how YOU configure it to be different.

The key to understanding Postfix restrictions is they evaluate in order and the first to return a result other than DUNNO is what wins. A permit_xxxx restriction generally returns PERMIT or DUNNO. A reject_xxxx restriction generally returns REJECT or DUNNO. So if you have permit_sasl_authenticated as the first test in a group of restrictions (e.g. smtpd_recipient_restrictions), if the user is SASL authenticated, it returns PERMIT and the mail is accepted and, if not destined locally, relayed. All remaining tests in that group of restrictions are then skipped. If the user is not SASL authenticated, it returns DUNNO and goes on to the next restriction in that group. If that next restriction is reject_unauth_destination (which in case it's not clear to you is the restriction that prevents relaying), an unauthenticated user will not be permitted to relay.

So in short, a restriction group that permits authenticated users to send anywhere and unauthenticated users to only send to domains for which Postfix is configured to accept mail would be: permit_sasl_authenticated, reject_unauth_destination. However, don't just do what we suggest; make sure you understand it and that it is doing what YOU want.

-- Larry Stone
   lston...@stonejongleux.com
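
The evaluation order described in the message above, as an added example that is not part of the original post and is not Postfix code: a toy model of the two restrictions it names, run over constructed sessions on ports 25 and 587. The domain list, user name and addresses are assumptions made for the illustration.

```python
# Toy model of first-match restriction evaluation (illustration only).
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed sample: domains this server accepts mail for (assumption).
LOCAL_DOMAINS = {"example.org"}


def permit_sasl_authenticated(session, rcpt):
    # PERMIT for an authenticated client, otherwise no opinion.
    return PERMIT if session["sasl_user"] else DUNNO


def reject_unauth_destination(session, rcpt):
    # REJECT unless the recipient domain is one we accept mail for.
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return DUNNO if domain in LOCAL_DOMAINS else REJECT


def evaluate(restrictions, session, rcpt):
    """Return (result, deciding_restriction); the first non-DUNNO result wins."""
    for check in restrictions:
        result = check(session, rcpt)
        if result != DUNNO:
            return result, check.__name__  # remaining checks are skipped
    return DUNNO, None  # nothing in this group objected or permitted


RECOMMENDED = [permit_sasl_authenticated, reject_unauth_destination]


def relay_matrix(restrictions):
    """Evaluate constructed sessions on ports 25 and 587 against one group."""
    rows = {}
    for port in (25, 587):
        for user in (None, "riker"):
            for rcpt in ("bob@example.org", "eve@elsewhere.test"):
                session = {"port": port, "sasl_user": user}
                rows[(port, user, rcpt)] = evaluate(restrictions, session, rcpt)[0]
    return rows


if __name__ == "__main__":
    for key, result in relay_matrix(RECOMMENDED).items():
        print(key, "->", result)
```

The port field is carried in each session but never consulted by either check, so the same restriction group gives the same verdicts on 25 and 587.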
