On 7/5/2013 9:51 AM, Larry Stone wrote:
> On Fri, 5 Jul 2013, W T Riker wrote:
>
>> Indeed this is using port 587. I did not realize that that in itself was
>> sufficient to prevent relaying from non-authenticated clients. Thanks.
>
> It doesn't. If 587 is configured the same as 25, it will behave just
> like port 25. There is nothing special about port 587 other than how
> YOU configure it to be different.
>
> The key to understanding Postfix restrictions is they evaluate in
> order and the first to return a result other than DUNNO is what wins.
> A permit_xxxx restrictions generally returns PERMIT or DUNNO. A
> reject_xxxx restriction generally returns REJECT or DUNNO. So if you
> have permit_sasl_authenticated as the first test in a group of
> restrictions (e.g. smtpd_recipient_restrictions), if the user is SASL
> authenticated, it returns PERMIT and the mail is accepted and, if not
> destined locally, relayed. All remaining tests in that group of
> restrictions are then skipped. If the user is not SASL authenticated,
> it returns DUNNO and goes on to the next restriction in that group. If
> that next restriction is reject_unauth_destination (which in case it's
> not clear to you is the restriction that prevents relaying), an
> unauthenticated user will not be permitted to relay.
>
> So in short, a restriction group that permits authenticated users to
> send anywhere and unauthenticated users to only send to domains for
> which Postfix is configured to accept mail would be:
> permit_sasl_authenticated, reject_unauth_destination. However, don't
> just do what we suggest; make sure you understand it and that it is
> doing what YOU want.
>
> -- Larry Stone
>    lston...@stonejongleux.com
>
Thanks for that explanation. I think I understand the way it works now
so I modified my restrictions a bit. Does this order pass the sniff test?

smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unlisted_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_helo_hostname,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain
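To make Larry's "first result other than DUNNO wins" rule concrete, here is a small model of restriction-list evaluation driven by the exact order posted above. It is an added example, not Postfix code or anything from this thread: each restriction is a tiny stand-in (the DNS checks are replaced by a constructed set of "known" domains, the HELO syntax check is simplified), and mynetworks, mydestination, the local recipient list and every client/session value are constructed assumptions for the sake of the run. What it shows is which restriction decides each case, and in particular that a permit placed early skips every reject after it, while a reject placed before the permits applies to authenticated users too.

```python
"""Simplified model of how Postfix walks a restriction list (added example, not Postfix code).

Each restriction takes a session dict and returns 'PERMIT', 'REJECT' or 'DUNNO'.
The list is evaluated in order and the first non-DUNNO result wins; reaching the
end of the list with only DUNNO means the list made no decision (for
smtpd_recipient_restrictions Postfix then accepts; smtpd_relay_restrictions,
added in Postfix 2.10, is not modelled here).
"""
from ipaddress import ip_address, ip_network

# Constructed server facts for the example (assumptions, not from the post).
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.org", "localhost"}          # domains this server accepts mail for
LOCAL_RECIPIENTS = {"postmaster@example.org", "alice@example.org"}
KNOWN_DOMAINS = {"example.org", "example.net", "localhost"}  # stand-in for DNS MX/A lookups


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_fqdn(addr):
    return "." in domain(addr)


# One function per restriction; each returns PERMIT, REJECT or DUNNO as Larry describes.
def reject_non_fqdn_recipient(s):
    return "DUNNO" if is_fqdn(s["rcpt"]) else "REJECT"


def reject_non_fqdn_sender(s):
    return "DUNNO" if is_fqdn(s["sender"]) else "REJECT"


def reject_unlisted_recipient(s):
    # Only applies to domains we host: an unknown local user is rejected.
    if domain(s["rcpt"]) in MYDESTINATION and s["rcpt"].lower() not in LOCAL_RECIPIENTS:
        return "REJECT"
    return "DUNNO"


def permit_mynetworks(s):
    ip = ip_address(s["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(s):
    return "PERMIT" if s["sasl_user"] else "DUNNO"


def reject_unauth_destination(s):
    # The anti-relay check: recipient must be in a domain we accept mail for.
    return "DUNNO" if domain(s["rcpt"]) in MYDESTINATION else "REJECT"


def reject_invalid_helo_hostname(s):
    helo = s["helo"]  # simplified syntax check: letters, digits, dots and dashes only
    return "DUNNO" if helo and all(c.isalnum() or c in ".-" for c in helo) else "REJECT"


def reject_unknown_sender_domain(s):
    return "DUNNO" if domain(s["sender"]) in KNOWN_DOMAINS else "REJECT"


def reject_unknown_recipient_domain(s):
    return "DUNNO" if domain(s["rcpt"]) in KNOWN_DOMAINS else "REJECT"


# The order posted in the thread.
SMTPD_RECIPIENT_RESTRICTIONS = [
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
]


def evaluate(restrictions, session):
    """Return (verdict, name of the deciding restriction); first non-DUNNO wins."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "DUNNO", None  # list made no decision; Postfix's default for this stage applies


def session(**overrides):
    """Constructed session: an unauthenticated outside client sending to a local user."""
    base = {"client_ip": "198.51.100.7", "sasl_user": None, "helo": "mail.example.net",
            "sender": "bob@example.net", "rcpt": "alice@example.org"}
    base.update(overrides)
    return base


if __name__ == "__main__":
    cases = {
        "stranger -> local user": session(),
        "stranger relays": session(rcpt="carol@example.net"),
        "SASL user relays": session(rcpt="carol@example.net", sasl_user="bob"),
        "mynetworks, bad HELO, relays": session(rcpt="carol@example.net",
                                                client_ip="192.0.2.5", helo="bad_host!"),
        "SASL user, non-FQDN sender": session(sender="bob", sasl_user="bob"),
    }
    for name, sess in cases.items():
        print(f"{name:32} -> {evaluate(SMTPD_RECIPIENT_RESTRICTIONS, sess)}")
```

The "mynetworks, bad HELO" case is the one worth noticing: because permit_mynetworks sits before reject_invalid_helo_hostname, a trusted-network client is never HELO-checked, which is exactly the "make sure it is doing what YOU want" point. Swapping permit_sasl_authenticated to after reject_unauth_destination would turn the "SASL user relays" case into a REJECT, so the order of those two lines is what makes authenticated relaying work at all.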
