On Thu, Dec 12, 2019 at 12:10:07AM +0000, Jason R Cowart wrote:

> We're moving to a configuration that will leverage the check_sasl_access
> option to allow only those granted access to authenticate from outside the
> local network and relay mail.

Your submission users should be using port 587, not 25, which avoids the
need to craft access control rules that simultaneously work for both
types of traffic.

> This is mostly working (at least amongst the list of users allowed to
> send--we'll evaluate the types of things we're hoping to block
> separately).  However for approximately 5% of that "allowed"
> population we see the server rejecting the message, with log entries
> like (address X'd out):

Your rules reject the recipient.

> 2019-12-11T14:59:50.732563-08:00 smtp5 postfix/smtpd[3564]: NOQUEUE:
>   reject: RCPT from c-71-63-145-202.hsd1.or.comcast.net[71.63.145.202]:
>   554 5.7.1 <x...@stanford.edu>: Recipient address rejected: Access
>   denied; from=<x...@stanford.edu> to=<x...@stanford.edu> proto=ESMTP
>   helo=<HP08E4FF>
> 
> OLD:
> 
> smtpd_recipient_restrictions =
>     check_client_access cidr:/etc/postfix/access/restricted-local-only.cidr,

This short-circuits after finding an SASL authenticated user.

>     check_recipient_access hash:/etc/postfix/access/recipient,
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unknown_recipient_domain,
>     reject_non_fqdn_recipient,
>     reject_unauth_destination,
>     reject
> 
> NEW:
> 
> smtpd_relay_restrictions = 
>     check_sasl_access hash:/etc/postfix/access/sasl-users-list,
>     permit_mynetworks,
>     reject_unauth_destination,
>     reject

This permits relaying by SASL authenticated users, but they're
still subject to the recipient restrictions below:

> smtpd_recipient_restrictions =
>     check_client_access cidr:/etc/postfix/access/restricted-local-only.cidr,
>     check_recipient_access hash:/etc/postfix/access/recipient,
>     reject_unknown_recipient_domain,
>     reject_non_fqdn_recipient

> We've also tried PERMIT rather than OK, without effect.

Both rulesets have to pass, but on port 587 you'd override all the
access control rules, setting most of them empty, with just:

    mua_relay_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject

> It's worth noting that in making this change we moved from Postfix 2.9.6 to 
> 3.1.12.
> 
> Any thoughts?  Thanks in advance.

Each of the top-level built-in restriction classes (client, helo, sender,
recipient, data, end_of_data) must pass for the message to be accepted.
A PERMIT/OK only short-circuits processing in one class of restrictions.

-- 
    Viktor.

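As an added illustration of the rule stated in the closing paragraph (this is example code written for this page, not Postfix source and not anything posted in the thread): a toy model of how smtpd walks its restriction classes at RCPT time, run over the NEW rulesets quoted above and over the port-587 override. The lookup tables, the networks (RFC 5737 test ranges), the SASL user alice and the domain example.edu are constructed stand-ins; only the restrictions that appear in the quoted configuration are modelled, and the DNS-based check is stubbed out as DUNNO.

```python
"""Toy model of how Postfix smtpd walks its restriction classes at RCPT time.
Example code for this thread, not Postfix source: it models only the
restrictions quoted in the thread, over constructed tables and addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DUNNO, OK, REJECT = "DUNNO", "OK", "REJECT"

# Constructed data: RFC 5737 ranges and example.edu stand in for the real site.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("198.51.100.0/24")]
AUTHORIZED_DOMAINS = {"example.edu"}  # stand-in for mydestination/relay_domains
TABLES = {  # hypothetical contents of the hash:/cidr: maps named in the thread
    "hash:/etc/postfix/access/sasl-users-list": {"alice": OK},
    "hash:/etc/postfix/access/recipient": {"all-staff@example.edu": REJECT},
    "cidr:/etc/postfix/access/restricted-local-only.cidr": {
        ipaddress.ip_network("192.0.2.0/24"): REJECT},
}


@dataclass
class Session:
    client_ip: str
    recipient: str
    sasl_username: Optional[str] = None  # None: not SASL-authenticated

    @property
    def domain(self) -> str:
        return self.recipient.rpartition("@")[2]


def restriction(name: str, s: Session) -> str:
    """Evaluate one restriction; OK/REJECT decide, DUNNO means 'try the next'."""
    kind, _, arg = name.partition(" ")
    ip = ipaddress.ip_address(s.client_ip)
    if kind == "permit_sasl_authenticated":
        return OK if s.sasl_username else DUNNO
    if kind == "permit_mynetworks":
        return OK if any(ip in net for net in MYNETWORKS) else DUNNO
    if kind == "reject_unauth_destination":
        return DUNNO if s.domain in AUTHORIZED_DOMAINS else REJECT
    if kind == "reject_non_fqdn_recipient":
        return DUNNO if "." in s.domain else REJECT
    if kind == "reject_unknown_recipient_domain":
        return DUNNO  # DNS not modelled: every domain is assumed to resolve
    if kind == "reject":
        return REJECT
    if kind == "check_sasl_access":
        return TABLES[arg].get(s.sasl_username, DUNNO) if s.sasl_username else DUNNO
    if kind == "check_recipient_access":  # full address first, then the domain
        table = TABLES[arg]
        return table.get(s.recipient, table.get(s.domain, DUNNO))
    if kind == "check_client_access":  # cidr: table, first matching network wins
        return next((a for net, a in TABLES[arg].items() if ip in net), DUNNO)
    raise ValueError("restriction not modelled: " + name)


def evaluate_class(restrictions, s: Session):
    """First OK or REJECT ends the class; running off the end is DUNNO (pass)."""
    for r in restrictions:
        result = restriction(r, s)
        if result != DUNNO:
            return result, r
    return DUNNO, None


def rcpt_decision(classes, s: Session):
    """Walk every class in order: OK only ends its own class, any REJECT wins."""
    trace = []
    for cls_name, restrictions in classes:
        result, hit = evaluate_class(restrictions, s)
        trace.append((cls_name, result, hit))
        if result == REJECT:
            return "reject", trace
    return "accept", trace


# Port 25: the NEW rulesets from the thread (relay is evaluated before recipient).
PORT25 = [
    ("smtpd_relay_restrictions", [
        "check_sasl_access hash:/etc/postfix/access/sasl-users-list",
        "permit_mynetworks", "reject_unauth_destination", "reject"]),
    ("smtpd_recipient_restrictions", [
        "check_client_access cidr:/etc/postfix/access/restricted-local-only.cidr",
        "check_recipient_access hash:/etc/postfix/access/recipient",
        "reject_unknown_recipient_domain", "reject_non_fqdn_recipient"]),
]
# Port 587: the submission override suggested above; recipient class left empty.
PORT587 = [
    ("smtpd_relay_restrictions",
     ["permit_sasl_authenticated", "permit_mynetworks", "reject"]),
    ("smtpd_recipient_restrictions", []),
]

if __name__ == "__main__":
    cases = [
        ("alice, outside, to a REJECTed recipient, port 25", PORT25,
         Session("203.0.113.7", "all-staff@example.edu", "alice")),
        ("same client and recipient, port 587", PORT587,
         Session("203.0.113.7", "all-staff@example.edu", "alice")),
        ("unauthenticated outsider relaying, port 25", PORT25,
         Session("203.0.113.7", "bob@example.net")),
        ("unauthenticated outsider to a local domain, port 25", PORT25,
         Session("203.0.113.7", "bob@example.edu")),
    ]
    for label, rules, sess in cases:
        decision, trace = rcpt_decision(rules, sess)
        print(f"{label}: {decision}")
        for cls_name, result, hit in trace:
            print(f"    {cls_name}: {result} ({hit or 'end of list'})")
```

The first case reproduces the situation in the thread: the relay class returns OK for the SASL user at check_sasl_access, and the recipient class is still evaluated afterwards and rejects on its own. On port 587, with the recipient class emptied, the same session is accepted. The fourth case shows a side effect of the trailing reject in the quoted smtpd_relay_restrictions that is worth checking on a port-25 server: reject_unauth_destination returns DUNNO for a local recipient, so an unauthenticated outside client is then refused by the final reject even for mail to a local domain.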