The current Postfix (2.9) configuration is pretty straightforward: MX record points to the server running Postfix, Postfix delivers mail to the user's maildir. Users get their mail over IMAP via dovecot, and relay outbound mail through Postfix over TLS on port 465 with authentication. Here is the lightly-censored /etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
myorigin = /etc/mailname
mydomain = example.net
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h
readme_directory = no
# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
# Anti-spam
disable_vrfy_command = yes
smtpd_helo_required = yes
header_checks = regexp:/etc/postfix/header_checks
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    check_policy_service unix:private/policy-spf,
    reject_rbl_client zen.spamhaus.org
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/figaro.example.net.crt
smtpd_tls_key_file=/etc/ssl/private/figaro.example.net.key
smtpd_tls_CAfile=/etc/ssl/certs/sub.class1.server.ca.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# different EHLO response for localhost
# (we speed up roundcube by disabling STARTTLS)
smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
myhostname = figaro.example.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = figaro.example.net, localhost.example.net, example.net, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = .
inet_interfaces = all
home_mailbox = Maildir/
policy-spf_time_limit = 3600s
This has worked fairly well for some time but we're having issues with spam and have decided to contract with an external spam filtering service. How it works is we put their SMTP servers in our domain's MX records and they forward the (ostensibly) legitimate mail to our server.
But I'm having difficulty configuring Postfix in such a way that it:
- Relays mail from authenticated clients out to the rest of the 'net
- Accepts mail to local users only from the external mail filtering service
All other attempts at delivering or relaying should be rejected. The spam filtering service lists its outgoing IPs as DNS A records for a given host. Let's say, delivery.example.com. I created /etc/postfix/access as follows (remembering to run postmap /etc/postfix/access afterward):
delivery.example.com OK
And then modified /etc/postfix/main.cf and replaced smtpd_recipient_restrictions with:
smtpd_client_restrictions =
    hash:/etc/postfix/access
    permit_sasl_authenticated
    permit_mynetworks
    reject
This works in that mail is accepted from delivery.example.com and is rejected from everywhere else, the problem is that relay access is denied for users trying to send mail out through the server from an ordinary mail client like Thunderbird:
Aug 29 13:37:36 figaro postfix/smtpd[24703]: connect from <censored>
Aug 29 13:37:37 figaro postfix/smtpd[24703]: Anonymous TLS connection established from <censored>: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug 29 13:37:38 figaro postfix/smtpd[24703]: NOQUEUE: reject: RCPT from <censored>: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.1]>
Aug 29 13:37:44 figaro postfix/smtpd[24703]: disconnect from <censored>
I would have thought (even after reading the docs) that permit_sasl_authenticated should have allowed users to send mail through the server, but that doesn't appear to work. (It does work under the current config above. And the server is not an open relay in either case.) Any suggestions?
The problem with your config revision is that you replaced smtpd_recipient_restrictions (with smtpd_client_restrictions) rather than adding check_client_access hash:/etc/postfix/access to smtpd_recipient_restrictions. Here is your Postfix restriction after revision:
Wait... Where does the smtpd_recipient_access come from?
Based on how Postfix applies restrictions, the authenticated clients can bypass smtpd_client_restrictions but they are rejected by smtpd_recipient_restrictions.
For the solution, I suggest you put hash:/etc/postfix/access with check_client_access on smtpd_recipient_restrictions. So, replace the current smtpd_client_restrictions with
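As an added illustration (not part of the question or the answer), a short Python model of the restriction-list walk discussed above: it reproduces the "Relay access denied" result of the revised config and the effect of moving check_client_access into smtpd_recipient_restrictions. The restriction names, domains and access entry are from the page; the ordering used for the fixed list and the sample sessions are assumptions.

```python
# Added example, not code from the original post: a model of how Postfix walks
# its smtpd_*_restrictions lists, showing why the revised config gives SASL users
# "Relay access denied" and how the answer's suggestion fixes it. Sessions are constructed.
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.net", "figaro.example.net", "localhost.example.net", "localhost"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]
# check_client_access matches the client's reverse-DNS name (or IP), not the A
# records of the listed name; this is the page's /etc/postfix/access table.
CLIENT_ACCESS = {"delivery.example.com": "OK"}

def evaluate(restrictions, s):
    """One list: the first OK or REJECT wins, otherwise try the next entry."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and s["sasl"]:
            return "OK"
        if r == "permit_mynetworks" and any(ip_address(s["ip"]) in n for n in MYNETWORKS):
            return "OK"
        if r == "check_client_access" and s["client"] in CLIENT_ACCESS:
            return CLIENT_ACCESS[s["client"]]
        if r == "reject_unauth_destination" and s["rcpt"].split("@")[1] not in LOCAL_DOMAINS:
            return "REJECT"
        if r == "reject":
            return "REJECT"
    return "DUNNO"  # end of list: this stage permits

def decide(config, s):
    """Stages are evaluated one after another at RCPT TO (smtpd_delay_reject=yes);
    an OK from smtpd_client_restrictions does not skip smtpd_recipient_restrictions."""
    for stage in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if evaluate(config.get(stage, []), s) == "REJECT":
            return "REJECT"
    return "OK"

# The question's revision: with the explicit recipient list removed, Postfix 2.9
# uses its built-in default "permit_mynetworks, reject_unauth_destination".
REVISED = {"smtpd_client_restrictions": ["check_client_access", "permit_sasl_authenticated",
                                         "permit_mynetworks", "reject"],
           "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_destination"]}
# The answer's direction, ordered as assumed here: the access lookup sits after
# reject_unauth_destination, so the filter service may deliver locally but never relay.
FIXED = {"smtpd_recipient_restrictions": ["permit_sasl_authenticated", "permit_mynetworks",
                                          "reject_unauth_destination", "check_client_access", "reject"]}

def session(sasl, ip, client, rcpt):
    return {"sasl": sasl, "ip": ip, "client": client, "rcpt": rcpt}
SASL_USER_RELAYING = session(True, "192.0.2.10", "unknown", "user@example.org")  # Thunderbird user
FILTER_TO_LOCAL = session(False, "198.51.100.5", "delivery.example.com", "user@example.net")
FILTER_RELAYING = session(False, "198.51.100.5", "delivery.example.com", "user@example.org")
STRANGER_TO_LOCAL = session(False, "203.0.113.7", "mail.example.org", "user@example.net")
```

Calling decide(REVISED, SASL_USER_RELAYING) yields REJECT, matching the log above, while decide(FIXED, SASL_USER_RELAYING) yields OK and the filter service still cannot relay.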