On 2024-07-22 at 12:16:26 UTC-0400 (Mon, 22 Jul 2024 11:16:26 -0500) Chris Wopat via Postfix-users <m...@falz.net> is rumored to have said:
> On Mon, Jul 22, 2024 at 10:45 AM Bill Cole via Postfix-users
> <postfix-users@postfix.org> wrote:
>> Yes. Anything in master.cf after a "-o" is just a service-specific exception
>> to the configuration set in main.cf. So, you could add it to the smtpd line
>> in master.cf or to main.cf.
>
> ack. probably not the fix i want here but good to know.

Right. What you want is for your legitimate users to have unrestricted relaying. So this main.cf line is a problem:

smtpd_recipient_restrictions = check_client_access cidr:/etc/postfix/access, permit_sasl_authenticated, reject_unauth_destination

If you don't have explicit OK results in that access table for the client IP and the client doesn't do SASL authentication, this will reject your mail. I didn't see (in the postfinger output you provided) any other reason your configuration would reject any mail.

If you are not using SASL then you can replace the above with:

smtpd_recipient_restrictions = check_client_access cidr:/etc/postfix/access, reject

However, that's just logical cleanup; it does not change the fact that you must have an explicit OK for the client address in that access map. You could also replace the check_client_access map with permit_mynetworks if you were to put all of that table into mynetworks.

>> Non-sequitur. Surely you must have some record of what domains you relay TO
>> (i.e. who your customers are); it's just a matter of hooking that into a
>> Postfix map. It need not be a static list, it can be LDAP or an SQL
>> database. If you don't restrict the domains that you will relay TO, you
>> will find your server abused and widely blocked. There may be a way to make
>> Postfix relay for any domain that points an MX record to it, as can be done
>> in Sendmail, but it is inadvisable.
>
> We outbound relay only, per your next point

That clarifies the situation greatly. I believe that both Matus's and Wietse's answers were also looking at this as an inbound relay problem.
>> That's for outbound relay, relaying FROM customers. Authentication would be
>> a better way to control that, but if you believe that your customers'
>> networks are always trustworthy, IP-based is reasonable. After all, it's
>> almost universal for people to use permit_mynetworks.
>
> Yes, this is what we are doing. We have no interest in getting in the
> middle of creating per-user authentication and handling that entire
> layer. We are happy and have not had issues with any spam issues with
> whitelisting IPs upon their requests.
>
> Anyhow, this is what we're trying to solve - it works well on 587,
> just not 25, and did work with what appears to be the same config on
> postfix 2.10.
>
> I'm clearly missing something in our config for this and just trying
> to figure out what it is.

Take a closer look at the access map. At present, it is the only mechanism I see which will permit mail to be accepted on port 25, a job which it is not doing.

If you are not using SASL authentication, it would also be a good idea to remove the configuration parameters supporting it. I don't believe those settings are part of the problem here, but they obfuscate the issue.

-- 
Bill Cole

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
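As an added illustration (not code from the thread or from Postfix itself), the following Python model walks through how the quoted smtpd_recipient_restrictions list is evaluated for a port-25 client: a constructed cidr: table stands in for /etc/postfix/access, and the domain names and the simplified "authorized destination" set are assumptions.

```python
import ipaddress

# Constructed stand-in for /etc/postfix/access (cidr: table), not the poster's real file.
ACCESS_TABLE = """\
# customer networks permitted to relay (constructed example)
192.0.2.0/24    OK
198.51.100.7    OK
203.0.113.0/24  REJECT not a customer
"""


def load_cidr_table(text):
    """Parse a Postfix cidr: table into ordered (network, result) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        entries.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return entries


def check_client_access(entries, client_ip):
    """First matching entry wins, as in a cidr: lookup; None means no match (DUNNO)."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in entries:
        if addr in net:
            return result
    return None


def recipient_restrictions(entries, client_ip, sasl_authenticated, rcpt_domain,
                           authorized_domains=frozenset({"relay.example"})):
    """Evaluate: check_client_access cidr:..., permit_sasl_authenticated, reject_unauth_destination.

    authorized_domains is a simplified stand-in for the domains reject_unauth_destination
    accepts (mydestination, relay_domains, etc.); it is an assumption of this example.
    """
    result = check_client_access(entries, client_ip)
    if result == "OK":
        return "permit"                      # explicit OK in the access map
    if result is not None and result.upper().startswith("REJECT"):
        return "reject"                      # explicit REJECT in the access map
    if sasl_authenticated:
        return "permit"                      # permit_sasl_authenticated
    if rcpt_domain in authorized_domains:
        return "permit"                      # reject_unauth_destination: destination is ours
    return "reject"                          # reject_unauth_destination: relay access denied
```

A client outside the table that has not authenticated with SASL and sends to an outside domain falls through to reject_unauth_destination and is rejected, which is exactly the port-25 failure the thread describes.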