On Mon, Mar 04, 2013 at 03:03:03PM +0100, Andy Smith wrote:
> debug_peer_list = 192.168.16.19 192.168.16.141
If this were your configuration, logs for connections from these
clients would be verbose. Are they?
> imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
This is an Apple-specific customization; make sure it is appropriate
for your site.
> mynetworks = 127.0.0.0/8, [::1]/128, 192.168.16.0/24
This is generally sufficient to permit hosts in 192.168.16.0/24 to
relay, with no further non-default settings.
> smtpd_client_restrictions =
> permit_mynetworks
> permit_sasl_authenticated
> permit
This is pointless; it is equivalent to the default:
smtpd_client_restrictions =
Just remove this setting from main.cf.
> smtpd_recipient_restrictions =
> permit_mynetworks,
> reject_unauth_destination
This is the default setting; just remove this from main.cf (don't
set it empty; rather, don't assign any value at all, e.g. comment
it out).
> smtpd_tls_ciphers = medium
> tls_random_source = dev:/dev/urandom
These are harmless, but pointless unless you enable TLS via
"-o ..." options in master.cf.
> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
You should not customize cipher exclusion for no reason. The
defaults work better.
Are there any "smtpd -o ..." options in master.cf?
> use_sacl_cache = yes
Apple-specific, find out what it does.
> Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: connect from
> unknown[192.168.16.19]
> Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: NOQUEUE:
> reject: RCPT from unknown[192.168.16.19]: 554 5.7.1
> <[email protected]>: Relay access denied; from=<[email protected]>
> to=<[email protected]> proto=ESMTP helo=<iMac-de-Ana-Bru-2.domain.com>
> Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: disconnect
> from unknown[192.168.16.19]
No evidence of debug logging, likely your Postfix is not using
the main.cf file you're showing.
> I'm left with the understanding
> that smtpd_client_restrictions = permit_mynetworks
> permit_sasl_authenticated permit should be sufficient but it doesn't
> work.
This setting has no effect at all.
> I also tried adding the smtpd_recipient_restrictions config
> line as this wasn't present initially, but this made no difference.
This is the default, and permits clients in mynetworks. So likely
your server is using a different main.cf file.
--
Viktor.
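
The check made by eye in the reply above (a client listed in debug_peer_list connects, yet the log shows no verbose output, so the running Postfix is probably not reading that main.cf), written out as an added example; it is not code from the thread or from Postfix. The function names, the sample data and the verbose line format matched by `DIALOGUE` are assumptions.

```python
import ipaddress
import re

# Constructed sample: the setting from the thread, and its log excerpt with the
# wrapped lines rejoined and the mail addresses left out.
MAIN_CF = "debug_peer_list = 192.168.16.19 192.168.16.141\n"
LOG = """\
Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: connect from unknown[192.168.16.19]
Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: NOQUEUE: reject: RCPT from unknown[192.168.16.19]: 554 5.7.1 Relay access denied
Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: disconnect from unknown[192.168.16.19]
"""

CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from \S*\[([0-9a-fA-F.:]+)\]")
# Assumed verbose format: "< client[addr]: command" and "> client[addr]: reply".
DIALOGUE = re.compile(r"postfix/smtpd\[(\d+)\]: [<>] \S*\[[0-9a-fA-F.:]+\]: ")


def debug_peers(main_cf):
    """Return the address and CIDR entries of debug_peer_list as networks."""
    lines = [l for l in main_cf.splitlines() if not l.lstrip().startswith("#")]
    text = re.sub(r"\n[ \t]+", " ", "\n".join(lines))  # join continuation lines
    nets = []
    for line in text.splitlines():
        name, _, value = line.partition("=")
        if name.strip() != "debug_peer_list":
            continue
        nets = []  # a later assignment overrides an earlier one
        for tok in filter(None, re.split(r"[,\s]+", value)):
            try:
                nets.append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                pass  # hostname or table pattern: skipped here
    return nets


def peers_without_debug(main_cf, log):
    """Listed peers that connected while their smtpd logged no SMTP dialogue."""
    nets = debug_peers(main_cf)
    seen, verbose_pids = {}, set()
    for line in log.splitlines():
        m = CONNECT.search(line)
        if m and any(ipaddress.ip_address(m.group(2)) in n for n in nets):
            seen.setdefault(m.group(2), set()).add(m.group(1))
        m = DIALOGUE.search(line)
        if m:
            verbose_pids.add(m.group(1))
    return sorted(ip for ip, pids in seen.items() if not pids & verbose_pids)


if __name__ == "__main__":
    for ip in peers_without_debug(MAIN_CF, LOG):
        print(ip, "is in debug_peer_list but logged no verbose output")
```

The match is per smtpd process id, so it is a heuristic: a process that served several clients counts as verbose for all of them. On a live system, `postconf -n` prints the non-default settings from the main.cf that Postfix actually reads.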