On 3/13/2013 5:13 AM, Christian Rößner wrote:
>> The smtpd_relay_restrictions is intended for relay decisions
>> only[1]. In this case, that looks like it would be:
>>
>> authenticated_smtpd_relay_restrictions =
>>     permit_sasl_authenticated
>>     reject_unauth_destination
>>
>> (and I suggest plain old "reject", rather than
>> "reject_unauth_destination" on the submission service to prevent
>> outsiders from abusing it)
>>
>> and those two directives could be removed from
>> smtpd_recipient_restrictions.
>
>
> Is this one right now?
>
> master.cf:
> 193.239.107.42:submission inet n - - - - smtpd
>     -o syslog_name=postfix:587
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_banner=${smtpd_submission_banner}
>     -o myhostname=mail.roessner-net.de
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_tls_cert_file=/etc/ssl/certs/mail.roessner-net.de.pem
>     -o smtpd_tls_key_file=/etc/ssl/private/mail.roessner-net.de.key.pem
>     -o smtpd_tls_CAfile=/etc/ssl/certs/SSL123_CA_Bundle.pem
>     -o smtpd_tls_security_level=encrypt
>     -o always_add_missing_headers=yes
>     -o smtpd_relay_restrictions=${authenticated_smtpd_relay_restrictions}
>     -o smtpd_recipient_restrictions=${authenticated_smtpd_recipient_restrictions}
>     -o smtpd_reject_footer=
>
> main.cf:
> authenticated_smtpd_relay_restrictions =
>     check_sender_access pcre:${map}/sender_access.pcre,
>     check_recipient_access ${mapidx}/reject_srvint_net,
>     reject_non_fqdn_recipient,
>     permit_sasl_authenticated,
>     reject_unauthenticated_sender_login_mismatch,
>     reject
>
> authenticated_smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     reject

The correct way would be to reverse these -- use the relay
restrictions for relay decisions only (sasl user = OK; anyone else,
reject).

>
> At least it works. I still do not understand the need for this new option :( I
> re-read things and see that using this new option is the preferred solution.
> But what was so bad with "old" smtpd_recipient_restrictions?

The intention is to make a safety net for relay decisions only, not
polluted with anti-spam or local policy controls that can
accidentally create an open relay. This is a good thing.

>
> Why does this not work, if I set:
>
> authenticated_smtpd_relay_restrictions =
>     check_sender_access pcre:${map}/sender_access.pcre,
>     check_recipient_access ${mapidx}/reject_srvint_net,
>     reject_non_fqdn_recipient,
>     permit_sasl_authenticated,
>     reject_unauthenticated_sender_login_mismatch,
>     reject
>
> authenticated_smtpd_recipient_restrictions =
>     reject_unauth_destination
>
> I would think that a user already got permission in the
> smtpd_relay_restrictions.

A "permit" from one smtpd_*_restrictions section does not pass to
the next section. For mail to be accepted, each
smtpd_*_restrictions section must evaluate to permit or OK.

  -- Noel Jones
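As an added illustration (not part of the thread), the two configurations side by side in the layout Noel describes: the relay list decides only "authenticated or not", and the policy checks move to the recipient list, which ends without an explicit result and therefore permits whatever the checks did not reject. The map names ${map} and ${mapidx} are taken from Christian's posting; the service name and overrides are the ones shown in his master.cf.

```ini
# --- Before (the failing variant from the thread) ---
# relay list permits the SASL user, but the recipient list then runs
# reject_unauth_destination on its own and rejects the same message:
# a permit in one smtpd_*_restrictions list never carries into the next.
#
# authenticated_smtpd_relay_restrictions =
#     check_sender_access pcre:${map}/sender_access.pcre,
#     check_recipient_access ${mapidx}/reject_srvint_net,
#     reject_non_fqdn_recipient,
#     permit_sasl_authenticated,
#     reject_unauthenticated_sender_login_mismatch,
#     reject
# authenticated_smtpd_recipient_restrictions =
#     reject_unauth_destination

# --- After (relay decision kept separate from policy) ---
# main.cf

# Relay safety net only: authenticated clients may relay, nobody else.
# Plain "reject" (not reject_unauth_destination) on the submission
# service, so outsiders cannot use it even for local recipients.
authenticated_smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject

# Local policy / anti-abuse checks. No trailing "reject": a restriction
# list that reaches its end without an explicit result evaluates to
# permit, so every list the message passes through ends up permitting.
authenticated_smtpd_recipient_restrictions =
    check_sender_access pcre:${map}/sender_access.pcre,
    check_recipient_access ${mapidx}/reject_srvint_net,
    reject_non_fqdn_recipient,
    reject_unauthenticated_sender_login_mismatch

# master.cf (only the two relevant overrides of the submission service)
#   -o smtpd_relay_restrictions=${authenticated_smtpd_relay_restrictions}
#   -o smtpd_recipient_restrictions=${authenticated_smtpd_recipient_restrictions}
```

Both lists are evaluated at RCPT TO, relay restrictions first; a message is accepted only when each list on its own reaches a permit.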