On Fri, May 31, 2013 at 11:15:05AM -0400, James Zee wrote:
> On Fri, May 31, 2013 at 8:09 AM, /dev/rob0 <r...@gmx.co.uk> wrote:
> > On Fri, May 31, 2013 at 12:43:51AM -0400, James Zee wrote:

snip

> > Also, you really should separate submission from your inbound
> > port 25. I only allow relaying on the submission port. As such
> > I define separate smtpd_*_restrictions for the submission port,
> > to wit:
> >
> > [ master.cf ]
> >
> > submission inet n - n - - smtpd
> >   -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes

These two options are not set globally, but only for submission.

> >   -o smtpd_recipient_restrictions=

This one is unset, to override the main.cf default.

> >   -o smtpd_relay_restrictions=$submission_relay_restrictions

And this one is set to a non-standard name which is defined in the
main.cf file.

> >   -o milter_macro_daemon_name=ORIGINATING
> >   -o syslog_name=postfix/submission
> >
> > (Also unset any other restrictions which are in use on port 25.)

If you had any other smtpd_*_restrictions set in main.cf, they should
be unset here just as was shown for smtpd_recipient_restrictions.

> Thanks for the tip. This is a good idea that I just attempted to
> implement based on some reading / research.
>
> Forgive the lack of knowledge in this particular field -- like your
> postscreen readme indicated, I'm attempting to walk before I run. :)
> Any gentle guidance on things to improve in this master.cf snippet
> would be definitely appreciated and humbly accepted.
>
> -->8--
>
> submission inet n - - - - smtpd

Your chroot issues are between you and the Debian maintainer. I will
have no part of it, thank you. :)

>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt

You did not override the main.cf settings I showed you above.

> smtps inet n - - - - smtpd
>   -o syslog_name=postfix/smtps

smtps is deprecated, and was never actually finalized as a protocol.
Only old (and highly vulnerable) Microsoft clients need it, being
unable to STARTTLS in submission. Those clients are not worth
supporting. Tell your users to download Thunderbird.

> --8<--
>
> Look good?

It was not what I said.

snip

> >> reject_unauth_destination
> >
> > smtpd_relay_restrictions has this, so it's not needed here.
> > OTOH perhaps you did need the permit_* restrictions you have
> > omitted; everything here will also be applied to your own
> > users: very wrong!
>
> Can you please clarify?

Every smtpd_* postconf(5) setting you define in main.cf applies to
every smtpd(8) instance you invoke from master.cf except where the
master.cf command line explicitly overrides those settings.

Did you test relaying with the settings in the OP? I'm guessing you
did not.

> I omitted permit_* restrictions because I didn't think that they
> were necessary if a message passed all of the reject restrictions.
> Should I be explicitly defining a permit? If so, where and why?

If you define an optional restriction stage (and with
smtpd_relay_restrictions in Postix(sic)[1] 2.10 and later,
smtpd_recipient_restrictions is optional), it is evaluated for every
connection to every smtpd, unless as I mentioned a few times above,
overridden in the master.cf command line.

SMTPD_ACCESS_README.html#lists explains how this works. For a message
to be accepted, every restriction stage must evaluate to a permit
action. You have your permit_* restrictions in
smtpd_relay_restrictions, but not in smtpd_recipient_restrictions.
Therefore, relaying is forbidden by smtpd_recipient_restrictions.

[1] Wietse, this is a typo in the man page at the end of
postconf.5.html#smtpd_relay_restrictions
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
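The restriction-stage semantics discussed in this thread, as an added example that is not from the list post or from Postfix itself: a simplified Python model of how smtpd walks a restriction list (the first restriction that returns a verdict decides, reaching the end of the list permits) and accepts mail only when every configured stage permits, run against a main.cf with permit_* only in the relay stage and against the submission instance where master.cf unsets the recipient stage. The Session fields, the example.org/example.com domains and the reduced set of restrictions are assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Session:  # constructed session facts a restriction can inspect
    sasl_authenticated: bool
    client_in_mynetworks: bool
    rcpt_domain: str
    # assumed: domains this server accepts mail for (mydestination etc.)
    local_domains: frozenset = field(default_factory=lambda: frozenset({"example.org"}))

# Each restriction returns "permit", "reject" or None (no decision, keep going).
def permit_mynetworks(s):
    return "permit" if s.client_in_mynetworks else None

def permit_sasl_authenticated(s):
    return "permit" if s.sasl_authenticated else None

def reject_unauth_destination(s):
    return None if s.rcpt_domain in s.local_domains else "reject"

def evaluate_list(restrictions, session):
    """First restriction with a verdict decides; reaching the end means permit."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict is not None:
            return verdict
    return "permit"

def evaluate_stages(stages, session):
    """Mail is accepted only when every configured stage permits it. A stage
    that master.cf unset (-o smtpd_recipient_restrictions=) has no entries
    and therefore cannot reject."""
    for name, restrictions in stages.items():
        if evaluate_list(restrictions, session) != "permit":
            return f"reject ({name})"
    return "accept"

# main.cf as in the thread: permit_* only in the relay stage, while the
# recipient stage still carries reject_unauth_destination on its own.
MAIN_CF = {
    "smtpd_relay_restrictions":
        [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination],
    "smtpd_recipient_restrictions": [reject_unauth_destination],
}
# Submission instance with the master.cf override: recipient stage unset.
SUBMISSION = {**MAIN_CF, "smtpd_recipient_restrictions": []}

AUTH_USER_RELAY = Session(True, False, "example.com")   # own user, remote rcpt
STRANGER_RELAY = Session(False, False, "example.com")   # unknown client, remote rcpt
```

Calling evaluate_stages(MAIN_CF, AUTH_USER_RELAY) shows the authenticated user being rejected by smtpd_recipient_restrictions, while the same user relays through SUBMISSION and the stranger is still rejected by smtpd_relay_restrictions in both.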