On 10/18/2013 12:14 PM, francis picabia wrote:
> I did have some PERMIT lines in /etc/postfix-internal/recipient_access
> which didn't belong there. However, with all PERMIT cases removed
> and postmap run on the file, I see a new log entry of "Relay access denied"

"Relay access denied" is the response given by either reject_unauth_destination or defer_unauth_destination. In the configuration you posted, the only place I saw either was in smtpd_relay_restrictions. Furthermore, it was a 454 deferral, presumably from defer_unauth_destination. So the client made it through all your checks without authentication, then was deferred by the safety net.

Previously posted:
> smtpd_recipient_restrictions = reject_unlisted_recipient,
> reject_unknown_recipient_domain, check_recipient_access
> hash:/etc/postfix-internal/recipient_access,
> permit_sasl_authenticated, permit_mynetworks, reject

The only way an unauthenticated, not-mynetworks client can make it through the above is if the check_recipient_access map returns OK. Otherwise they get a generic 550 "Access denied" from the final reject.

You have a lurking open relay problem, but are saved by the smtpd_relay_restrictions safety net. Fix the problem before it gets to the safety net.

> smtpd_client_restrictions = check_sender_access
> hash:/etc/postfix-internal/localdomain, check_client_access
> hash:/etc/postfix-internal/access
>
> localdomain:
>
> example.com OK
> us...@example.com 550 Account compromised
>
> I believe at the time I found that first OK line was required for
> all other accounts to be able to deliver.

It shouldn't be necessary to OK your domain as sender. Maybe that's the culprit, but I don't see it in the config you posted.

This probably isn't related, but consider setting
-o mynetworks=127.0.0.1
on the master.cf submission and smtps entries. It's customary for those services to require AUTH regardless of where the client is located.

Also not really related, but this is kind of a no-op:
> smtpd_sender_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unknown_sender_domain, check_sender_access
> hash:/etc/postfix-internal/localdomain, check_client_access
> hash:/etc/postfix-internal/access

On an outgoing-only server, the only restriction that makes any sense after permit_mynetworks, permit_sasl_authenticated is reject. Either you're authorized or not.

-- 
Noel Jones
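A toy model of the first-match evaluation discussed in this reply, added here as an example and not code from Postfix or from anyone in the thread: it runs the posted smtpd_recipient_restrictions and Postfix's default smtpd_relay_restrictions against a constructed unauthenticated outside client, showing how one stray OK in recipient_access makes the recipient stage permit relaying while only the relay stage's defer_unauth_destination stops it. The map contents, the client and recipient addresses, and the local-domain set are constructed assumptions; the 554 default for the final "reject" is Postfix's reject_code default.

```python
"""Toy evaluator for Postfix smtpd restriction lists (added example, not Postfix code).
Simplified first-match semantics: restrictions run in order; the first one yielding OK,
REJECT or DEFER decides that stage; anything unmodelled here falls through (DUNNO)."""
LOCAL_DOMAINS = {"example.com"}   # assumption: stands in for mydestination / virtual domains
REJECT_CODE = 554                 # Postfix default reject_code for the final "reject"
RECIPIENT_RESTRICTIONS = [        # the smtpd_recipient_restrictions posted in the thread
    "reject_unlisted_recipient", "reject_unknown_recipient_domain",
    "check_recipient_access hash:/etc/postfix-internal/recipient_access",
    "permit_sasl_authenticated", "permit_mynetworks", "reject",
]
RELAY_RESTRICTIONS = [            # Postfix default smtpd_relay_restrictions (the safety net)
    "permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination",
]

def access_lookup(table, address):
    """check_*_access lookup (simplified): user@domain first, then the bare domain."""
    if address in table:
        return table[address]
    return table.get(address.rpartition("@")[2])   # None means no match (DUNNO)

def evaluate(restrictions, client, tables):
    """Run one restriction list for one RCPT TO and return the deciding action."""
    recipient_domain = client["recipient"].rpartition("@")[2]
    for r in restrictions:
        if r == "permit_sasl_authenticated" and client["sasl"]:
            return "OK"
        if r == "permit_mynetworks" and client["mynetworks"]:
            return "OK"
        if r == "reject":
            return f"REJECT {REJECT_CODE} Access denied"
        if r.startswith("check_recipient_access "):
            action = access_lookup(tables[r.split(" ", 1)[1]], client["recipient"])
            if action:                  # a map hit such as OK ends this stage right here
                return action
        if r.endswith("_unauth_destination") and recipient_domain not in LOCAL_DOMAINS:
            return ("DEFER 454" if r.startswith("defer") else "REJECT 554") + " Relay access denied"
    return "DUNNO"

def rcpt_decision(client, tables):
    """Whole RCPT TO outcome: Postfix runs the relay stage before the recipient stage."""
    for stage in (RELAY_RESTRICTIONS, RECIPIENT_RESTRICTIONS):
        result = evaluate(stage, client, tables)
        if not result.startswith(("OK", "DUNNO")):
            return result
    return "OK"

# Constructed scenario: unauthenticated outside client trying to relay to a foreign domain.
OUTSIDER = {"recipient": "someone@other.example", "sasl": False, "mynetworks": False}
LEAKY = {"hash:/etc/postfix-internal/recipient_access": {"other.example": "OK"}}  # stray OK line
FIXED = {"hash:/etc/postfix-internal/recipient_access": {}}                       # OK lines removed
```

With LEAKY the recipient stage alone returns OK for the outsider, and only the relay stage's 454 hides that; with FIXED the same client reaches the final reject.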