On 1/18/2017 5:11 AM, Petr Bena wrote:
> I am currently solving a problem where I was requested to block all
> outgoing mail (from our mail server) to all domains except a few listed
> domains.
> 
> I configured smtpd_recipient_restrictions as
> 
> smtpd_recipient_restrictions = check_recipient_access
> hash:/opt/zimbra/postfix/conf/recipient_domains,
> reject_unlisted_recipient, reject_invalid_helo_hostname,
> reject_non_fqdn_sender, reject

That looks reasonable, but you should post "postconf -nf" rather
than random main.cf snippings.

> In logs however, I see stuff like (I had to remove some sensitive data
> from logs):
> 
> Jan 18 16:31:50 in-vx182 postfix/smtps/smtpd[11220]: 5BEA483E01:
> client=unknown[xx.xxx.xxx.xx], sasl_method=PLAIN, sasl_username=trimmed
> 
> Jan 18 16:34:22 in-vx182 postfix/smtp[29670]: 5BEA483E01:
> to=<trim...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=153,
> delays=153/0/0/0.25, dsn=2.0.0, status=sent (250 2.0.0 from
> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E0F4683DFA)
> 
> Meaning the server allowed mail delivery to gmail, which isn't allowed
> in the configuration. Why is that? Could it be because
> 'smtpd_relay_restrictions' contains 'permit_sasl_authenticated'?

More likely you have some restriction overrides defined in master.cf
for smtps and submission.

> I don't really understand how that access control flow works here, which
> one has precedence, relay_restrictions or recipient_restrictions.
> Also what if I wanted to require sasl and also whitelist? Right now it
> seems that once any of the defined rules is passed, everything else is
> skipped (e.g. user is authenticated over sasl so it doesn't care about
> domain whitelist)?

Mail must pass all smtpd_*_restrictions sections to be accepted;
mail rejected in any section is never accepted.  It is certainly
possible to require sasl auth and still use a recipient whitelist.

Specific services such as smtps or submission may have their own
restrictions defined in master.cf.

If you need more help, please show "postconf -nf" and "postconf -Mf".



  -- Noel Jones
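For readers who want to see the two points above (mail must pass every smtpd_*_restrictions section, and master.cf overrides replace the main.cf list for that service) in an actual configuration, here is an added illustration. It is not part of the original thread and is not Zimbra's shipped config; the whitelisted domains and the submission entry are assumptions, the map path is the one from Petr's post.

```conf
# --- main.cf (constructed example) ---

# Relay policy, evaluated before the recipient section: only trusted
# networks and SASL-authenticated users may relay to remote destinations.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination

# Recipient policy, evaluated afterwards. A message must pass BOTH lists,
# so an authenticated user still has to satisfy the domain whitelist.
# An "OK" hit in the access map permits that recipient and ends this list;
# any domain not in the map falls through to the final "reject".
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    check_recipient_access hash:/opt/zimbra/postfix/conf/recipient_domains,
    reject

# --- /opt/zimbra/postfix/conf/recipient_domains (run "postmap" on it) ---
# access(5) tries user@domain, then domain, then parent domains, so bare
# domain keys whitelist every address in that domain (assumed domains):
#
#   example.com        OK
#   partner.example    OK

# --- master.cf: the usual reason "the whitelist is ignored" ---
# A per-service "-o smtpd_recipient_restrictions=..." REPLACES the main.cf
# list for that service. A stock-style submission entry such as
#
#   submission inet n - n - - smtpd
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#
# therefore lets any authenticated user send anywhere. Either remove that
# override so the main.cf list applies, or make the override enforce the
# same whitelist (master.cf values use commas instead of spaces):
#
#   submission inet n - n - - smtpd
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#     -o smtpd_recipient_restrictions=check_recipient_access,hash:/opt/zimbra/postfix/conf/recipient_domains,reject
#
# "postconf -nf" shows the effective main.cf values and "postconf -Mf" the
# per-service overrides, which is where such a leak shows up.
```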