On 23/2/2018 9:00 PM, Bill Cole wrote:

The restriction lists in Postfix are run in a fixed logical order (client, helo, sender, relay, recipient, data, end_of_data) and 'OK' from an early restriction list (smtpd_client_restrictions) *DOES NOT* prevent 'REJECT' by a later restriction list (smtpd_recipient_restrictions.) OK only terminates a single restriction list, not the whole set of lists, so in this case the transaction is exiting the smtpd_client_restrictions list with OK at "check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it still must pass through smtpd_recipient_restrictions, where it is rejected by "reject_unauth_destination" because you are not the final destination for the recipient domain nor do you have the recipient domain in $relay_domains.

Thank you all for your feedback and especially Bill for the detailed explanation.

The solution was as simple as adding permit_mynetworks to smtpd_recipient_restrictions. Since client connectivity is controlled by smtpd_client_restrictions, in this scenario there is no reason to not allow relay access to all mynetwork.

Best Regards,
Nick
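
A simplified model of the evaluation order described in this thread, added here as an example; it is not part of the original messages and not Postfix's own code. The addresses, the domain and the reduction of each restriction to a one-line check are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
NON_TLS_CLIENTS = [ipaddress.ip_network("192.0.2.10/32")]  # stands in for non-tls-clients.cidr
LOCAL_DOMAINS = {"example.com"}  # stands in for mydestination / $relay_domains

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

# Each restriction returns "OK", "REJECT" or "DUNNO" (no decision, try the next one).
RESTRICTIONS = {
    "check_client_access": lambda s: "OK" if in_nets(s["client"], NON_TLS_CLIENTS) else "DUNNO",
    "permit_mynetworks": lambda s: "OK" if in_nets(s["client"], MYNETWORKS) else "DUNNO",
    "reject_unauth_destination": lambda s: (
        "DUNNO" if s["rcpt"].rsplit("@", 1)[1] in LOCAL_DOMAINS else "REJECT"),
}

def evaluate(config, session):
    """Walk the lists in order: OK ends only the current list, REJECT ends the transaction."""
    trace = []
    for list_name, names in config:
        result = "DUNNO"
        for name in names:
            result = RESTRICTIONS[name](session)
            if result != "DUNNO":
                break
        trace.append((list_name, result))
        if result == "REJECT":
            return "REJECT", trace
    return "ACCEPT", trace

# The configuration before and after the change described in the thread.
BEFORE = [("smtpd_client_restrictions", ["check_client_access"]),
          ("smtpd_recipient_restrictions", ["reject_unauth_destination"])]
AFTER = [("smtpd_client_restrictions", ["check_client_access"]),
         ("smtpd_recipient_restrictions", ["permit_mynetworks", "reject_unauth_destination"])]

if __name__ == "__main__":
    inside = {"client": "192.0.2.10", "rcpt": "user@remote.example"}
    outside = {"client": "198.51.100.7", "rcpt": "user@remote.example"}
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "inside client: ", evaluate(cfg, inside))
        print(label, "outside client:", evaluate(cfg, outside))
```

With permit_mynetworks in smtpd_recipient_restrictions, every address in mynetworks is authorized to relay, so that range should cover only hosts that are meant to relay.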
