On Mon, Jan 21, 2019 at 10:21:07PM -0800, Stephen McHenry wrote: > The two config parameters that seem most relevant to the problem are listed > below: > (from postconf -n) > > smtpd_recipient_restrictions = > permit_mynetworks, > permit_sasl_authenticated, > permit_auth_destination,
Though it does not explain the purported open relay issue, "permit_auth_destination" here makes no sense. I think you should delete it. Anything it does not permit is sure to be blocked below, so it is simpler to just move "reject_unauth_destination" here (multiple back-to-back conditional rejects "commute" and a conditional permit followed by the opposite reject is equivalent to that permit followed by an unconditional "reject"). So this is effectively your last rule. > reject_non_fqdn_sender, > reject_non_fqdn_recipient, > reject_unknown_sender_domain, > reject_unknown_recipient_domain, > reject_unauth_destination, With the "permit_auth_destination" above, nothing ever gets past this point. So all the rules below are then pointless. > reject_unlisted_recipient, > reject_unauth_destination, > check_recipient_access regexp:/etc/postfix/recipient_checks.regexp, > check_recipient_access hash:/etc/postfix/recipient_checks, > reject_unauth_pipelining, > reject_invalid_hostname, > reject_non_fqdn_hostname, > reject_rbl_client domain-name, > permit > (and from postconf -d) > > smtpd_relay_restrictions = > permit_mynetworks, > permit_sasl_authenticated, > defer_unauth_destination I charitably assume you're posting "postconf -d" because you don't specify this at all in main.cf. It is best to not let the default stand in this case, and to replace "defer_unauth_destination" with "reject_unauth_destination". With that default in place, relaying can only happen: 1. From clients in "mynetworks" 2. From SASL authenticated accounts 3. To domains listed in mydestination, relay_domains, virtual_mailbox_domains, virtual_alias_domains. So if mail from 3rd parties is being routed to 3rd parties, one of these three is the problem. The 3rd can be an issue if something in your system is resending mail based on "To/Cc" headers, rather than the message envelope. Check for misconfigured message processing code. Finally, make sure that the "open relay" messages are actually coming in via SMTP. There's always web forms, and the like. > What's really confounding me is that it seems to be (properly) rejecting > all relay email except those that have mydomain.com in their from address. > Adding to that confusion is that this same set of config parameters used to > work fine on the old system, so I've also been looking at relevant defaults > that changed. Unfortunately, I'm coming up dry at this point. > > Any help or pointers would be greatly appreciated. 1. You should check master.cf, and especially its "submission" entry for any poorly configured rules. 2. You should post the *full* output of "postconf -nf" with no reformatting of the output even to change line breaks. 3. You should post logs that show Postfix accepting and delivering an instance of unauthorized relaying. 4. Make sure you don't have any compromised SASL accounts 5. Make sure that "mynetworks" is not misconfigured. 6. Make sure that master.cf overrides (postconf -Mf?) are not breaking relay control for either port 25, or submission, ... -- Viktor.