On Thu, May 13, 2021 at 03:39:41PM -0400, Alex wrote:
> > This was rejected by "reject_unauth_destination".
>
> Thank you so much. I had included my smtpd_recipient_restrictions
> earlier in this thread, but should have been more complete. This is
> the multi-instance postfix you helped me configure some time ago. Mail
> is first processed by this postfix-117 instance, sent to amavisd, then
> forwarded to postfix-out where it's sent to the recipient.

One would expect to find anti-relay policies only at the input stage,
with the downstream output instance(s) accepting all mail sent by the
upstream instance(s).

Is the below the configuration of the input or output instance?

> mydestination =
> relay_domains = $mydestination, example.com, nnnhelp.zendesk.com

Addresses in "relay_domains" would typically be accepted. Is
"nnnhelp.zendesk.com" verbatim the domain that's getting refused?

> smtpd_client_restrictions =
>     permit_mynetworks,
>     check_client_access ${indexed}client_checks,
>     check_reverse_client_hostname_access
>         pcre:$config_directory/fqrdns-042715a.pcre,
>     check_reverse_client_hostname_access
>         pcre:$config_directory/reverse_client_hostname_access.pcre,
>     check_client_access cidr:$config_directory/client_access_blocklist
>
> smtpd_helo_restrictions =
>     permit_mynetworks
>     check_helo_access ${indexed}helo_checks
>     check_helo_access pcre:$config_directory/helo_checks.pcre permit

Probably not where the problem lies.

> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     reject_unlisted_recipient,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     reject_unauth_destination,

This should not reject domains listed in $relay_domains. Any
relevant overrides in master.cf? (See "postconf -Mf" output).

>     reject_rhsbl_reverse_client dbl.spamhaus.org,
>     reject_rhsbl_sender dbl.spamhaus.org,
>     reject_rhsbl_helo dbl.spamhaus.org,
>     reject_rhsbl_sender uri.mykey.invaluement.com,
>     check_helo_access pcre:$config_directory/helo_checks.pcre,
>     check_helo_access ${indexed}helo_checks,
>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     check_policy_service unix:private/policy-spf,
>     check_policy_service inet:127.0.0.1:2501,
>     check_recipient_access pcre:$config_directory/recipient_checks,
>     check_recipient_access pcre:$config_directory/nnnhelp-zendesk,
>     permit
>
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     check_sender_access ${indexed}sender_checks,
>     check_sender_access pcre:$config_directory/sender_checks.pcre,
>     check_sender_access ${indexed}spamsources,
>     check_sender_ns_access ${indexed}blacklist_ns.cf,
>     reject_unknown_sender_domain
>
> /etc/postfix-117/nnnhelp-zendesk:
> /example\.com$/ permit

Use of a PCRE table for relay control is a bad idea. The above matches
more domains than you actually intended. The "relay_domains" setting
should be enough. [ I assume it is not actually "example.com"... ]

What is your (built-in default?) setting of "smtpd_relay_restrictions"?

> /etc/postfix-out/transport:
> example.com smtp:example-com.mail.protection.outlook.com

--
Viktor.
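
Added example, not part of the original message: a small audit of the quoted `/example\.com$/ permit` entry, showing which recipient addresses it permits beyond the one domain. Assumptions: Python's `re` stands in for PCRE, Postfix's default case-insensitive matching is modelled with `re.IGNORECASE`, only `example.com` itself was intended, and the probe addresses and the anchored contrast pattern are constructed.

```python
import re

# Entry quoted in the message (/etc/postfix-117/nnnhelp-zendesk).
PAGE_TABLE = r"/example\.com$/ permit"
# Constructed contrast: the same pattern anchored at the "@".
ANCHORED_TABLE = r"/@example\.com$/ permit"
# Assumption: only this exact domain was meant to be permitted.
INTENDED = {"example.com"}
# Constructed probe recipients.
PROBES = [
    "user@example.com",
    "user@sub.example.com",
    "user@notexample.com",
    "user@example.com.attacker.test",
    "user@EXAMPLE.COM",
    "user@examplexcom",
]

def parse_table(text):
    """Parse '/pattern/ action' lines into (compiled_regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"unsupported table line: {line!r}")
        # pcre tables see the whole address and ignore case by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, address):
    """Return the action of the first matching rule, or None."""
    for rx, action in rules:
        if rx.search(address):
            return action
    return None

def overmatches(table_text, intended=INTENDED, probes=PROBES):
    """List probes that are permitted although their domain is not intended."""
    rules = parse_table(table_text)
    return [a for a in probes
            if lookup(rules, a) == "permit"
            and a.rsplit("@", 1)[-1].lower() not in intended]

if __name__ == "__main__":
    print("page pattern over-matches:", overmatches(PAGE_TABLE))
    print("anchored pattern over-matches:", overmatches(ANCHORED_TABLE))
```

On a live system, `postmap -q user@notexample.com pcre:/etc/postfix-117/nnnhelp-zendesk` performs the same lookup against the real table.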