started getting 550 #5.7.1 SPF unauthorized mail

2022-08-24 Thread lists
I have a simple 'mail list' where an alias 'ct...@sbt.net.au' sends email
to several recipients, that's been in use for a long time.

today noticed one of these addresses started bouncing with '5.7.1 SPF
unauthorized mail' since just today:

what am I doing wrong ?

worked:

Aug 23 09:27:25 geko postfix/smtp[12957]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 23 09:27:27 geko postfix/smtp[12957]: 3119E21C52F:
to=, relay=asav.tpg.com.au[27.32.32.10]:25, delay=1.9,
delays=0.03/0/0.73/1.2, dsn=2.0.0, status=sent (250 ok:  Message 199653922
accepted)

no longer:

Aug 25 09:22:29 geko postfix/smtp[19538]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Aug 25 09:22:30 geko postfix/smtp[19538]: 61DA820053B:
to=, relay=asav.tpg.com.au[27.32.32.10]:25, delay=1.9,
delays=0.08/0.02/0.74/1, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))

Aug 25 09:39:17 geko postfix/smtp[26188]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Aug 25 09:39:18 geko postfix/smtp[26188]: 5C7FE2004D9:
to=, relay=asav.tpg.com.au[27.32.32.10]:25, delay=0.64,
delays=0.05/0.01/0.26/0.33, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))

looking at the log I see:

# grep 4678220053B  /var/log/maillog

Aug 25 09:38:55 geko postfix/smtpd[21733]: 4678220053B:
client=mail-me3aus01on2049.outbound.protection.outlook.com[40.107.108.49]
Aug 25 09:38:55 geko postfix/cleanup[26173]: 4678220053B:
message-id=
Aug 25 09:38:56 geko opendkim[930]: 4678220053B: failed to parse
authentication-results: header field
Aug 25 09:38:56 geko opendkim[930]: 4678220053B: DKIM verification successful
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B ignoring
Authentication-Results at 1 from geko.sbt.net.au
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B: SPF(mailfrom):
tld.com.au pass
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B: tld.com.au none
Aug 25 09:38:56 geko postfix/qmgr[23312]: 4678220053B:
from=, size=629054, nrcpt=8 (queue active)

Aug 25 09:39:17 geko amavis[23896]: (23896-16) Passed CLEAN
{RelayedOpenRelay}, [40.107.108.49]:3695 [40.107.108.49] 
-> , Queue-ID: 4678220053B, Message-ID:
,
mail_id: ecrv8dP6h0oa, Hits: -1.712, size: 629477, queued_as: 5C7FE2004D9,
4939 ms

Aug 25 09:39:17 geko postfix/smtp[26175]: 4678220053B:
to=, orig_to=,
relay=127.0.0.1[127.0.0.1]:10024, delay=22, delays=1.2/16/0.01/4.9,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 5C7FE2004D9)

Aug 25 09:44:04 geko postfix/qmgr[23312]: 4678220053B: removed
#


# grep 5C7FE2004D9  /var/log/maillog

Aug 25 09:39:17 geko postfix/smtpd[26177]: 5C7FE2004D9:
client=localhost[127.0.0.1]
Aug 25 09:39:17 geko postfix/cleanup[26173]: 5C7FE2004D9:
message-id=
Aug 25 09:39:17 geko postfix/qmgr[23312]: 5C7FE2004D9:
from=, size=629970, nrcpt=1 (queue active)
Aug 25 09:39:17 geko amavis[23896]: (23896-16) Passed CLEAN
{RelayedOpenRelay}, [40.107.108.49]:3695 [40.107.108.49] 
-> , Queue-ID: 4678220053B, Message-ID:
,
mail_id: ecrv8dP6h0oa, Hits: -1.712, size: 629477, queued_as: 5C7FE2004D9,
4939 ms
Aug 25 09:39:17 geko postfix/smtp[26175]: 4678220053B:
to=, orig_to=,
relay=127.0.0.1[127.0.0.1]:10024, delay=22, delays=1.2/16/0.01/4.9,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 5C7FE2004D9)
Aug 25 09:39:18 geko postfix/smtp[26188]: 5C7FE2004D9:
to=, relay=asav.tpg.com.au[27.32.32.10]:25, delay=0.64,
delays=0.05/0.01/0.26/0.33, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))
Aug 25 09:39:18 geko postfix/bounce[26219]: 5C7FE2004D9: sender
non-delivery notification: 0C96B21C52C
Aug 25 09:39:18 geko postfix/qmgr[23312]: 5C7FE2004D9: removed


mail_version = 3.7.2
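
The two grep lookups above follow one message across the amavis re-injection by hand. As an added example (not part of the original post), the Python below does the same correlation by following the "queued as" links, so each bounce is reported with its queue-ID chain, the client that originally submitted the message and the envelope sender; the log lines are constructed placeholders modelled on the excerpts above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on the excerpts above; hosts, addresses and
# queue IDs are placeholders, not values from the post.
SAMPLE_LOG = """\
Aug 25 09:38:55 mx postfix/smtpd[21733]: AAAA00000001: client=mail.sender.example[192.0.2.49]
Aug 25 09:38:56 mx postfix/qmgr[23312]: AAAA00000001: from=<alice@sender.example>, size=629054, nrcpt=8 (queue active)
Aug 25 09:39:17 mx postfix/smtp[26175]: AAAA00000001: to=<bob@isp.example>, orig_to=<list@lists.example>, relay=127.0.0.1[127.0.0.1]:10024, delay=22, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BBBB00000002)
Aug 25 09:39:17 mx postfix/smtpd[26177]: BBBB00000002: client=localhost[127.0.0.1]
Aug 25 09:39:17 mx postfix/qmgr[23312]: BBBB00000002: from=<alice@sender.example>, size=629970, nrcpt=1 (queue active)
Aug 25 09:39:18 mx postfix/smtp[26188]: BBBB00000002: to=<bob@isp.example>, relay=mx.isp.example[198.51.100.10]:25, delay=0.64, dsn=5.0.0, status=bounced (host mx.isp.example[198.51.100.10] said: 550 #5.7.1 SPF unauthorized mail is prohibited. (in reply to DATA command))
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
DELIVERY = re.compile(r"to=<([^>]*)>.*?relay=([^,]+),.*?status=(\w+) \((.*)\)$")
QUEUED_AS = re.compile(r"queued as ([0-9A-F]{6,})")


def parse(log_text):
    """Index Postfix log lines by queue ID and record content-filter hand-offs."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "deliveries": []})
    parent = {}  # re-injected queue ID -> queue ID it was handed off from
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            msgs[qid]["client"] = rest[len("client="):]
        elif daemon == "qmgr" and rest.startswith("from=<"):
            msgs[qid]["sender"] = rest[len("from=<"):rest.index(">")]
        elif (d := DELIVERY.search(rest)):
            rcpt, relay, status, reply = d.groups()
            msgs[qid]["deliveries"].append((rcpt, relay, status, reply))
            if (q := QUEUED_AS.search(reply)):
                parent[q.group(1)] = qid
    return msgs, parent


def bounces(log_text):
    """Return one record per bounced delivery, traced back to the first hop."""
    msgs, parent = parse(log_text)
    out = []
    for qid, msg in list(msgs.items()):
        for rcpt, relay, status, reply in msg["deliveries"]:
            if status != "bounced":
                continue
            chain = [qid]
            while chain[-1] in parent:          # walk back through the filter
                chain.append(parent[chain[-1]])
            out.append({
                "chain": chain[::-1],           # oldest queue ID first
                "origin_client": msgs[chain[-1]]["client"],
                "sender": msg["sender"],
                "rcpt": rcpt,
                "relay": relay,
                "reply": reply,
            })
    return out


if __name__ == "__main__":
    for b in bounces(SAMPLE_LOG):
        print(" -> ".join(b["chain"]), b["origin_client"], b["sender"], b["relay"])
        print("   ", b["reply"])
```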



Re: protecting internal email distribution lists

2022-08-24 Thread Viktor Dukhovni
On Wed, Aug 24, 2022 at 09:32:10PM +0300, Ivars Strazdins wrote:

> Sorry if I replied to the list twice, but Noel’s advice nailed it.
> "check_recipient_access=hash:/etc/postfix/protected_destinations" must
> be added to master.cf smtps and submission, then sending is not
> allowed.

More precisely:

  master.cf:
    submission inet ... smtpd
        ...
        -o smtpd_recipient_restrictions=$submission_recipient_restrictions
        ...
    submissions inet ... smtpd
        ...
        -o smtpd_recipient_restrictions=$submission_recipient_restrictions
        ...

  main.cf:
    indexed = ${default_database_type}:${config_directory}/

    submission_recipient_restrictions =
        check_recipient_access ${indexed}protected_recipients

    smtpd_restriction_classes = protected_list

    protected_list = ...
        check_sender_access ${indexed}list_senders,
        reject

  protected_recipients:
    l...@example.com    protected_list

  list_senders:
    ...

-- 
Viktor.


Re: protecting internal email distribution lists

2022-08-24 Thread Ivars Strazdins
Sorry if I replied to the list twice, but Noel’s advice nailed it.
"check_recipient_access=hash:/etc/postfix/protected_destinations" must be added 
to master.cf smtps and submission, then sending is not allowed.

Thanks!
Kind regards,
Ivars

> On 24 Aug 2022, at 20:15, Noel Jones  wrote:
> 
> Since this is done with smtp_recipient_restrictions, it will only work with 
> mail submitted via SMTP and not with mail sent through the sendmail(1) 
> command.
> 
> Also, you may have put overrides for smtp_recipient_restrictions in master.cf 
> for the submission or submissions (smtps) ports that will need to be adjusted.
> 
> 
> 
>  -- Noel Jones
> 
> 
> On 8/24/2022 11:03 AM, Ivars Strazdiņš wrote:
>> Hi Julio,
>> I tested and it did not work for local users, access is denied (sending not 
>> possible) only for external ones.
>> Mail is sent to l...@domain.com regardless if local sender address is in the 
>> insiders map or not.
>> I use lmtp for local mail delivery, could that be a problem?
>> With kind regards,
>> Ivars
>>> On 24 Aug 2022, at 17:12, julio covolato wrote:
>>> 
>>> 
>>> On 24/08/2022 10:08, Ivars Strazdins wrote:
>>>> Hello Postfix Experts,
>>>> let’s say that domain.com is Postfix $mydomain.
>>>> I know that it is possible to protect /etc/postfix/protected_destinations 
>>>> from external senders, as per 
>>>> https://www.postfix.org/RESTRICTION_CLASS_README.html
>>>> 
>>>> But is it possible to limit users from the same domain who can send mails 
>>>> to an internal email distribution list?
>>>> In other words, is it possible to setup Postfix so that
>>>> us...@domain.com CAN send an email to /etc/postfix/protected_destinations
>>>> us...@domain.com CANNOT send an email to l...@domain.com
>>>> 
>>>> l...@domain.com is a simple Postfix alias.
>>>> 
>>>> Thanks for your time,
>>>> Ivars
>>> 
>>> Hi, yes, you can.
>>> 
>>> main.cf:
>>> 
>>> smtpd_restriction_classes = insiders_only
>>> insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
>>> ...
>>> ...
>>> smtpd_recipient_restrictions = check_recipient_access 
>>> hash:/etc/postfix/protected_destinations
>>> ...
>>> ...
>>> 
>>> /etc/postfix/insiders:
>>> 
>>> us...@domain.com   OK
>>> anotheru...@domain.com    OK
>>> 
>>> /etc/postfix/protected_destinations:
>>> 
>>> l...@domain.com    insiders_only
>>> li...@domain.com    insiders_only
>>> 
>>> $ postmap /etc/postfix/protected_destinations
>>> $ postmap /etc/postfix/insiders
>>> $ postfix reload
>>> 
>>> --
>>> _Engº Julio Cesar Covolato
>>>0v0
>>>   /(_)\  F: 55-11-99175-9260
>>>^ ^   PSI INTERNET
>>> --
> 



Re: protecting internal email distribution lists

2022-08-24 Thread Noel Jones
Since this is done with smtp_recipient_restrictions, it will only 
work with mail submitted via SMTP and not with mail sent through the 
sendmail(1) command.


Also, you may have put overrides for smtp_recipient_restrictions in 
master.cf for the submission or submissions (smtps) ports that will 
need to be adjusted.




  -- Noel Jones


On 8/24/2022 11:03 AM, Ivars Strazdiņš wrote:

Hi Julio,

I tested and it did not work for local users, access is denied 
(sending not possible) only for external ones.
Mail is sent to l...@domain.com regardless if local sender address 
is in the insiders map or not.

I use lmtp for local mail delivery, could that be a problem?
With kind regards,
Ivars

On 24 Aug 2022, at 17:12, julio covolato wrote:



On 24/08/2022 10:08, Ivars Strazdins wrote:

Hello Postfix Experts,
let’s say that domain.com  is Postfix $mydomain.
I know that it is possible to protect 
/etc/postfix/protected_destinations from external senders, as per 
https://www.postfix.org/RESTRICTION_CLASS_README.html


But is it possible to limit users from the same domain who can 
send mails to an internal email distribution list?

In other words, is it possible to setup Postfix so that
us...@domain.com CAN send an email to 
/etc/postfix/protected_destinations

us...@domain.com CANNOT send an email to l...@domain.com

l...@domain.com is a simple Postfix alias.

Thanks for your time,
Ivars


Hi, yes, you can.

main.cf:

smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
...
...
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_destinations

    ...
    ...

/etc/postfix/insiders:

us...@domain.com   OK
anotheru...@domain.com    OK

/etc/postfix/protected_destinations:

l...@domain.com    insiders_only
li...@domain.com    insiders_only

$ postmap /etc/postfix/protected_destinations
$ postmap /etc/postfix/insiders
$ postfix reload

--
 _Engº Julio Cesar Covolato
0v0
   /(_)\  F: 55-11-99175-9260
^ ^   PSI INTERNET
--






Re: protecting internal email distribution lists

2022-08-24 Thread Ivars Strazdiņš



> On 24 Aug 2022, at 19:38, julio covolato  wrote:
> 
> 
> On 24/08/2022 13:06, Jaroslaw Rafa wrote:
>> On 24.08.2022 at 19:03:37, Ivars Strazdiņš wrote:
>>> I tested and it did not work for local users, access is denied (sending not 
>>> possible) only for external ones.
>>> Mail is sent to l...@domain.com  regardless if 
>>> local sender address is in the insiders map or not.
>>> I use lmtp for local mail delivery, could that be a problem?
>> But why can't you configure it in your mailing list manager? It's much
>> easier than trying to do it in Postfix...
> Because postfix does the job properly, and we don't need to configure/maintain 
> an extra package for just one internal list.

Thanks Julio for saying it better than I could do. 
Kind regards,
Ivars



Re: protecting internal email distribution lists

2022-08-24 Thread julio covolato



On 24/08/2022 13:06, Jaroslaw Rafa wrote:

On 24.08.2022 at 19:03:37, Ivars Strazdiņš wrote:

I tested and it did not work for local users, access is denied (sending not 
possible) only for external ones.
Mail is sent to l...@domain.com  regardless if local 
sender address is in the insiders map or not.
I use lmtp for local mail delivery, could that be a problem?

But why can't you configure it in your mailing list manager? It's much
easier than trying to do it in Postfix...
Because postfix does the job properly, and we don't need to 
configure/maintain an extra package for just one internal list.


--
_Engº Julio Cesar Covolato
   0v0   
  /(_)\  F: 55-11-99175-9260
   ^ ^   PSI INTERNET
--



Re: protecting internal email distribution lists

2022-08-24 Thread Jaroslaw Rafa
On 24.08.2022 at 19:03:37, Ivars Strazdiņš wrote:
> 
> I tested and it did not work for local users, access is denied (sending not 
> possible) only for external ones.
> Mail is sent to l...@domain.com  regardless if local 
> sender address is in the insiders map or not.
> I use lmtp for local mail delivery, could that be a problem?

But why can't you configure it in your mailing list manager? It's much
easier than trying to do it in Postfix...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: protecting internal email distribution lists

2022-08-24 Thread Ivars Strazdiņš
Hi Julio,

I tested and it did not work for local users, access is denied (sending not 
possible) only for external ones.
Mail is sent to l...@domain.com  regardless if local 
sender address is in the insiders map or not.
I use lmtp for local mail delivery, could that be a problem?
With kind regards,
Ivars

> On 24 Aug 2022, at 17:12, julio covolato  wrote:
> 
> 
> On 24/08/2022 10:08, Ivars Strazdins wrote:
>> Hello Postfix Experts,
>> let’s say that domain.com  is Postfix $mydomain.
>> I know that it is possible to protect /etc/postfix/protected_destinations 
>> from external senders, as per 
>> https://www.postfix.org/RESTRICTION_CLASS_README.html 
>> 
>> 
>> But is it possible to limit users from the same domain who can send mails to 
>> an internal email distribution list?
>> In other words, is it possible to setup Postfix so that
>> us...@domain.com  CAN send an email to 
>> /etc/postfix/protected_destinations 
>> us...@domain.com  CANNOT send an email to 
>> l...@domain.com 
>> 
>> l...@domain.com  is a simple Postfix alias.
>> 
>> Thanks for your time,
>> Ivars
> Hi, yes, you can.
> 
> main.cf:
> 
> smtpd_restriction_classes = insiders_only
> insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
> ...
> ...
> smtpd_recipient_restrictions = check_recipient_access 
> hash:/etc/postfix/protected_destinations
> ...
> ...
> 
> /etc/postfix/insiders:
> 
> us...@domain.com    OK
> anotheru...@domain.com OK
> 
> /etc/postfix/protected_destinations:
> 
> l...@domain.com insiders_only
> li...@domain.com insiders_only
> 
> $ postmap /etc/postfix/protected_destinations
> $ postmap /etc/postfix/insiders
> $ postfix reload
> 
> --
> _Engº Julio Cesar Covolato
>0v0
>   /(_)\  F: 55-11-99175-9260
>^ ^   PSI INTERNET
> --



Re: protecting internal email distribution lists

2022-08-24 Thread Viktor Dukhovni
On Wed, Aug 24, 2022 at 04:08:29PM +0300, Ivars Strazdins wrote:

> I know that it is possible to protect l...@domain.com from external
> senders, as per https://www.postfix.org/RESTRICTION_CLASS_README.html
> 
> But is it possible to limit users from the same domain who can send
> mails to an internal email distribution list?
>
> In other words, is it possible to setup Postfix so that
> us...@domain.com CAN send an email to l...@domain.com,
> us...@domain.com CANNOT send an email to l...@domain.com

Yes, but only against accidents, not against sophisticated users
determined to send mail to the list.

Just make sure that the rules restricting access to the list precede
the rules that allow in general (e.g. permit_mynetworks, ...).

Use "smtpd_relay_restrictions" to prevent open-relay abuse, and
then in "smtpd_recipient_restrictions" enforce the list-specific
rules early.

  main.cf:
    indexed = ${default_database_type}:${config_directory}/

    smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

    smtpd_restriction_classes = list_access

    list_access =
        check_sender_access ${indexed}list-sender,
        reject

    smtpd_recipient_restrictions =
        check_recipient_access ${indexed}rcpt-access,
        ...

  rcpt-access:
    l...@example.com    list_access

  list-sender:
    # List the permitted senders
    us...@example.com   OK

-- 
Viktor.
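
Added illustration, not part of the message above and not Postfix code: a simplified Python model of first-match restriction evaluation, showing why the list rule has to precede the general permits and why a master.cf override of smtpd_recipient_restrictions on the submission service (raised elsewhere in this thread) skips the rule unless it is repeated there. The addresses, table contents and function names are constructed for the example, and only the restrictions named in the thread are modelled.

```python
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed lookup tables and restriction class, reusing the thread's names.
TABLES = {
    "rcpt-access": {"list@example.com": "list_access"},
    "list-sender": {"user1@example.com": "OK"},
}
CLASSES = {"list_access": ["check_sender_access list-sender", "reject"]}


def lookup(table, key, session):
    """Access-table result: OK permits, a class name runs that class."""
    action = TABLES[table].get(key)
    if action == "OK":
        return PERMIT
    if action in CLASSES:
        return evaluate(CLASSES[action], session)
    return DUNNO  # no match: keep evaluating the list


def evaluate(restrictions, session):
    """Run restrictions in order; the first PERMIT or REJECT ends the list."""
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks":
            result = PERMIT if session["in_mynetworks"] else DUNNO
        elif name == "permit_sasl_authenticated":
            result = PERMIT if session["sasl"] else DUNNO
        elif name == "check_recipient_access":
            result = lookup(arg, session["rcpt"], session)
        elif name == "check_sender_access":
            result = lookup(arg, session["sender"], session)
        elif name == "reject":
            result = REJECT
        else:
            raise ValueError(f"restriction not modelled: {name}")
        if result != DUNNO:
            return result
    return DUNNO


def rcpt_decision(main_cf_list, session, master_cf_override=None):
    """A '-o smtpd_recipient_restrictions=...' in master.cf replaces main.cf's list."""
    active = master_cf_override if master_cf_override is not None else main_cf_list
    return evaluate(active, session)


LIST_CHECK = "check_recipient_access rcpt-access"
# Two constructed local, authenticated sessions: one sender is not in
# list-sender, the other is.
outsider = {"sender": "user2@example.com", "rcpt": "list@example.com",
            "in_mynetworks": True, "sasl": True}
insider = dict(outsider, sender="user1@example.com")

if __name__ == "__main__":
    # General permit first: the list rule is never reached for local clients.
    print(rcpt_decision(["permit_mynetworks", LIST_CHECK], outsider))
    # List rule first, as advised above.
    print(rcpt_decision([LIST_CHECK, "permit_mynetworks"], outsider))
    print(rcpt_decision([LIST_CHECK, "permit_mynetworks"], insider))
    # Submission service whose master.cf override lacks the list rule.
    print(rcpt_decision([LIST_CHECK], outsider,
                        master_cf_override=["permit_sasl_authenticated", "reject"]))
```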


Re: protecting internal email distribution lists

2022-08-24 Thread julio covolato


On 24/08/2022 10:08, Ivars Strazdins wrote:

Hello Postfix Experts,
let’s say that domain.com  is Postfix $mydomain.
I know that it is possible to protect 
/etc/postfix/protected_destinations from external senders, as per 
https://www.postfix.org/RESTRICTION_CLASS_README.html


But is it possible to limit users from the same domain who can send 
mails to an internal email distribution list?

In other words, is it possible to setup Postfix so that
us...@domain.com CAN send an email to /etc/postfix/protected_destinations
us...@domain.com CANNOT send an email to l...@domain.com

l...@domain.com is a simple Postfix alias.

Thanks for your time,
Ivars


Hi, yes, you can.

main.cf:

smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
...
...
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_destinations

    ...
    ...

/etc/postfix/insiders:

us...@domain.com   OK
anotheru...@domain.com    OK

/etc/postfix/protected_destinations:

l...@domain.com    insiders_only
li...@domain.com    insiders_only

$ postmap /etc/postfix/protected_destinations
$ postmap /etc/postfix/insiders
$ postfix reload

--
_Engº Julio Cesar Covolato
   0v0
  /(_)\  F: 55-11-99175-9260
   ^ ^   PSI INTERNET
--


Re: protecting internal email distribution lists

2022-08-24 Thread Jaroslaw Rafa
On 24.08.2022 at 16:08:29, Ivars Strazdins wrote:
> Hello Postfix Experts,
> let’s say that domain.com is Postfix $mydomain.
> I know that it is possible to protect l...@domain.com 
>  from external senders, as per 
> https://www.postfix.org/RESTRICTION_CLASS_README.html 
> 
> 
> But is it possible to limit users from the same domain who can send mails to 
> an internal email distribution list?
> In other words, is it possible to setup Postfix so that
> us...@domain.com  CAN send an email to 
> l...@domain.com 
> us...@domain.com  CANNOT send an email to 
> l...@domain.com 
> 
> l...@domain.com  is a simple Postfix alias.

I think this is the job for the mailing list manager software, not for
Postfix.
Mailing list managers (eg. Mailman) usually have extensive configuration
options to do this.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


warning: cannot connect to service private/smtpd

2022-08-24 Thread Brad Chandler
On about two or three occasions in the last couple of weeks, I started getting 
lots of errors like the ones below. There are five relays and they have all had 
the same basic config for several years, but I've never seen this happen 
before. The only thing I had changed recently was updating the ssl cert. The 
first time it happened, all five relays were affected. I think the most recent 
event only affected one relay. These are VMs that relay mail into and out of 
our network, filtering it through Puremessage. A review of the VM resource 
usage during the last event didn't show abnormally high memory or cpu usage. 
I've searched through the logs just before it happens, but I don't see anything 
that triggers it. The OS is RHEL 7.9.

Aug 15 14:40:35 mx03 postfix/master[1553]: warning: service "smtpd" 
(private/smtpd) has reached its process limit "375": new clients may experience 
noticeable delays
Aug 15 14:40:35 mx03 postfix/master[1553]: warning: to avoid this condition, 
increase the process count in master.cf or reduce the service time per client
Aug 15 14:40:35 mx03 postfix/master[1553]: warning: see 
http://www.postfix.org/STRESS_README.html for examples of stress-adapting 
configuration settings
Aug 15 14:42:30 mx03 postfix/postscreen[1723]: warning: timeout sending 
connection to service private/smtpd
Aug 15 14:43:16 mx03 postfix/postscreen[1723]: warning: cannot connect to 
service private/smtpd: Resource temporarily unavailable #This one is repeated 
many times.

Aug 15 18:51:24 mx03 postfix/smtpd[13552]: fatal: watchdog timeout
Aug 15 18:51:25 mx03 postfix/master[1553]: warning: process 
/usr/libexec/postfix/smtpd pid 13552 exit status 1

Aug 15 23:51:26 mx03 postfix/master[1553]: warning: /usr/libexec/postfix/smtpd: 
bad command startup -- throttling

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = pmx:[127.0.0.1]:10025
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 40
default_process_limit = 375
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks

html_directory = no
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
local_destination_concurrency_limit = 4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2500
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 10.0.0.0/8, 127.0.0.0/8, 192.42.4.0/24
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, 
cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_helo_required = yes
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relay_domains = /etc/postfix/relaydomains
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/sender_bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_fallback_relay = mx05
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, 
SEED, IDEA, RC2
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = check_policy_service inet:localhost:4466
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access 
hash:/etc/postfix/helo_checks
smtpd_recipient_restrictions = check_sender_access 
hash:/etc/postfix/valid_users, check_recipient_access 
hash:/etc/postfix/recipient_access, reject_unknown_sender_domain, 
reject_unknown_recipient_domain, reject_non_fqdn_sender, 
reject_non_fqdn_recipient, permit_mynetworks, reject_invalid_helo_hostname, 
reject_non_fqdn_helo_hostname, reject_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access, 
check_client_access cidr:/etc/postfix/enforced_inbound_tls.cidr
smtpd_tls_CAfile = /etc/pki/tls/certs/fullchain.pem
smtpd_tls_cert_file = /opt/ssl/relay.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_eec

protecting internal email distribution lists

2022-08-24 Thread Ivars Strazdins
Hello Postfix Experts,
let’s say that domain.com is Postfix $mydomain.
I know that it is possible to protect l...@domain.com  
from external senders, as per 
https://www.postfix.org/RESTRICTION_CLASS_README.html 


But is it possible to limit users from the same domain who can send mails to an 
internal email distribution list?
In other words, is it possible to setup Postfix so that
us...@domain.com  CAN send an email to l...@domain.com 

us...@domain.com  CANNOT send an email to 
l...@domain.com 

l...@domain.com  is a simple Postfix alias.

Thanks for your time,
Ivars