[pfx] Re: relay_domains override for smtpd
On 1/16/24 19:46, Viktor Dukhovni via Postfix-users wrote:
> The classification of input addresses into address classes as part of
> transport resolution happens in trivial-rewrite(8). This is why changing
> relay_domains in smtpd(8) is ineffective.

Ahhh. That explains everything.

> It works correctly, as intended. It does not seem to make much sense to
> restrict submission on port 587 for a subset of addresses that any
> unauthenticated external sender can target. Your "restricted" users could
> just send to port 25 instead!

Mails to local recipients are blocked for port 25. That seems sensible to me for an edge mailserver. I am trying to set up a channel for training the spam filter with known spam/ham mails sent in from internal users. Setting up a different port seems the cleaner approach in order to separate that from the external mail traffic with regards to logging, firewall setup, monitoring, etc.

> That said, if this is what you actually need, instead of trying to set an
> empty list of relay domains, set an empty list of valid relay recipients,
> which is checked in smtpd(8):
>
> master.cf:
>     submission inet ... smtpd
>         -o { relay_recipient_maps = inline:{@=@} }
>         ...
>
> because just "@" is never going to be a lookup key for a relay recipient
> address. While an empty key is even more strongly never used, and the form
> "inline:{=}" is presently accepted, I expect this is not intentional. It
> would have to be documented, otherwise, at some point, Postfix might reject
> empty keys in inline table definitions.

That is a somewhat funky solution. :) I think I will go with a simple recipient restriction with local addresses instead. That seems clearer and in case I kick the bucket my poor colleague taking over will have an easier time figuring out how it all works.

Thank you, Viktor.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: relay_domains override for smtpd
On Tue, Jan 16, 2024 at 06:12:58PM +0100, Marc Dierksen via Postfix-users wrote:
> I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that accepts
> mails on port 25 for a list of domains defined as relay_domains in the
> main.cf.
>
> I am currently trying to set up a second smtpd process on port 587 that
> accepts mails only for local recipients.
>
> If I set relay_domains to empty in the main.cf it works as expected.

The classification of input addresses into address classes as part of transport resolution happens in trivial-rewrite(8). This is why changing relay_domains in smtpd(8) is ineffective.

> So it seems to me the '-o relay_domains=' parameter for smtpd does not work
> correctly.

It works correctly, as intended. It does not seem to make much sense to restrict submission on port 587 for a subset of addresses that any unauthenticated external sender can target. Your "restricted" users could just send to port 25 instead!

That said, if this is what you actually need, instead of trying to set an empty list of relay domains, set an empty list of valid relay recipients, which is checked in smtpd(8):

master.cf:
    submission inet ... smtpd
        -o { relay_recipient_maps = inline:{@=@} }
        ...

because just "@" is never going to be a lookup key for a relay recipient address. While an empty key is even more strongly never used, and the form "inline:{=}" is presently accepted, I expect this is not intentional. It would have to be documented, otherwise, at some point, Postfix might reject empty keys in inline table definitions.

--
    Viktor.
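
A small check for the pitfall explained in the message above, as an added example that is not part of the original thread or of Postfix: it parses master.cf text and reports smtpd services that override relay_domains, which per that explanation is classified in trivial-rewrite(8) rather than in smtpd(8). The sample file, the 10587 service and the function names are constructed for illustration.

```python
import re

# Constructed sample: the port-587 entry from the thread, plus a hypothetical
# 10587 service using the relay_recipient_maps form suggested in the reply.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
587        inet  n  -  y  -  -  smtpd
  -o relay_domains=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o mynetworks=127.0.0.0/8
# comment lines and blank lines are skipped
10587      inet  n  -  y  -  -  smtpd
  -o { relay_recipient_maps = inline:{@=@} }
  -o syslog_name=postfix/submission
"""

# Assumption taken from the thread: address classes are resolved in
# trivial-rewrite(8), so a per-service smtpd override here changes nothing.
CLASSIFIED_ELSEWHERE = {"relay_domains"}

# Matches "-o name=value" and "-o { name = value }" (one nested {...} allowed).
OVERRIDE = re.compile(
    r"(?<!\S)-o\s+(?:\{\s*([^=\s]+)\s*=\s*((?:[^{}]|\{[^{}]*\})*?)\s*\}"
    r"|([^=\s{]+)=(\S*))")

def parse_master_cf(text):
    """Return {(service, type): {"command": str, "overrides": {name: value}}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                 # start of a new logical line
            fields = raw.split(None, 7)          # 7 fixed fields, then command
            current = {"command": fields[7].split()[0], "overrides": {}}
            entries[(fields[0], fields[1])] = current
            raw = fields[7]
        # A stray continuation line before any entry is ignored.
        for m in OVERRIDE.finditer(raw if current else ""):
            name = m.group(1) or m.group(3)
            value = m.group(2) if m.group(1) else m.group(4)
            current["overrides"][name] = value
    return entries

def ineffective_overrides(text):
    """List (service, parameter) pairs for smtpd overrides that have no effect."""
    return [(svc, p) for (svc, _), e in parse_master_cf(text).items()
            if e["command"] == "smtpd"
            for p in e["overrides"] if p in CLASSIFIED_ELSEWHERE]
```
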
[pfx] Re: relay_domains override for smtpd
Marc Dierksen via Postfix-users:
> Salutations,
>
> I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that
> accepts mails on port 25 for a list of domains defined as relay_domains
> in the main.cf.
>
> I am currently trying to set up a second smtpd process on port 587 that
> accepts mails only for local recipients.
>
> I have added the following entry to the master.cf:
>
> 587 inet n - y - - smtpd
>   -o relay_domains=
>   -o content_filter=
>   -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks,no_milters
>   -o smtpd_helo_restrictions=
>   -o smtpd_client_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_relay_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
>   -o mynetworks=127.0.0.0/8
>
> The idea is that the reject_unauth_destination will reject all mails
> except for local recipients because relay_domains is empty.
>
> Problem is mails for all the domains defined as relay_domains in the
> main.cf are still accepted.
>
> If I set relay_domains to empty in the main.cf it works as expected.
>
> So it seems to me the '-o relay_domains=' parameter for smtpd does not
> work correctly. According to the man page of smtpd however it should be
> supported.

1) You need to check the output from:

    postconf -P 587/inet/relay_domains

2) Verify that you are really sending mail into the port 587 instance. Use John's suggestion to set a distinct syslog_name.

    Wietse
[pfx] Re: relay_domains override for smtpd
On 16/01/2024 18:12, Marc Dierksen via Postfix-users wrote:
> Salutations,
>
> I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that
> accepts mails on port 25 for a list of domains defined as relay_domains
> in the main.cf.
>
> I am currently trying to set up a second smtpd process on port 587 that
> accepts mails only for local recipients.
>
> I have added the following entry to the master.cf:
>
> 587 inet n - y - - smtpd
>   -o relay_domains=
>   -o content_filter=
>   -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks,no_milters
>   -o smtpd_helo_restrictions=
>   -o smtpd_client_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_relay_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
>   -o mynetworks=127.0.0.0/8
>
> The idea is that the reject_unauth_destination will reject all mails
> except for local recipients because relay_domains is empty.
>
> Problem is mails for all the domains defined as relay_domains in the
> main.cf are still accepted.
>
> If I set relay_domains to empty in the main.cf it works as expected.
>
> So it seems to me the '-o relay_domains=' parameter for smtpd does not
> work correctly. According to the man page of smtpd however it should be
> supported.
>
> Am I overlooking something?

Hi Marc

I'm probably missing something, but what would be the advantage of setting up a separate smtpd process for this? Out of curiosity how are these emails being sent to port 587?

One suggestion is to customize the syslog name of the new smtpd instance in master.cf so as to easily distinguish the logging that comes from the two processes.

    -o syslog_name=postfix/submission

Could you show the log entries of what you are seeing when email arrives on port 587?

Thanks
John