
I have a postfix server that I inherited many years ago. Originally it successfully controlled the sending of messages through authentication and IP addresses - if an authenticated user was sending from an IP address in 'mynetworks', it was allowed. Since then it's been through two major upgrades, from Lenny to Jessie in 2017 and from Jessie to Bullseye in 2022. It seems the IP address restriction requirement was lost with the Bullseye upgrade, and now authenticated users can send from any IP address.

All of the smtpd checks and restrictions in main.cf have historically been under smtpd_recipient_restrictions, with smtpd_helo/sender/data_restrictions all being empty. Here are the current settings:

smtpd_recipient_restrictions =
        reject_unlisted_recipient,
        permit_mynetworks,
        check_client_access    hash:/etc/postfix/GEN000_override,
        check_client_access  regexp:/etc/postfix/fqrdns.regexp,
        check_helo_access      hash:/etc/postfix/access,
        check_helo_access    regexp:/etc/postfix/helo_blacklist.regexp,
        check_sender_access    hash:/etc/postfix/blacklist,
        check_sender_access  regexp:/etc/postfix/sender_blacklist.regexp,
        check_sender_mx_access cidr:/etc/postfix/mx_access.txt,
        check_sender_access    hash:/etc/postfix/bdwl
        check_client_access    hash:/etc/postfix/broken_helos,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_non_fqdn_hostname,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/restricted,
        reject_unknown_client,
        reject_unknown_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net

Although I've learned a lot about postfix over the years, I still find the system daunting. Needless to say, lots of packages were replaced and perhaps of significance, we had to move from SquirrelMail to RoundCube for our web-based clients (most use Thunderbird). FWIW I did try...

smtpd_client_restrictions = permit_mynetworks, reject

...and this worked, but had the undesired side effect of bouncing all incoming mail from external sources (e.g. gmail.com) with 554 5.7.1 errors. I am hoping something simple was moved or lost during the upgrade. Pointers welcome!!

  • Assuming you are using Debian's default packages, jessie shipped with postfix 2.11.3 but postfix merged "smtpd_client_restrictions" with relay in 2.10. So the problem was probably not caused when you upgraded to Bullseye. Please read the postfix documentation to have a better understanding about the changes. https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions – pmarkoulidakis May 22 '23 at 09:27
  • Look at the [tag descriptions](https://serverfault.com/tags/postfix/info); I suspect you have different smtpd_mumble_restrictions for general exchange service on 25 and on a submission port such as 465 - that would be clearly visible in a config dump using postconf -n/-M. – anx May 22 '23 at 23:29
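
The last comment points at per-service overrides in master.cf. As an added example (not part of the question or its comments), this Python sketch parses a constructed master.cf and flags services whose `-o` overrides accept SASL logins without a `permit_mynetworks,reject` list. The sample file, the function names and the heuristic are assumptions, and only the plain `-o name=value` form is handled.

```python
import re

# Constructed sample master.cf (not the poster's file): port 25 inherits
# main.cf, the two submission services override restriction lists.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  y  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup     unix  n  -  y  60 1  pickup
"""

RESTRICTION = re.compile(r"^smtpd_\w+_restrictions$")

def service_overrides(master_cf):
    """Map 'service/type' -> {parameter: value} for each '-o name=value'."""
    logical = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                          # blank line or comment
        if line[0].isspace() and logical:     # leading whitespace continues
            logical[-1] += " " + line.strip()  # the previous logical line
        else:
            logical.append(line.strip())
    services = {}
    for entry in logical:
        fields = entry.split()
        args = fields[8:]                     # first 8 fields: service..command
        opts = {}
        for flag, val in zip(args, args[1:]):
            if flag == "-o" and "=" in val:
                name, value = val.split("=", 1)
                opts[name] = value
        services[f"{fields[0]}/{fields[1]}"] = opts
    return services

def sasl_only_services(master_cf):
    """Heuristic: services whose overrides permit SASL users but carry no
    restriction list of the literal form 'permit_mynetworks,reject'."""
    flagged = []
    for svc, opts in service_overrides(master_cf).items():
        lists = [v.split(",") for k, v in opts.items() if RESTRICTION.match(k)]
        sasl = any("permit_sasl_authenticated" in items for items in lists)
        gated = ["permit_mynetworks", "reject"] in lists
        if sasl and not gated:
            flagged.append(svc)
    return flagged
```

In the sample, only `submission/inet` is flagged: `smtps/inet` keeps the client-address gate scoped to that one service, so the port 25 entry still inherits main.cf unchanged.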

0 Answers