0

I'd like to relay mail from my laptop through my server. I've successfully configured postfix and SASL, and I can AUTH successfully using telnet.

dhcp-241:~ jgorset$ telnet mail.example.com 25
Trying 85.25.124.196...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
EHLO mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN ***********************
235 2.7.0 Authentication successful
MAIL FROM: <user@example.com>
250 2.1.0 Ok
RCPT TO: <bob@gmail.com>
554 5.7.1 <bob@gmail.com>: Recipient address rejected: Access denied

As demonstrated above, I'm being denied relay through my postfix server even though I've authenticated and configured postfix to allow authenticated clients to relay mail.

# /etc/postfix/main.cf
# SMTP authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = reject, permit_sasl_authenticated

Am I being rejected because the smtpd_recipient_restrictions option is set to reject, even though it specifically states to permit_sasl_authenticated? I was under the impression that the latter would override the former, seeing that you are required to enter either reject, defer, defer_if_permit or reject_unauth_destination with this option.


Update: Turns out this also happens if I telnet from localhost. If I comment out the smtpd_recipient_restrictions line, I can send mail to anyone (though only from localhost). I'd like to do so from any computer that authenticates using SASL. How should I go about this?

Thanks!

FRKT

2 Answers

2

smtpd_recipient_restrictions are evaluated in order.

You probably want something that at least starts like this:

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks

And then proceed to either reject all (if you are only sending mail and never receiving mail on this server) or reject things that look like spam - check out the postfix docs for UCE to get a good starting point.

Daniel Papasian
2

smtpd_recipient_restrictions are matched from left-to-right, first match wins.

You want smtpd_recipient_restrictions = permit_sasl_authenticated, reject

http://www.postfix.org/SMTPD_ACCESS_README.html

quadruplebucky
  • That did it. Thanks so much; I've been banging my head against the wall on this one for hours. – FRKT Mar 04 '10 at 10:38
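
The first-match-wins evaluation both answers describe, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model that evaluates the restriction list from the question and the one from the second answer, and reports restrictions made unreachable by an earlier unconditional one. The function names, the session fields and the sample sessions are assumptions constructed for illustration, and only the restrictions named on this page are modelled.

```python
import re

# Restrictions that decide unconditionally, whatever the client or recipient.
TERMINAL = {"reject": "REJECT", "permit": "PERMIT", "defer": "DEFER"}

def parse_restrictions(value):
    """Split a main.cf restriction list (commas and/or whitespace separate items)."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]

def evaluate(restrictions, session):
    """Return (action, deciding restriction); the first restriction that matches wins."""
    for name in restrictions:
        if name in TERMINAL:
            return TERMINAL[name], name
        if name == "permit_sasl_authenticated" and session["sasl_authenticated"]:
            return "PERMIT", name
        if name == "permit_mynetworks" and session["in_mynetworks"]:
            return "PERMIT", name
        if name == "reject_unauth_destination" and not session["local_destination"]:
            return "REJECT", name
        # No match: this restriction has no opinion, so the next one is tried.
    return "PERMIT", "(end of list)"  # the end of a list is equivalent to PERMIT

def shadowed(restrictions):
    """Restrictions that can never run because an unconditional one precedes them."""
    for i, name in enumerate(restrictions):
        if name in TERMINAL:
            return restrictions[i + 1:]
    return []

# Constructed sessions (hypothetical field names, simplified model).
LAPTOP = {"sasl_authenticated": True, "in_mynetworks": False, "local_destination": False}
STRANGER = {"sasl_authenticated": False, "in_mynetworks": False, "local_destination": False}

QUESTION = parse_restrictions("reject, permit_sasl_authenticated")
SECOND_ANSWER = parse_restrictions("permit_sasl_authenticated, reject")

if __name__ == "__main__":
    for label, rules in (("question", QUESTION), ("second answer", SECOND_ANSWER)):
        print(label, rules, "shadowed:", shadowed(rules))
        print("  authenticated laptop:", evaluate(rules, LAPTOP))
        print("  unauthenticated client:", evaluate(rules, STRANGER))
```

A non-empty result from `shadowed()` is the condition behind the 554 in the question: every client, authenticated or not, is decided by the leading `reject`.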