I have an email server set up for our company's domain. We want to be able to receive our domain-based mail, but we would like to be able to send email to ANY domain through the server as well. Using Postfix/SASL on a Slackware box. Sendmail is not installed. The server is on a public class A IP, with nothing between it and the internet. SASL was built with LOGIN support to be compatible with older Outlook clients, and is using shadow as the auth method. I built SASL with SQL support using Postgres. I plan to migrate to that method as soon as I get all the bugs worked out of my present setup. Authentication using SASL appears to be working.

My present configuration works in that we can send and receive domain-based email just fine, but any email addressed to domains other than ours isn't sent ("relayed" I guess is the proper term?). But it's strange: I seem to be able to send email to Gmail and to other domains, but other employees, who work at another location, using Outlook 2000 cannot send email outside our domain. I am using Gmail and Thunderbird as my send/receive clients and I don't seem to have a problem. Can you folks look at my config and tell me if there are some settings that need to be added/removed/adjusted? Also, if there are any security adjustments that should be implemented, please let me know.

Here's the output of postconf -n:

alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain
mydomain = mydomain.com
myhostname = mail.mydomain.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
notify_classes = resource, software
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains =
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
soft_bounce = no
unknown_local_recipient_reject_code = 550

Thanks!

Nathan

1 Answer

As I understand it, you have two sites. The Postfix server is at site A, and all users can use it normally. However, from site B, users can send mail only within the domain and not elsewhere.

The short quick answer is to add the IP address(es) of site B to the mynetworks variable in main.cf.

A slightly longer answer:

Postfix makes its relaying decisions in smtpd_recipient_restrictions. This is a list of checks to be run against the incoming message.

Postfix accepts mail from the world, and will send to the world. To ensure that Postfix is not an open relay, the defaults are slightly restrictive:

Mail from the world (0.0.0.0/0) will be relayed to domains explicitly listed in the configuration. Mail from whitelisted IP addresses will be relayed to any domain, regardless of whether that domain is locally configured or not.

The defaults for these variables are mydestination and mynetworks.

Since you are exploring SMTP AUTH, here's what you need to add:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

See http://www.postfix.org/SASL_README.html#server_sasl_authz

Ensure that your remote systems are configured to actually authenticate to the server.

Devdas
  • Thank you for the answer! Since I am not sure what network site B is on (I suppose I can troll through the mail log and find it...), can I specify '0.0.0.0/0' as a valid entry for 'mynetworks'? I figure that since I will be using smtpd_recipient_restrictions = permit_sasl_authenticated as a condition for relaying mail through postfix, that I can trust anyone who wants to relay email as long as they successfully authenticate first. Is this so? I basically want anyone who can successfully authenticate with the server to be able to send email to any domain. – Nathan Dec 12 '10 at 04:30
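The answer's relaying rule and the follow-up question about putting 0.0.0.0/0 into mynetworks can both be checked mechanically against a `postconf -n` dump. The script below is an added example, not code from the question, the answer or the Postfix project: it parses the flat `name = value` lines that `postconf -n` prints and reports the relay-related conditions an administrator would want to confirm before exposing an SMTP AUTH server to the internet. The two sample dumps embedded in it are constructed for this example: one holds the relevant lines from the question as posted, the other adds the answer's smtpd_recipient_restrictions line together with the `mynetworks = 0.0.0.0/0` setting the comment asks about. The `0.0.0.0/0` case is flagged because permit_mynetworks then matches every client before permit_sasl_authenticated is ever consulted, so authentication no longer gates relaying at all.

```python
"""Audit `postconf -n` output for relay misconfigurations (added example)."""
import re

# Constructed sample 1: the relay-relevant lines from the question as posted.
# smtpd_recipient_restrictions is unset, so the Postfix default applies, which
# has no permit_sasl_authenticated entry.
ORIGINAL_POSTCONF = """\
inet_interfaces = all
mydomain = mydomain.com
myhostname = mail.mydomain.com
relay_domains =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""

# Constructed sample 2: the answer's restriction list plus the world-wide
# mynetworks value the comment proposes.
PROPOSED_POSTCONF = ORIGINAL_POSTCONF + """\
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# Entries that stop relaying for clients not matched by an earlier permit_*.
RELAY_STOPPERS = {"reject_unauth_destination", "reject", "defer", "defer_if_permit"}
# Network specs that match every client, turning permit_mynetworks into "permit all".
WORLD_NETWORKS = {"0.0.0.0/0", "0/0", "::/0", "[::]/0"}


def parse_postconf(text):
    """Turn `postconf -n` output into a dict of parameter -> value string."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def audit_relay(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    mynetworks = split_list(params.get("mynetworks", ""))
    restrictions = split_list(params.get("smtpd_recipient_restrictions", ""))
    sasl_enabled = params.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
    sasl_opts = split_list(params.get("smtpd_sasl_security_options", ""))

    world = sorted(WORLD_NETWORKS.intersection(mynetworks))
    if world and (not restrictions or "permit_mynetworks" in restrictions):
        findings.append("open relay: mynetworks contains %s, so permit_mynetworks "
                        "matches every client before SASL is consulted" % ", ".join(world))

    # An explicit list with no reject/defer entry never stops relaying.
    if restrictions and not RELAY_STOPPERS.intersection(restrictions):
        findings.append("smtpd_recipient_restrictions has no reject_unauth_destination "
                        "(or reject/defer) entry")

    # The asker's situation: SASL works, but nothing in the restriction list
    # grants relaying to authenticated clients.
    if sasl_enabled and "permit_sasl_authenticated" not in restrictions:
        findings.append("smtpd_sasl_auth_enable = yes but permit_sasl_authenticated is "
                        "missing from smtpd_recipient_restrictions")

    # A permit placed after the stopper is never reached for relay attempts.
    if "permit_sasl_authenticated" in restrictions:
        before = restrictions[:restrictions.index("permit_sasl_authenticated")]
        if RELAY_STOPPERS.intersection(before):
            findings.append("permit_sasl_authenticated comes after a reject/defer entry "
                            "and will not be reached for relay attempts")

    if sasl_enabled and "noanonymous" not in sasl_opts:
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    return findings


if __name__ == "__main__":
    for label, dump in (("question", ORIGINAL_POSTCONF), ("proposed", PROPOSED_POSTCONF)):
        print(label + ":")
        for finding in audit_relay(parse_postconf(dump)) or ["no findings"]:
            print("  - " + finding)
```

Running it against the question's dump reports only the missing permit_sasl_authenticated entry, which matches the answer's diagnosis; against the proposed dump it reports the open relay that 0.0.0.0/0 in mynetworks would create, while the same list with mynetworks limited to the server's own and site B's ranges comes back clean.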