If I connect to Postfix on my server with a mail client on port 143 with SSL then mail sent via this connection from a virtual domain passes the smtpd_sender_restrictions and thus enables the filter that routes it to amavis to have its DKIM signature added before transmission.

So far so good, but ...

If, however, I generate an email from the same user@virtual_domain as above, directly from Drupal (or Roundcube running for an authenticated user, for that matter) running on the same server as Postfix, that email does not pass the smtpd_sender_restrictions and thus does not get to amavis and get its DKIM signing.

What do I do to permit my local (programmatically-generated) emails to pass the smtpd_sender_restrictions? There seems to be no condition I can see here in the manual that I can add to the rule to relax it? Here's the rule I am using in /etc/postfix/main.cf:

    ##################
    # SASL Settings and DKIM Settings
    # See http://gogs.info/books/debian-mail/chunked/postfix.sasl.html
    # See http://gogs.info/books/debian-mail/chunked/antispam.dkim.html
    ##################
    smtpd_sender_restrictions =
    # If mail is coming from mynetwork or from authenticated users use amavis filtering on port 10026 (DKIM signing)
      check_sender_access regexp:/etc/postfix/amavis/tag_as_originating.re
      permit_mynetworks
      permit_sasl_authenticated
      permit_tls_clientcerts
    # For other mail use amavis filtering on port 10024 (skips DKIM signing)
      check_sender_access regexp:/etc/postfix/amavis/tag_as_foreign.re

I manage my virtual domains with Post Admin and the permitted senders are listed here:

    virtual_mailbox_domains = mysql:/etc/postfix/sql/virtual_domains_maps.cf

and I have smtpd_recipient_restrictions to guard against arbitrary open relaying.

On my Exim MTA I sign every outgoing message. I can see the point of Postfix's smtpd_sender_restrictions but I can't seem to get them to do what I want here.

iainH

1 Answer

I was able to direct messages coming in through the pickup queue through to amavis on port 10026 to have them DKIM signed.

These messages are either generated by a Drupal website on my server (trusted by me) or from users signing in to their Roundcube webmail.

I just added these two arguments to the existing pickup transport in /etc/postfix/master.cf:

    pickup fifo n - - 60 1 pickup
      -o smtpd_tls_security_level=encrypt
      -o content_filter=smtp-amavis:[127.0.0.1]:10026

(Thanks to blog.purrdeta.com for pointers)

The transport smtp-amavis was already defined in master.cf and being used by messages coming in through the smtpd queue.

It took me a while to realise that these messages were coming in through the pickup queue and thus would not be subject to the smtpd_sender_restrictions in my original question. For realising this mistake I have to thank the very clear explanation of the Postfix architecture.

iainH
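
The check below is an added example, not code from the question or the answer: it parses a master.cf and reports the content_filter in effect for each daemon that accepts mail (smtpd, pickup, qmqpd), so a local-submission path that never reaches the signing filter shows up as empty. The two excerpts and the 10025 re-injection listener are constructed sample input, and only the `-o name=value` override form is handled.

```python
# Constructed master.cf excerpts (not from the page), modelled on the answer's entry.
BEFORE = """\
smtp             inet  n  -  -  -   -  smtpd
pickup           fifo  n  -  -  60  1  pickup
127.0.0.1:10025  inet  n  -  -  -   -  smtpd
  -o content_filter=
"""
AFTER = BEFORE.replace(
    "1  pickup\n", "1  pickup\n  -o content_filter=smtp-amavis:[127.0.0.1]:10026\n")

# Daemons that accept new mail into the queue and honour content_filter.
ENTRY_DAEMONS = {"smtpd", "pickup", "qmqpd"}


def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def effective_filters(master_cf, main_cf_default=""):
    """Map 'service/type' to the content_filter in effect for each entry point.

    Handles the '-o name=value' form only, not '-o { name = value }'.
    """
    result = {}
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) < 8 or fields[7] not in ENTRY_DAEMONS:
            continue
        value = main_cf_default  # main.cf applies unless overridden per service
        args = fields[8:]
        for flag, arg in zip(args, args[1:]):
            if flag == "-o" and arg.startswith("content_filter="):
                value = arg.split("=", 1)[1]
        result[f"{fields[0]}/{fields[1]}"] = value
    return result


if __name__ == "__main__":
    for label, cf in (("before", BEFORE), ("after", AFTER)):
        for service, flt in effective_filters(cf).items():
            print(f"{label:6} {service:22} {flt or '(no content_filter)'}")
```

On a live server, pass the contents of /etc/postfix/master.cf as the first argument and the main.cf content_filter value, if any, as main_cf_default. An empty result for smtp/inet is expected in the setup from the question, where the filter is chosen by the check_sender_access maps rather than by content_filter.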