Old 01-02-2014, 12:00 AM   #1
grob115
Member
 
Registered: Oct 2005
Posts: 542

Rep: Reputation: 32
Postfix's reject_unauth_destination for smtpd_recipient_restrictions


Hi, question with this setting. Per the following explanation from Postfix, it appears that by providing the value "reject_unauth_destination", Postfix will only accept a mail if the recipient belongs to either i) an account managed by Postfix (i.e. no need to forward any more), or ii) a domain listed in the $relay_domains setting.

Any ideas why?


http://www.postfix.org/postconf.5.ht...th_destination
Quote:
reject_unauth_destination
Reject the request unless one of the following is true:
  • Postfix is mail forwarder: the resolved RCPT TO domain matches $relay_domains or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
  • Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).
Now what doesn't add up are the following:
1) When I try to send a mail from my phone to my Hotmail account via this Postfix server, it works. I thought I wouldn't be able to do so because I have the following set, and the reject_unauth_destination setting, as described above, should have blocked this because hotmail.com does NOT belong to either i) an account managed by Postfix (i.e. no need to forward any more), or ii) a domain listed in the $relay_domains setting, as I have not set relay_domains.
Even relay_domains taking on its default value from $mydestination wouldn't make a difference, because hotmail.com also isn't on the list for $mydestination.
Code:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org
2) When I tried to remove the value "reject_unauth_destination" from the "smtpd_recipient_restrictions" setting, I saw the errors in /var/log/maillog (shown below). I thought I could remove it because it is redundant, since I have enforced SASL for all SMTP clients and disallowed anonymous senders. A snippet of my /etc/postfix/main.cf is pasted below.
Code:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
Code:
Jan  1 21:36:14 www postfix/master[29314]: daemon started -- version 2.3.3, configuration /etc/postfix
Jan  1 21:37:37 www postfix/smtpd[29362]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Jan  1 21:37:38 www postfix/master[29314]: warning: process /usr/libexec/postfix/smtpd pid 29362 exit status 1

Last edited by grob115; 01-02-2014 at 12:06 AM.
 
Old 01-03-2014, 08:51 AM   #2
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,876

Rep: Reputation: 643
It is required, so that postfix will not be an open relay (without a bit more effort).

Your phone is either in $mynetworks or authenticated with a valid user/pass.
(edit: or something you haven't told us is going on...)
 
Old 01-03-2014, 11:43 AM   #3
grob115
Member
 
Registered: Oct 2005
Posts: 542

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by descendant_command
It is required, so that postfix will not be an open relay (without a bit more effort).

Your phone is either in $mynetworks or authenticated with a valid user/pass.
(edit: or something you haven't told us is going on...)
My phone wouldn't be in $mynetworks as it's connecting from within a mobile carrier and I couldn't have known the phone's IP beforehand. However, it's indeed signing in with a valid user account.

So, can we say that as long as someone signs in with a valid account, the "reject_unauth_destination" setting for "smtpd_recipient_restrictions" wouldn't have applied? If this is the case, shouldn't Postfix's documentation state this as the third condition? My current condition fits neither of its only two conditions.
 
Old 01-03-2014, 07:41 PM   #4
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,876

Rep: Reputation: 643
Quote:
Code:
permit_sasl_authenticated
^^This.

For an unauthenticated client (that is not in $mynetworks) mail is only accepted for local or "relay" domains.

Otherwise, any old spammer could connect to your box and send mail to whomever they liked.
 
Old 01-03-2014, 10:14 PM   #5
grob115
Member
 
Registered: Oct 2005
Posts: 542

Original Poster
Rep: Reputation: 32
Ah thanks. BTW does the order of permit_sasl_authenticated, reject_unauth_destination matter? However this only explains point 1.

For point 2, if I remove the value "reject_unauth_destination" from the "smtpd_recipient_restrictions" setting, I see errors in /var/log/maillog (shown in my first post). But why does this happen if I already have permit_sasl_authenticated and I am authenticating myself from the phone?

Last edited by grob115; 01-03-2014 at 10:19 PM.
 
Old 01-03-2014, 11:43 PM   #6
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,876

Rep: Reputation: 643
Well, I'm not an "expert" but ...

Yes, I believe the order matters.

Postfix will not start without one of the listed configurations to prevent being an open relay.
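
The evaluation order discussed in this thread, as an added example that is not part of any post and is not Postfix code: a simplified Python model in which the restriction list is walked left to right and the first restriction that decides wins, together with a presence-only version of the startup check named in the quoted log line. The networks, domains, client addresses, user name and the `CFG` layout are constructed assumptions.

```python
# Simplified model of how a Postfix restriction list is evaluated (added
# example, not Postfix source). All addresses and domains are constructed.
import ipaddress

# Names taken from the fatal log message quoted in the first post.
RELAY_GUARDS = {"check_relay_domains", "reject_unauth_destination",
                "reject", "defer", "defer_if_permit"}

def startup_check(restrictions):
    """Presence-only stand-in for the startup check: one guard must be listed."""
    return any(r.split()[0] in RELAY_GUARDS for r in restrictions)

def authorized_destination(rcpt, local_domains, relay_domains):
    """The two conditions quoted from postconf(5), simplified."""
    if rcpt.count("@") != 1:          # sender-specified routing
        return False
    domain = rcpt.rsplit("@", 1)[1].lower()
    if domain in local_domains:       # Postfix is the final destination
        return True
    return any(domain == d or domain.endswith("." + d) for d in relay_domains)

def evaluate(restrictions, client_ip, sasl_user, rcpt, cfg):
    """Walk the list left to right; the first restriction that decides wins."""
    for r in restrictions:
        name = r.split()[0]
        if name == "permit_mynetworks":
            ip = ipaddress.ip_address(client_ip)
            if any(ip in ipaddress.ip_network(n) for n in cfg["mynetworks"]):
                return "permit", name
        elif name == "permit_sasl_authenticated":
            if sasl_user is not None:
                return "permit", name
        elif name == "reject_unauth_destination":
            if not authorized_destination(rcpt, cfg["local"], cfg["relay"]):
                return "reject", name
        elif name == "reject_rbl_client":
            if client_ip in cfg["rbl_listed"]:   # stand-in for the DNS lookup
                return "reject", name
    return "permit", "end of list"

# Constructed configuration and the restriction lists from the first post.
CFG = {"mynetworks": ["127.0.0.0/8"], "local": {"example.org"},
       "relay": set(), "rbl_listed": {"198.51.100.9"}}
WITH_GUARD = ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination", "reject_rbl_client zen.spamhaus.org"]
WITHOUT_GUARD = [r for r in WITH_GUARD if r != "reject_unauth_destination"]
```

Calling `evaluate(WITH_GUARD, "203.0.113.7", "alice", "someone@hotmail.com", CFG)` returns a permit from `permit_sasl_authenticated` before `reject_unauth_destination` is ever reached; the same call with `sasl_user=None` is rejected, and with `WITHOUT_GUARD` it falls through to the end of the list and is permitted, which is the open-relay case the startup check exists to prevent.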
 
  

