Univers Libre

Upgrade to Debian Jessie, introducing relay_access_restrictions in Postfix

Written on 10 June 2016, 10:51 CEST
Tags: postfix.

Abstract for TL;DR readers: since debconf appends a relay_access_restrictions at the end of your main.cf file with the same values as recipient_access_restriction, you have to do the same for all your services listed in master.cf. relay_access_restrictions is intended to replace recipient_access_restriction in the next Postfix releases.

After upgrading my mail server to Debian Jessie, I faced a weird problem with Postfix: emails sent from authenticated clients were rejected with a “Relay access denied” error.

I have a particular setup, though not so uncommon I think, since it should be the standard: port 25 is for server-to-server communications, and no authentication is supported there. Instead, clients that want to send emails have to submit them on the submission port (obviously). Concretely, in my master.cf file, I override recipient_access_restriction for the submission service to allow sending emails with minimum restrictions if clients are authenticated.

So in my case, it seemed that the recipient_access_restriction option passed to the submission process was ignored, or that the one set up in my main.cf file won. Enabling debugging didn't tell me anything. It even confirmed to me that the recipient_access_restriction option for the submission process was ignored, since I saw Postfix testing all the conditions specified in my main.cf.

Then after some time, I saw a new line at the end of my main.cf file: relay_access_restrictions, with all the tests of recipient_access_restrictions. Searching for this in the postconf(5) manual confirmed to me that it replaces recipient_access_restriction, although the latter is still supported and not planned to be removed in the coming versions. So debconf added this new directive to my main.cf file, without any debconf advertisement as far as I remember, and without reason (Postfix didn't even raise a deprecation warning about that), and that breaks other services set up in master.cf.

No one seems to mention that on the Internet.
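
A check for the situation described in this post, as an added example that is not from the original article: it scans a master.cf for services that override the recipient restrictions with `-o` but not the relay restrictions, and therefore inherit the relay list from main.cf. It assumes the post's relay_access_restrictions and recipient_access_restriction correspond to Postfix's `smtpd_relay_restrictions` and `smtpd_recipient_restrictions`; the sample master.cf and the function names are constructed for illustration.

```python
import re

# Assumption: these are the real Postfix names behind the parameters the post mentions.
RELAY = "smtpd_relay_restrictions"
RECIPIENT = "smtpd_recipient_restrictions"

# Constructed sample: "submission" overrides only the recipient list,
# "smtps" overrides both lists.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# comment lines and blank lines are skipped
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def overrides(entry):
    """Names of parameters set with '-o name=value' or '-o { name = value }'."""
    return set(re.findall(r"-o\s+\{?\s*(\w+)\s*=", entry))

def services_missing_relay_override(master_cf):
    """Services whose recipient override can be pre-empted by main.cf's relay list."""
    flagged = []
    for entry in logical_lines(master_cf):
        fields = entry.split()
        names = overrides(entry)
        if RECIPIENT in names and RELAY not in names:
            flagged.append(f"{fields[0]}/{fields[1]}")
    return flagged

if __name__ == "__main__":
    for service in services_missing_relay_override(SAMPLE_MASTER_CF):
        print(f"{service}: overrides {RECIPIENT} but inherits {RELAY} from main.cf")
```

To check a live system, pass the contents of the real master.cf to `services_missing_relay_override` instead of the sample.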