Univers Libre

Upgrade to Debian Jessie, introducing smtpd_relay_restrictions in Postfix

Written on 10 June 2016, 10:51 EDT
Tags: postfix, sysadmin.

TL;DR: since debconf appends an smtpd_relay_restrictions setting at the end of your main.cf file with the same values as smtpd_recipient_restrictions, you have to do the same for all your services listed in master.cf. smtpd_relay_restrictions is intended to replace smtpd_recipient_restrictions in upcoming Postfix releases.

After upgrading my mail server to Debian Jessie, I was faced with a weird problem with Postfix: emails sent from authenticated clients were rejected with a “Relay access denied” error.

I have a particular setup, though not so uncommon I think, since it should be the standard: port 25 is dedicated to server-to-server communications, and no authentication is supported on that port. Instead, clients which want to send emails have to submit them on the submission port (obviously). Concretely, in my master.cf file, I override smtpd_recipient_restrictions for the submission service to allow sending emails with minimum restrictions if clients are authenticated.

In my main.cf file:

smtpd_recipient_restrictions =
   permit_mynetworks,
   check_client_access hash:/etc/postfix/client_access,
   #check_sender_access hash:/etc/postfix/sender_access,
   check_recipient_access hash:/etc/postfix/recipient_access,
   reject_unauth_destination,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   check_policy_service unix:private/whitelister.ctl,
   check_policy_service inet:127.0.0.1:10023,
   permit

And in my master.cf file:

submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

So in my case, it seemed that the smtpd_recipient_restrictions option passed to the submission process was ignored, or that the one set up in my main.cf file won. Enabling debugging didn't tell me anything, but confirmed that the smtpd_recipient_restrictions option for the submission process was ignored, since I saw Postfix testing all the conditions specified in my main.cf.

Then, after some time, I noticed a new line at the end of my main.cf file: smtpd_relay_restrictions, with all the tests of smtpd_recipient_restrictions. Looking it up in the postconf(5) manual confirmed that it replaces smtpd_recipient_restrictions in Postfix 2.10, although the latter is still supported and not planned to be removed in the upcoming versions. This directive is intended to simplify and unify the use of smtpd_*_restrictions.

So debconf has added this new directive to my main.cf file, without any debconf notice as far as I remember, and, in my opinion, without reason (Postfix doesn't even raise a deprecation warning about other smtpd_*_restrictions), and that breaks other services set up in master.cf.

Strangely, no one on the Internet seems to have encountered a similar problem with this directive when upgrading to Jessie.

So I simply did the replacement in my submission service in master.cf, and that solved my problem.
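
As an added example (not from the original post): a small Python audit that flags the situation described above, an smtpd service in master.cf that overrides smtpd_recipient_restrictions while still inheriting an smtpd_relay_restrictions set in main.cf. The sample file contents are constructed and abridged from the post's configuration, the function names are hypothetical, and only the "-o name=value" override form is parsed.

```python
import re

# Constructed sample files, abridged from the configuration shown in the post.
MAIN_CF = """\
smtpd_recipient_restrictions =
   permit_mynetworks,
   #check_sender_access hash:/etc/postfix/sender_access,
   reject_unauth_destination,
   permit
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination, permit
"""
MASTER_CF = """\
smtp       inet n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop blank and # comment lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def smtpd_overrides(text):
    """Map each smtpd service in master.cf to its -o name=value overrides."""
    services = {}
    for line in logical_lines(text):
        fields = line.split(None, 8)  # 8 fixed columns, then the argument string
        if len(fields) >= 8 and fields[7] == "smtpd":
            args = fields[8] if len(fields) > 8 else ""
            services[f"{fields[0]}/{fields[1]}"] = dict(re.findall(r"-o\s+(\w+)=(\S+)", args))
    return services

def audit(main_cf, master_cf):
    """Services overriding recipient restrictions but inheriting main.cf relay restrictions."""
    params = {l.split("=", 1)[0].strip() for l in logical_lines(main_cf) if "=" in l}
    if "smtpd_relay_restrictions" not in params:
        return []
    return [name for name, opts in smtpd_overrides(master_cf).items()
            if "smtpd_recipient_restrictions" in opts and "smtpd_relay_restrictions" not in opts]

if __name__ == "__main__":
    print(audit(MAIN_CF, MASTER_CF))
```

To check a real host, pass the contents of /etc/postfix/main.cf and /etc/postfix/master.cf to audit() instead of the sample strings.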