From ab2d807084f68a31bcb3ad9c8f7ad3885e4ccaad Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sat, 16 May 2026 18:46:45 +0200
Subject: [PATCH] fix: set relay restrictions per smtpd service with default reject

We never want to defer email with a tepporary error when it has destination that we cannot deliver locally and don't want to relay. To avoid doing this accidentally, set default action to "reject" and then override it with the minimal restrictions per smtpd. Submission ports already had smtpd_relay_restrictions=permit_sasl_authenticated,reject override. Each smtpd port must have at least one of reject, reject_unauth_destination, defer, defer_if_permit, defer_unauth_destination according to . I have set smtpd_relay_restrictions=reject_unauth_destination for port 25 and incoming reinject port, and smtpd_relay_restrictions=permit_mynetworks,reject for outgoing reinject port.
---
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 3 ++-
 cmdeploy/src/cmdeploy/postfix/master.cf.j2 | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index a10b0e2c..6f88277c 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -53,7 +53,8 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 # See .
 tls_preempt_cipherlist = yes
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+# Reject by default, override per smtpd in master.cf
+smtpd_relay_restrictions = reject
 myhostname = {{ config.postfix_myhostname }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
diff --git a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
index bf108fec..84c17413 100644
--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
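Review bot: The comment added above `smtpd_relay_restrictions = reject` in main.cf.j2 does not state the consequence of the new default: any smtpd service in master.cf that lacks its own `-o smtpd_relay_restrictions=` override will now refuse every recipient. That fails closed, which matches the intent in the description, but a listener added later without the override will reject all mail until it gets one. I would extend the comment to something like `# Fail closed: an smtpd service without its own -o smtpd_relay_restrictions in master.cf rejects all recipients.` The submission overrides the description relies on are not part of this patch; `postconf -P | grep smtpd_relay_restrictions` on a deployed host shows the value each service ends up with.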
@@ -17,6 +17,7 @@ smtp inet n - y - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_mandatory_protocols=>=TLSv1.2
 -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }}
+ -o smtpd_relay_restrictions=reject_unauth_destination
 submission inet n - y - 5000 smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
@@ -81,12 +82,14 @@ filter unix - n n - - lmtp
 -o syslog_name=postfix/reinject
 -o milter_macro_daemon_name=ORIGINATING
 -o cleanup_service_name=authclean
+ -o smtpd_relay_restrictions=permit_mynetworks,reject
 {% if not config.ipv4_relay %}
 -o smtpd_milters=unix:opendkim/opendkim.sock
 {% endif %}
 # Local SMTP server for reinjecting incoming filtered mail
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet n - n - 100 smtpd
 -o syslog_name=postfix/reinject_incoming
+ -o smtpd_relay_restrictions=reject_unauth_destination
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.
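Review bot: The port 25 override `-o smtpd_relay_restrictions=reject_unauth_destination` drops the `permit_mynetworks` and `permit_sasl_authenticated` entries that the old global default applied to this service, so a local process that hands mail for a remote recipient to port 25 is now rejected as well. That is probably intended, but nothing in the patch checks it, and the diffstat shows no test. A deployment check that issues `RCPT TO` for a non-local domain on port 25 and expects a 5xx reply rather than a 4xx one would pin the behaviour the description asks for. The `smtp` service line itself is only visible in the hunk header.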
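Review bot: `-o smtpd_relay_restrictions=permit_mynetworks,reject` on the outgoing reinject service makes the global `mynetworks` value the only thing deciding who may relay through it, and that value is not visible in this patch. The service definition line is above the hunk; if it binds to 127.0.0.1 like the incoming reinject listener further down, exposure is limited to loopback clients, but the rule widens without notice if `mynetworks` is ever extended. Pinning it on the service removes that dependency, e.g. adding `-o mynetworks=127.0.0.0/8` next to the override.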