[BlueOnyx:26493] Re: The Postfix learning curve continues

Michael Stauber mstauber at blueonyx.it
Wed Sep 20 22:58:24 -05 2023


Hi Chad,

> I'm resurfacing an issue from about a month ago, on my transition to 
> Postfix.  I've simply not had the time to worry about my internal stuff 
> not working, until now.
> 
> Your original recommendation was:
> 
> "Change your "mynetworks" line in /etc/postfix/main.cf to something like
> this if you want to allow the whole 192.168.0.0/16 network to be able to
> relay through it:
> 
> mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/16
> 
> Then restart Postfix and see if that helps:
> 
> systemctl restart postfix"
> 
> I did this, but find that, when I execute the postfix restart, the 
> main.cf gets rewritten

Unfortunately that seems correct. I just checked this part of that 
mechanism and it's not entirely working as intended for that particular 
purpose:

In /etc/postfix/main.cf the line "mynetworks" is reserved and you cannot 
edit it. It will get overwritten on Postfix restarts with the IP 
addresses that you have bound to your server.

The *intended* mechanism for allowing relaying is under "Server 
Management" / "Network Services" / "Email" in the "Advanced" tab.

The idea is to allow all hosts listed in "Relay Email From 
Hosts/Domains/IP Addresses" to relay through your server.

However: In our current Postfix implementation that adds entries to 
/etc/postfix/access like this:

test.smd.net   RELAY

But if "Enable SMTP Auth" is active, that then trips Saslauthd and 
relaying is denied, because the sender didn't authenticate.

You're right: In practical terms the IPs of allowed senders would need 
to go into "mynetworks" instead of stuffing them into 
/etc/postfix/access. The issue here is that we've sort of ported the 
Sendmail config to the Postfix config and in Sendmail you can use the 
access file to allow relaying w/o tripping SMTP-Auth. In Postfix it's a 
different story.

The complication is that the GUI field "Relay Email From 
Hosts/Domains/IP Addresses" accepts both IPs and domain names, but the 
"mynetworks" line in Postfix just accepts IPs. So I'll have to throw in 
some extra cogs and wheels to make sure that only IPs end up in the 
"mynetworks" line. But this is doable.

I'll play around with it tomorrow and will see if I can work this out 
and then we'll have a YUM update ready to fix this in the next few days.

-- 
With best regards

Michael Stauber
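
An added example, not part of the original message and not BlueOnyx's own code: one way to split a mixed "Relay Email From Hosts/Domains/IP Addresses" list so that only IPs and CIDR ranges reach the "mynetworks" line. The function names, the hostname pattern and the sample entries are assumptions made for illustration; a catch-all range is rejected because it would turn the server into an open relay.

```python
import ipaddress
import re

# Assumed hostname shape: dot-separated labels ending in an alphabetic TLD.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def split_relay_entries(entries):
    """Partition relay entries into (networks, hostnames, rejected)."""
    networks, hostnames, rejected = [], [], []
    for raw in entries:
        item = raw.strip().lower()
        if not item:
            continue
        try:
            # strict=False normalises host bits, e.g. 192.168.0.5/16 -> 192.168.0.0/16
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            # Not an IP or CIDR: a name can never go into mynetworks.
            (hostnames if HOST_RE.match(item) else rejected).append(item)
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would let every client relay.
            rejected.append(item)
        else:
            networks.append(net)
    return networks, hostnames, rejected

def format_mynetworks(networks, base=("127.0.0.0/8", "[::1]/128")):
    """Build the main.cf line; IPv6 networks use Postfix's [addr]/len form."""
    parts = list(base)
    for net in networks:
        if net.version == 6:
            parts.append(f"[{net.network_address}]/{net.prefixlen}")
        else:
            parts.append(str(net))
    # Drop duplicates while keeping the original order.
    return "mynetworks = " + " ".join(dict.fromkeys(parts))

if __name__ == "__main__":
    # Constructed sample input, mixing the kinds of values the GUI field accepts.
    sample = ["192.168.0.0/16", "test.smd.net", "10.1.2.3",
              "2001:db8::/32", "0.0.0.0/0", "999.1.1.1"]
    nets, hosts, bad = split_relay_entries(sample)
    print(format_mynetworks(nets))
    print("names kept out of mynetworks:", hosts)
    print("rejected:", bad)
```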


