Postfix - SMTP Port 25

I need to use port 25 to send some notifications on local networks (Nagios, UPS, etc.) without SASL authentication.

So I have to block access from the net to port 25.

I added this to smtp in master.cf and it's working:

smtpd_client_restrictions=permit_mynetworks,reject

but when somebody sends email from outside (587/465), they get the error

Client host rejected: Access denied

Why?

Maybe there is a different way to do that.

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
#smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy

smtp     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtp
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
#  -o smtpd_relay_restrictions=permit_mynetworks,defer_unauth_destination
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#  -o smtpd_sasl_type=dovecot
#  -o smtpd_sasl_path=private/auth

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,defer_unauth_destination
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,defer_unauth_destination
#  -  smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#

A standard Postfix configuration allows both receiving mail from outside and sending from local "trusted" hosts/networks over port 25 without authentication. You don't need to mess with smtpd_client_restrictions; the defaults are pretty reasonable. The default values of all smtpd_*_restrictions are empty except for smtpd_recipient_restrictions, which is:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

and that does exactly what you need. permit_mynetworks allows mail from hosts specified by the mynetworks parameter, and reject_unauth_destination rejects all mail whose recipient is not local (that is, the recipient domain matches mydestination, inet_interfaces, proxy_interfaces, virtual_alias_domains, virtual_mailbox_domains or relay_domains).

In simple cases like yours, the only parameters you would care about are mydestination, which should list all possible names under which your server can receive mail, and mynetworks, which should include the IP addresses of all hosts/networks that are allowed to send mail without authentication.

I suggest that you start configuring Postfix from very simple, but working configurations and gradually add more complicated things. A good place to start is http://www.postfix.org/STANDARD_CONFIGURATION_README.html which shows most typical configurations. In your case, "Postfix on a local network" is the one that may interest you.

And it is good practice not to mess up your master.cf with too many unneeded -o parameters. Instead, main.cf is the intended place to put your configuration. In simple Postfix instances, master.cf can usually be left at the factory default.

Also, useful commands are postconf -d, which lists the default values of all Postfix configuration parameters, and postconf -n, which lists the configuration parameters that you explicitly specified in main.cf (they may be identical to or different from the defaults).
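
How the restriction lists discussed above behave, as an added example (a simplified Python model, not Postfix code and not part of the original question or answer): it evaluates the port 25 override from the question, the recipient restrictions quoted in the answer, and the submission service from the posted master.cf against constructed clients. The networks, domains and addresses are assumptions, and the question's main.cf recipient restrictions are assumed to be the list the answer quotes.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the original post).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
LOCAL_DOMAINS = {"example.com"}  # stands in for mydestination, relay_domains, ...

def check(restriction, client_ip, authenticated, rcpt):
    """Return 'PERMIT', 'REJECT', or None (no decision, try the next one)."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else None
    if restriction == "permit_sasl_authenticated":
        return "PERMIT" if authenticated else None
    if restriction == "reject_unauth_destination":
        domain = rcpt.rsplit("@", 1)[-1].lower()
        return None if domain in LOCAL_DOMAINS else "REJECT"
    if restriction == "reject":
        return "REJECT"
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(stages, client_ip, rcpt, authenticated=False):
    """Walk the restriction lists in stage order.

    PERMIT ends only the current list; the next list is still evaluated.
    REJECT ends the whole transaction.
    """
    for stage, restrictions in stages:
        for r in restrictions:
            result = check(r, client_ip, authenticated, rcpt)
            if result == "REJECT":
                return f"REJECT at {stage} ({r})"
            if result == "PERMIT":
                break
    return "ACCEPT"

RECIPIENT = ("recipient", ["permit_mynetworks", "reject_unauth_destination"])
# Port 25 with the -o override from the question's master.cf.
QUESTION_PORT25 = [("client", ["permit_mynetworks", "reject"]), RECIPIENT]
# Port 25 with an empty client list and the recipient list quoted in the answer.
ANSWER_PORT25 = [("client", []), RECIPIENT]
# Submission (587) as posted in the question's master.cf.
SUBMISSION = [("client", ["permit_sasl_authenticated", "reject"]),
              ("recipient", ["permit_sasl_authenticated", "permit_mynetworks",
                             "reject_unauth_destination"])]

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_PORT25), ("answer", ANSWER_PORT25)):
        print(name, evaluate(cfg, "203.0.113.5", "user@example.com"))
```

With the question's override, an outside host delivering to a local mailbox on port 25 is rejected at the client stage; with the recipient list from the answer, that delivery is accepted while relaying to a foreign domain is still refused.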