Issue blocking a user's account to send email through Postfix
check_sender_access belongs in smtpd_sender_restrictions, not in smtpd_recipient_restrictions.
You are offering submission services on two ports, with different option overrides:
- legacy STARTTLS on port 587 (
submissionin first column inmaster.cf) - SMTP wrapped in TLS on port 465 (
smtpsin first column inmaster.cf)
You currently do not require auth on both those ports, yet override restrictions for only one:
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
What I expect what you want is something like this: requiring auth on both ports, and only overriding sender and client restrictions, while still applying global recipient restrictions:
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
If not overridden, your recipient restrictions from the main.cf file would then apply to both those services.
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
(unrelated: you may not want to allow authentication on port 25 - you are allowing connections without transport security there. When you override it for all (2) submission ports anyway, reconsider smtpd_sasl_auth_enable = yes in main.cf)