Issue blocking a user's account to send email through Postfix

check_sender_access belongs in smtpd_sender_restrictions, not in smtpd_recipient_restrictions.


You are offering submission services on two ports, with different option overrides:

  1. legacy STARTTLS on port 587 (submission in first column in master.cf)
  2. SMTP wrapped in TLS on port 465 (smtps in first column in master.cf)

You currently do not require auth on both those ports, yet override restrictions for only one:

smtps      inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
submission inet  n       -       n       -       -       smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

What I expect what you want is something like this: requiring auth on both ports, and only overriding sender and client restrictions, while still applying global recipient restrictions:

smtps      inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=
submission inet  n       -       n       -       -       smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=

If not overridden, your recipient restrictions from the main.cf file would then apply to both those services.

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

(unrelated: you may not want to allow authentication on port 25 - you are allowing connections without transport security there. When you override it for all (2) submission ports anyway, reconsider smtpd_sasl_auth_enable = yes in main.cf)