How to authorize a SASL authenticated user to relay mail under Linux postfix smtpd (opensuse leap 42.3)?
Thank you for this forum… Details below
We have two validated users for the mail server: **alavarre@mydomain.com** and **andy@mydomain.com**.
• Each can receive mail (postfix → dovecot).
• Each can send mail to the other (postfix → smtpd).
• Neither can send mail outside of the home domain (relay).
We have enabled STARTTLS and it is working.
We have checked *main.cf*, in particular the *[smtpd restrictions](https://forums.opensuse.org/up--Steps--5._Mail_server--Postfix--Lessons_Learned--Recipient_address_rejected_Server_configuration_problem--main.cf--smtpd_restrictions.html)*.
We understand that we can enable relay from **mynetworks**.
We do not want to add all the possible external IP addresses to **mynetworks**; rather, we would prefer to rely upon the user being authenticated on login by SASL.
*If he can log in to send mail within the domain he should likewise be authorized to relay traffic.*
The message returned to the client (Evolution) is
**Recipient address rejected: Server configuration problem**
We try a manual login using both telnet and openssl.
These succeed, showing starttls is working and the users are SASL-accepted and can send mail within the domain.
Connecting shows the certificate and TLS parameters.
ehlo and mail from succeed:

```
mail from:<andy@privustech.com>
250 2.1.0 Ok
```

rcpt to fails:

```
rcpt to:<alavarre@lavarre.org>
554 5.7.1 <alavarre@lavarre.org>: Relay access denied
```

We have checked *[main.cf](https://forums.opensuse.org/Develop--Server--Setup--Steps--5._Mail_server--Postfix--Lessons_Learned--Recipient_address_rejected_Server_configuration_problem--main.cf.html)* and find nothing wrong.
In particular, we have checked the *[smtpd restrictions](https://forums.opensuse.org/up--Steps--5._Mail_server--Postfix--Lessons_Learned--Recipient_address_rejected_Server_configuration_problem--main.cf--smtpd_restrictions.html)* and they appear to be in order:

```
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
smtpd_relay_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
smtp_sasl_auth_enable = yes
```

The last is most important, since we don't want to add all the possible external IP addresses to ***mynetworks***, rather rely upon the user being authenticated on login by SASL. If he can log in to send mail within the domain he should likewise be authorized to relay traffic.
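
A check for the relay setup described in this post, as an added example that is not part of the original post or of Postfix: it parses a main.cf fragment and reports whether relaying for SASL-authenticated clients is enabled on the server side (`smtpd_*` parameters). The function names are hypothetical, and the sample input is the fragment quoted above, so the check only sees the parameters shown there.

```python
# Constructed input: the main.cf fragment quoted in the post above.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
smtpd_relay_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
smtp_sasl_auth_enable = yes
"""

def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and
    continuation lines that start with whitespace."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value
    return params

def audit_sasl_relay(params):
    """Hypothetical helper: list gaps in relaying for SASL-authenticated clients."""
    findings = []
    # smtpd_sasl_auth_enable (default "no") turns on AUTH in the SMTP server;
    # smtp_sasl_auth_enable only affects Postfix acting as an SMTP client.
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes' in this configuration")
    relay = params.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    if "permit_sasl_authenticated" not in relay:
        findings.append("smtpd_relay_restrictions lacks permit_sasl_authenticated")
    elif "reject_unauth_destination" in relay and (
            relay.index("permit_sasl_authenticated")
            > relay.index("reject_unauth_destination")):
        # Restrictions are evaluated in order; the first match decides.
        findings.append("permit_sasl_authenticated comes after reject_unauth_destination")
    return findings

if __name__ == "__main__":
    for finding in audit_sasl_relay(parse_main_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```

On a live server, the effective values can be fed to the same check from the output of `postconf -n`, which prints the non-default settings in `name = value` form.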