Postfix Bi-directional relaying / smarthost

Discussion in 'Server Operation' started by beistrich, Mar 28, 2014.

  1. beistrich

    beistrich New Member

    Hey all!
    I just registered, because I'm currently struggling with my postfix configuration!

    I currently want to set up the following mail-flow-scenario:

    internet -> postfix (relay to) -> mailserver
    mailserver -> (smarthost) postfix -> internet

    So, I want postfix to receive all e-mail traffic and then relay it to my mailserver.
    Further, I want all outgoing mail to be sent through the postfix server (acting as smarthost).

    Mailserver and Postfix-Server are not on the same subnet/ip-range

    This is my current configuration. I tried with smtp_client_restrictions and smtpd_recipient_restrictions.

    Somehow I have to allow my mailserver (with hostname/ip) only to send e-mails. But also allow all others to connect to receive e-mails

    The relay_recipients map contains all valid e-mail recipients
    The map access_clients contains the hostname and ip of my mailserver

    ###Basic Settings
    myhostname =
    mydomain =
    myorigin = $mydomain
    inet_interfaces = all
    #mydestination = $mydomain, localhost
    relay_domains =
    mynetworks =, external.ip/32
    #smtpd_peername_lookup = no
    local_recipient_maps =
    local_transport = error: local main delivery disabled
    transport_maps = hash:/etc/postfix/maps/transport
    relay_recipient_maps = hash:/etc/postfix/maps/relay_recipients
    smtpd_client_restrictions = permit_mynetworks,
                                check_client_access hash:/etc/postfix/maps/access_clients,
    smtpd_helo_restrictions = permit_mynetworks,
    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_recipient_restrictions = permit_mynetworks,
                                   check_client_access hash:/etc/postfix/maps/access_clients,
    smtpd_data_restrictions = reject_unauth_pipelining

    Currently postfix says "Client host rejected: Access denied" for all connections!

    Does somebody have an idea how I can achieve my scenario?
  2. Acceos

    Acceos New Member


    Have you managed to pin down which restriction is causing the rejection?

    Is it check_client_access?

    If unsure, please comment out both lines with "check_client_access" and try again. If it works then, please get back to us with the content of check_client_access.
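
A small model of how the two client-based restriction lists in the posted configuration are evaluated, for the check suggested above: it reports which list and restriction would reject a given client for a given access table. This is an added example, not code from the thread; the hostnames, addresses, mynetworks value and table contents are constructed, and only permit_mynetworks and check_client_access with OK/REJECT results are modelled.

```python
import ipaddress

# Constructed sample data (not from the thread).
MYNETWORKS = ["127.0.0.0/8"]
STAGES = [  # the two client-based lists from the posted config, in evaluation order
    ("smtpd_client_restrictions", ["permit_mynetworks", "check_client_access"]),
    ("smtpd_recipient_restrictions", ["permit_mynetworks", "check_client_access"]),
]
TABLE_ALLOW_ONLY = {"mail.example.net": "OK", "198.51.100.25": "OK"}
TABLE_WITH_REJECT = dict(TABLE_ALLOW_ONLY, **{"203.0.113": "REJECT"})

def access_keys(name, ip):
    """Keys tried against a hash: access(5) table, in order: hostname,
    parent domains, full IPv4 address, then the address minus trailing octets.
    Assumes the default parent_domain_matches_subdomains (no leading dot)."""
    labels, octets = name.split("."), ip.split(".")
    return ([".".join(labels[i:]) for i in range(len(labels))]
            + [".".join(octets[:n]) for n in range(4, 0, -1)])

def check_client_access(name, ip, table):
    for key in access_keys(name, ip):
        if key in table:
            return table[key]  # first matching key decides
    return "DUNNO"             # no entry: the next restriction is tried

def trace(name, ip, table, stages=STAGES, mynetworks=MYNETWORKS):
    """Return (list, restriction) that rejects this client, or None if
    neither modelled list rejects it."""
    addr = ipaddress.ip_address(ip)
    for stage, restrictions in stages:
        for restriction in restrictions:
            if restriction == "permit_mynetworks":
                hit = any(addr in ipaddress.ip_network(n) for n in mynetworks)
                result = "OK" if hit else "DUNNO"
            elif restriction == "check_client_access":
                result = check_client_access(name, ip, table)
            else:
                raise ValueError(f"restriction not modelled: {restriction}")
            if result == "REJECT":
                return (stage, restriction)
            if result == "OK":
                break  # this list permits; later lists are still evaluated
    return None

if __name__ == "__main__":
    for label, table in (("allow-only", TABLE_ALLOW_ONLY), ("with-reject", TABLE_WITH_REJECT)):
        for name, ip in (("mail.example.net", "198.51.100.25"), ("mx.example.org", "203.0.113.7")):
            print(label, name, ip, "->", trace(name, ip, table))
```

A None result for an arbitrary internet client means neither list restricts it, so relay control then rests on reject_unauth_destination in smtpd_relay_restrictions or smtpd_recipient_restrictions, which the posted lists do not name.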
