Today, we faced an unusual problem while restricting few email accounts from sending emails to outside world. Typically we set it up using postfix's official document available here: www.postfix.org/RESTRICTION_CLASS_README.html#external and after setting it up, we normally test it using telnet command to get an access denied error message. If telnet can not get through, obviously outlook would also get the similar error message while sending emails to external email addresses. It worked perfectly as usual.

This time client was using webmail as well and all the users configured under restricted class were easily able to send emails to external email addresses via squirrelmail (webmail).

We started troubleshooting the system with few changes to main.cf file, verification of restriction classes from the postfix.org document mentioned above but couldn't get a clue for such strange behavior. We then executed the conf.pl file of squirrelmail to see the SMTP settings i.e. menu option number 2. By default squirrelmail is configured to use sendmail binary to send out emails under the option number 3. Which means while sending out emails via squirrelmail, postfix restrictions would not at all be called and restricted users shall easily be able to send unauthorized mails via webmail, even though they won't be able to send out using telnet or their email client (outlook, thunderbird, etc.). To put the same restrictions to webmail we simply need to change option 3 under Server Settings (Menu option 2 after launching conf.pl) from Sendmail to SMTP and the restrictions should be back in place.

Happy Mailing!