使用 Postfix 和外部邮件过滤服务？

当前的 Postfix (2.9) 配置非常简单：MX 记录指向运行 Postfix 的服务器，Postfix 将邮件发送到用户的邮件目录。用户通过 dovecot 通过 IMAP 获取邮件，并通过 Postfix 在端口 465 上通过 TLS 中继出站邮件，并进行身份验证。以下是经过轻微审查的/etc/postfix/main.cf：

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
myorigin = /etc/mailname

mydomain = example.net

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h

readme_directory = no

# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes

# Anti-spam
disable_vrfy_command = yes
smtpd_helo_required = yes
header_checks = regexp:/etc/postfix/header_checks

smtpd_recipient_restrictions = 
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    check_policy_service unix:private/policy-spf
    reject_rbl_client zen.spamhaus.org,

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/figaro.example.net.crt
smtpd_tls_key_file=/etc/ssl/private/figaro.example.net.key
smtpd_tls_CAfile=/etc/ssl/certs/sub.class1.server.ca.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# different EHLO response for localhost
# (we speed up roundcube by disabling STARTTLS)
smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

myhostname = figaro.example.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = figaro.example.net, localhost.example.net, example.net, localhost 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = .
inet_interfaces = all
home_mailbox = Maildir/
policy-spf_time_limit = 3600s

这种方法在一段时间内效果很好，但我们遇到了垃圾邮件问题，因此决定与外部垃圾邮件过滤服务签订合同。其工作原理是，我们将他们的 SMTP 服务器放在我们域的 MX 记录中，然后他们将（表面上）合法的邮件转发到我们的服务器。

但我在配置 Postfix 时遇到了困难：

1. 将经过身份验证的客户端的邮件中继到网络的其余部分
2. 仅接受来自外部邮件过滤服务发往本地用户的邮件

所有其他投递或中继尝试都应被拒绝。垃圾邮件过滤服务将其传出 IP 列为给定主机的 DNS A 记录。假设为 delivery.example.com。我创建了/etc/postfix/access以下内容（记得postmap /etc/postfix/access随后运行）：

delivery.example.com OK

然后修改/etc/postfix/main.cf并替换smtp_recipient_restrictions为：

smtpd_client_restrictions =
    hash:/etc/postfix/access
    permit_sasl_authenticated
    permit_mynetworks
    reject

这种方法有效，因为来自 delivery.example.com 的邮件会被接受，而来自其他地方的邮件会被拒绝，问题在于，对于尝试从普通邮件客户端（如 Thunderbird）通过服务器发送邮件的用户，中继访问会被拒绝：

Aug 29 13:37:36 figaro postfix/smtpd[24703]: connect from <censored>
Aug 29 13:37:37 figaro postfix/smtpd[24703]: Anonymous TLS connection established from <censored>: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug 29 13:37:38 figaro postfix/smtpd[24703]: NOQUEUE: reject: RCPT from <censored>: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.1]>
Aug 29 13:37:44 figaro postfix/smtpd[24703]: disconnect from <censored>

我原本以为（即使读过文档之后）permit_sasl_authenticated 应该允许用户通过服务器发送邮件，但似乎行不通。（它在上述当前配置下确实有效。而且在任何一种情况下，服务器都不是开放中继。）有什么建议吗？