anonaddy / docker

AnonAddy Docker image
MIT License

`check_policy_service` should come before `permit_mynetworks` in Postfix conf #294

Open draeklae opened 4 months ago

draeklae commented 4 months ago

Support guidelines

I've found a bug and checked that ...

Description

Postfix configuration at the moment is such that check_policy_service comes after permit_mynetworks. The effect is that all mail from local networks is forwarded without checking if, e.g., an alias is activated or not. This is especially problematic when Addy is receiving mail forwarded from a Postfix relay in the same network (e.g., another mail server container on the same host).

Expected behaviour

All mail should be going through the policy service, even if it comes from local networks.

Actual behaviour

If mail comes from a local network (e.g., a Postfix relay in the same network), then Addy delivers the email without going through policy checks.

Steps to reproduce

  1. Create an Addy instance that is receiving mail from another Postfix server in the same network
  2. Create an alias and deactivate it
  3. Send email to deactivated alias (mail is delivered even though alias is deactivated)

Docker info

```
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 12
  Running: 12
  Paused: 0
  Stopped: 0
 Images: 48
 Server Version: 20.10.24+dfsg1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 1.6.20~ds1-1+b1
 runc version: 1.1.5+ds1-1+deb12u1
 init version: 
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 6.1.0-23-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.62GiB
 Name: v220240637402273018
 ID: JOAL:Y3H2:TW2J:SWQH:UHJ6:WGOB:NN6F:QIOD:NYFH:KOQY:H46T:RSPU
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

Docker Compose config

No response

Logs

---

Additional info

Bug is fixed simply by reordering the two in smtpd_recipient_restrictions.
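
A check for the ordering problem reported above, as an added example that is not part of the original issue or the project's code: it parses `smtpd_recipient_restrictions` from `main.cf` text and lists any permit action that Postfix would evaluate before `check_policy_service` (the first matching restriction wins). It generalizes from `permit_mynetworks` to any restriction whose name starts with `permit`; the two sample configurations and the `unix:private/policy` endpoint are constructed placeholders, and the function names are hypothetical.

```python
import re

def recipient_restrictions(main_cf: str) -> list[str]:
    """Tokens of smtpd_recipient_restrictions, in evaluation order."""
    logical = []
    for raw in main_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    value = ""
    for line in logical:
        name, sep, rest = line.partition("=")
        if sep and name.strip() == "smtpd_recipient_restrictions":
            value = rest                          # last definition wins in main.cf
    return [tok for tok in re.split(r"[\s,]+", value) if tok]

def permits_before_policy(main_cf: str) -> list[str]:
    """permit* actions that can accept mail before check_policy_service runs."""
    tokens = recipient_restrictions(main_cf)
    if "check_policy_service" in tokens:
        tokens = tokens[:tokens.index("check_policy_service")]
    return [tok for tok in tokens if tok.startswith("permit")]

# Constructed samples: the policy endpoint is a placeholder, not the image's value.
BEFORE = """\
smtpd_recipient_restrictions =
    reject_unauth_destination,
    permit_mynetworks,
    check_policy_service unix:private/policy
"""
AFTER = """\
smtpd_recipient_restrictions =
    reject_unauth_destination,
    check_policy_service unix:private/policy,
    permit_mynetworks
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        early = permits_before_policy(conf)
        print(label, "BYPASS via " + ", ".join(early) if early else "ok")
```

On a running instance the same function can be fed the output of `postconf smtpd_recipient_restrictions`, which prints the effective value in the same `name = value` form.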