1

Topic: Cluebringer to iRedAPD documentation and setting fix

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: Debian 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====

Hello Zhang!

I followed this document to migrate from Cluebringer to iRedAPD:

http://www.iredmail.org/docs/cluebringe … edapd.html

The section "Enable iRedAPD in Postfix" might contain a problem:

smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    ...

iRedAPD policy is checked first, then allowed networks and (at least in my case) sasl_authenticated users.

In my case this caused a problem as internal servers are using the iRedMail server as relay to send notifications.
They have a standard configuration and use username@hostname as sender address. This address might be "wrong" according to iRedAPD rules and these emails get rejected.

Fix:

I rearranged the order of the rules so that local networks and authenticated users skip iRedAPD check:

smtpd_recipient_restrictions =
    ...
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:7777
    ...


Now the email server works perfectly.

Please consider updating the documentation or adding a hint that the order of the checks might be a problem for "some users". I don't know if the order from the documentation is wrong or if it just causes a problem in my case. I guess there is no "wrong" or "right" setting here ;)
Permitting mynetworks and authenticated users seems to me to be the "correcter" setting.

What do you think?

Best regards,

Bernhard


2

Re: Cluebringer to iRedAPD documentation and setting fix

The order of restriction rules is correct. You need to add IP addresses/networks in Postfix "mynetworks=" to iRedAPD too, like this:

# File: /opt/iredapd/settings.py

MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]

If you place iRedAPD after "permit_mynetworks", all emails sent with Roundcube (hosted on localhost) will not go through iRedAPD at all, then outbound throttling and other features implemented in iRedAPD will not be triggered.

3

Re: Cluebringer to iRedAPD documentation and setting fix

UPDATE:

I updated the tutorial to mention the 'MYNETWORKS =' setting a moment ago; this way it will be clearer.

Thanks very much for your feedback. :)

4

Re: Cluebringer to iRedAPD documentation and setting fix

I restored the original order and added MYNETWORKS setting to iRedAPD configuration.
This works as expected. Thank you!

In main.cf from postfix I added a big comment that changes to "mynetworks" have to be done as well in /opt/iredapd/settings.py

5

Re: Cluebringer to iRedAPD documentation and setting fix

broth wrote:

In main.cf from postfix I added a big comment that changes to "mynetworks" have to be done as well in /opt/iredapd/settings.py

Good idea. I updated the main.cf template file with a similar comment too:
https://bitbucket.org/zhb/iredmail/comm … aa059e29c0
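
Added example (not part of the original thread, and not iRedMail or iRedAPD code): a small drift check for the advice above that Postfix "mynetworks" and iRedAPD "MYNETWORKS" must be kept in sync. It assumes MYNETWORKS holds single IPs or CIDR networks as in the reply above; the function names and sample inputs are constructed for illustration.

```python
import ast
import ipaddress
import re

# Constructed sample inputs (not from the thread); documentation-range addresses.
SAMPLE_MAIN_CF = """\
# Keep in sync with MYNETWORKS in /opt/iredapd/settings.py
mynetworks = 127.0.0.0/8 [::1]/128,
    192.0.2.10 198.51.100.0/24
"""
SAMPLE_SETTINGS_PY = "MYNETWORKS = ['127.0.0.1', '192.0.2.0/28', '198.51.100.0/25']\n"


def postfix_mynetworks(main_cf):
    """Networks listed in Postfix's mynetworks (last definition wins)."""
    # Drop comment lines, then fold continuation lines (leading whitespace).
    lines = [l for l in main_cf.splitlines() if not l.lstrip().startswith("#")]
    value = ""
    for line in re.sub(r"\n[ \t]+", " ", "\n".join(lines)).splitlines():
        m = re.match(r"mynetworks\s*=\s*(.*)", line)
        if m:
            value = m.group(1)
    nets = []
    for tok in re.split(r"[,\s]+", value):
        # Skip "!" exclusions and file/table lookups; they need manual review.
        if not tok or tok[0] in "!/" or (":" in tok and tok[0] != "["):
            continue
        nets.append(ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False))
    return nets


def iredapd_mynetworks(settings_py):
    """MYNETWORKS from settings.py, read via the AST so the file is not executed."""
    for node in ast.parse(settings_py).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "MYNETWORKS" for t in node.targets
        ):
            return [ipaddress.ip_network(s, strict=False) for s in ast.literal_eval(node.value)]
    return []


def missing_from_iredapd(main_cf, settings_py):
    """Postfix networks not fully covered by any iRedAPD MYNETWORKS entry."""
    allowed = iredapd_mynetworks(settings_py)
    return [str(n) for n in postfix_mynetworks(main_cf)
            if not any(n.version == a.version and n.subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    print(missing_from_iredapd(SAMPLE_MAIN_CF, SAMPLE_SETTINGS_PY))
```

An empty result means every address Postfix treats as a trusted network is also listed in iRedAPD; anything reported would pass "permit_mynetworks" but still be judged by the policy service as an outside client.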