==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.2
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: Rocky 9.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): (why do we still ask this -- when was Apache still an option?)
- Manage mail accounts with iRedAdmin-Pro? No
====

I am trying to resolve a puzzle that seems to have no acceptable solution -- maybe someone here has a bright idea.

Background: we have a old networked scanner that can send scans by SMTP, but has no support for authentication or encryption. Previously both the scanner and the iRedMail installation were in-house. By following the procedure at https://docs.iredmail.org/additional.smtp.port.html (although modified to remove the authentication requirement) scans were accepted by iRedmail and routed to any internal or external recipient.

Although this creates an entirely open relay server, it's safe because iRedMail's firewall is closed to all Alt-SMTP traffic save the scanner (and it's an internal subnet anyway).

Our new iRedMail installation is in the cloud, and I'm trying to achieve the same effect. But it doesn't seem to be possible, as Postfix (deliberately) won't let me configure what I need.

1. I can establish an Alt-SMTP port on the cloud iRedMail and set the firewall to bar all incoming traffic to it except from our scanner.

2. I can (as above) turn off authentication and encryption requirements for the Alt SMTP port.

3. But Postfix won't let me have non-local unauthenticated traffic be relayed to external recipients. Period. Even though I know that only valid traffic can get to Postfix.

From the man page, in the smtpd_relay_restrictions section:

By default, the Postfix SMTP server accepts:

Mail from clients whose IP address matches $mynetworks, or:
Mail from clients who are SASL authenticated, or:
Mail to remote destinations that match $relay_domains, except for addresses that contain sender-specified routing (user@elsewhere@domain), or:
Mail to local destinations that match $inet_interfaces or $proxy_interfaces, $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains.

IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipient_restrictions parameter must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:

reject, reject_unauth_destination
defer, defer_if_permit, defer_unauth_destination

It would seem from the above that all I would need to do is add the scanner's public IP to $mynetworks, but iRedMail uses the option to automatically generate the $mynetworks variable, and there's no option in Postfix to concatenate a single static IP to the automatic string. Thus I would have to manually construct a full version of the string, and manually change it anytime any of the addresses involved (including all the stupid IPv6 ones) changed.

This means I'm forced to specify both smtpd_relay_restrictions=permit and smtpd_recipient_restrictions=permit, but then Postfix does, as promised, refuse to receive mail.

So I'm stuck. Ideas?