I have configured the Dovecot submission service on port 587, with the Postfix server as its relay. They are on two different IP addresses/machines.
The only way I want email to be sent is through port 587, meaning Dovecot will handle it and relay it to Postfix. I do not want people or anything else connecting to port 25 to create new emails and send them to anybody. Everything has to go through Dovecot, and therefore all mail is authenticated against a SASL/MySQL database.
Does this mean in postfix, I should set:
smtpd_sender_restrictions = reject
Would every sender then be rejected immediately, without any further processing, or would this also prevent Dovecot from sending?
postconf -n
# Non-default main.cf settings of the Postfix relay, as printed by postconf -n.
# master.cf is not part of this output, so which smtpd listeners exist (25, 587)
# and any per-service "-o" overrides cannot be seen from here.
access_map_reject_code = 554
alias_maps =
compatibility_level = 2
debug_peer_level = 100
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
lmtp_host_lookup = native
mailbox_size_limit = 0
maps_rbl_reject_code = 554
message_size_limit = 50000000
# With "accept", mail is still accepted when the milter (OpenDKIM below) cannot be reached.
milter_default_action = accept
milter_protocol = 2
multi_recipient_bounce_reject_code = 554
mydestination =
mydomain = s2.__SNIP__.com
myhostname = s2.__SNIP__.com
# Review note: 10.0.0.0/8 is a very wide trust range. Every host in it passes
# permit_mynetworks below and may relay without authenticating. Narrowing this to
# the address(es) of the Dovecot submission host would match the stated goal that
# all outgoing mail is authenticated by Dovecot first.
mynetworks = 127.0.0.1/32 [::1]/128 10.0.0.0/8
myorigin = $mydomain
mysql = mysql:${config_directory}
non_fqdn_reject_code = 554
non_smtpd_milters = inet:opendkim.mail-server:8891
plaintext_reject_code = 554
# NOTE(review): postscreen expects the real client address via the PROXY protocol.
# Confirm that no path into smtpd arrives from a 10.0.0.0/8 proxy address without
# it; such clients would otherwise be treated as mynetworks.
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 10s
readme_directory = no
recipient_delimiter = +
reject_code = 554
relay_domains_reject_code = 554
smtpd_data_restrictions = reject_unauth_pipelining
# "no" means each restriction list is evaluated at its own SMTP command instead of
# being deferred until RCPT TO.
smtpd_delay_reject = no
smtpd_error_sleep_time = 20
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_unknown_helo_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_junk_command_limit = 2
smtpd_milters = inet:opendkim.mail-server:8891
# Clients in mynetworks skip the reverse-DNS checks; everyone else that passes them
# is permitted here. Relaying is still limited by smtpd_relay_restrictions.
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unknown_reverse_client_hostname reject_unknown_client_hostname permit
# Relay policy: mynetworks may send to any destination; all other clients may only
# reach domains this server handles itself (reject_unauth_destination), which is
# what inbound mail on port 25 needs. There is no permit_sasl_authenticated, so a
# SASL login on Postfix itself grants no relay rights.
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
# NOTE(review): port 24 is the LMTP listener used by virtual_transport, not a
# Dovecot auth socket. smtpd_sasl_auth_enable is not listed, so it is presumably at
# its default (off) and this path is unused unless master.cf enables SASL -- confirm.
smtpd_sasl_path = inet:dovecot.mail-server:24
smtpd_sasl_type = dovecot
# These checks apply to every client of this smtpd, including the connection
# Dovecot uses to relay submitted mail. A bare "reject" here would refuse Dovecot's
# mail and inbound mail alike. To exempt one source, put permit_mynetworks (or a
# narrower client check) ahead of the reject, or override the list per service in
# master.cf.
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender
smtpd_soft_error_limit = 1
smtpd_tls_cert_file = /etc/certs/tls.crt
smtpd_tls_key_file = /etc/certs/tls.key
# "may" is opportunistic TLS: STARTTLS is offered but clients are not required to use it.
smtpd_tls_security_level = may
unknown_address_reject_code = 554
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_recipient_reject_reason = Address lookup failure
unverified_sender_reject_code = 554
virtual_alias_maps = ${mysql}/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = ${mysql}/mysql_virtual_mailbox_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = ${mysql}/mysql_virtual_mailbox_maps.cf
# Final delivery for virtual mailboxes is handed to Dovecot over LMTP on port 24.
virtual_transport = lmtp:inet:dovecot.mail-server:24
doveconf -n
# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.9.0-8-amd64 x86_64 Debian buster/sid ext4
# Hostname: dovecot-0.dovecot.mail-server.svc.cluster.local
# Non-default Dovecot settings. Lines starting with "# SECURITY" or "# NOTE(review)"
# are review annotations, not part of the doveconf output.
# SECURITY: auth_debug_passwords and auth_verbose_passwords make Dovecot write
# attempted passwords into the log, which goes to /dev/stderr (log_path below) and
# on to wherever that stream is collected. They are debugging aids; switch them and
# auth_debug off once the setup works.
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
# SECURITY: with "no", PLAIN/LOGIN credentials are accepted on unencrypted
# connections. No "ssl" setting is listed, so it is presumably at its default
# (TLS offered, not required), and the submission listener on 587 sets no
# "ssl = yes". Clients can therefore send their password in the clear. Setting
# disable_plaintext_auth = yes together with ssl = required closes that gap.
disable_plaintext_auth = no
first_valid_gid = 8
first_valid_uid = 8
haproxy_timeout = 5 secs
# Any host in this range may supply a client address through the PROXY protocol on
# the "haproxy = yes" listeners. Narrowing it to the actual proxy addresses limits
# who can do that.
haproxy_trusted_networks = 10.0.0.0/8
hostname = s2.__SNIP__.com
log_path = /dev/stderr
mail_access_groups = mail
mail_debug = yes
mail_gid = mail
mail_home = /mail/%d/%n
mail_location = maildir:/mail/%d/%n
mail_privileged_group = mail
mail_uid = mail
maildir_stat_dirs = yes
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
# Passwords are checked against the SQL database described in dovecot-sql.conf.ext.
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
postmaster_address = info@__SNIP__.com
protocols = " imap lmtp pop3 submission"
service auth-worker {
unix_listener auth-worker {
group = mail
mode = 0660
user = $default_internal_user
}
user = mail
}
service auth {
user = $default_internal_user
}
service dict {
unix_listener dict {
group = mail
mode = 0660
}
}
service imap-login {
inet_listener imap {
haproxy = yes
port = 143
}
inet_listener imaps {
haproxy = yes
port = 993
ssl = yes
}
}
# NOTE(review): LMTP over TCP does not authenticate the sender. Whatever can reach
# port 24 can hand mail to mailboxes, so access should be limited to the Postfix
# host by firewall or network policy.
service lmtp {
inet_listener lmtp {
haproxy = no
port = 24
}
}
service pop3-login {
inet_listener pop3 {
haproxy = yes
port = 110
}
inet_listener pop3s {
haproxy = yes
port = 995
ssl = yes
}
}
# Authenticated submission entry point. No "ssl = yes" is set on this listener;
# see the note at disable_plaintext_auth.
service submission-login {
inet_listener submission {
haproxy = no
port = 587
}
}
ssl_cert = </certs/tls.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
# Mail accepted on 587 is forwarded to Postfix, also on port 587. Postfix's
# master.cf is not shown, so which smtpd service answers there cannot be confirmed.
# NOTE(review): submission_relay_ssl is not listed, so the hop to Postfix is
# presumably unencrypted -- confirm.
submission_relay_host = postfix.mail-server
submission_relay_port = 587
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
verbose_ssl = yes
protocol !indexer-worker {
mail_vsize_bg_after_count = 100
}
protocol lda {
mail_plugins =
}
protocol imap {
mail_plugins =
}
protocol lmtp {
mail_plugins =
recipient_delimiter = +
}
protocol pop3 {
mail_plugins =
}