On Mon, Sep 08, 2008 at 01:23:53PM -0400, Brian Evans - Postfix List wrote:
> > relay_recipient_maps = regexp:/etc/postfix/relay
> >
>
> This looks potentially bad to me, but without knowing what is in that
> /etc/postfix/relay map, it's hard to judge.
> > relayhost = [redacted-trap]
> >
>
> > smtpd_recipient_restrictions = check_policy_service
> > inet:[127.0.0.1]:2025
> > check_sender_access
> > hash:/etc/postfix/sender_access
> > check_client_access
> > hash:/etc/postfix/aol_server_rejects
> > check_client_access
> > hash:/etc/postfix/dnswl_rejects
> > check_client_access
> > hash:/etc/postfix/whitelisted_clients
> > check_recipient_access
> > hash:/etc/postfix/recipient_access
> > reject_invalid_hostname
> > reject_unknown_hostname
> > reject_rbl_client cbl.abuseat.org
> > reject_rbl_client dnsbl.sorbs.net
> > reject_rbl_client aspews.ext.sorbs.net
> > reject_unauth_destination
> >
>
> This is a potential open relay.

Nah, it's sending mail to exactly the correct servers. There's a reason
for this host to have a relayhost setting, and for me to redact it. Look
at the name of the relayhost :P

> If check_sender_access returns or check_recipient_access an OK, then it
> is. They should return permit_auth_destination for the simple fact that
> they are easily forged. Easy fix: move reject_unauth_destination to the
> first position

That would just increase the amount of mail the relayhost needs to
process for no appreciable benefit.

Devdas Bhagat
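The ordering question debated in this thread, as an added example that is not part of the original message: a simplified Python model of how Postfix walks smtpd_recipient_restrictions, where the first result other than DUNNO decides. The table contents, domains and addresses are constructed, and only the two restrictions relevant to the point are modelled.

```python
# Simplified model of Postfix's first-match-wins walk over
# smtpd_recipient_restrictions. Tables and addresses are constructed.

RELAY_DOMAINS = {"example.org"}  # assumed: domains this host legitimately handles

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def authorized(rcpt):
    return domain(rcpt) in RELAY_DOMAINS

def apply_action(action, rcpt):
    """Resolve an access(5) table result to OK, REJECT or DUNNO."""
    if action == "permit_auth_destination":
        return "OK" if authorized(rcpt) else "DUNNO"
    return action  # "OK", "REJECT" or "DUNNO"

def evaluate(restrictions, sender_access, sender, rcpt):
    """Return (verdict, deciding_restriction) for one RCPT TO."""
    for name in restrictions:
        if name == "check_sender_access":
            # MAIL FROM is client-supplied, so this lookup key is forgeable.
            result = apply_action(sender_access.get(domain(sender), "DUNNO"), rcpt)
        elif name == "reject_unauth_destination":
            result = "DUNNO" if authorized(rcpt) else "REJECT"
        else:
            raise ValueError(f"restriction not modelled: {name}")
        if result != "DUNNO":
            return result, name
    return "OK", "end of list"  # Postfix permits when nothing rejects

AS_POSTED = ["check_sender_access", "reject_unauth_destination"]
REJECT_FIRST = ["reject_unauth_destination", "check_sender_access"]

def demo():
    forged, outside = "anyone@example.org", "someone@elsewhere.test"
    ok_map = {"example.org": "OK"}
    pad_map = {"example.org": "permit_auth_destination"}
    return {
        "as_posted": evaluate(AS_POSTED, ok_map, forged, outside),
        "reject_first": evaluate(REJECT_FIRST, ok_map, forged, outside),
        "pad_in_map": evaluate(AS_POSTED, pad_map, forged, outside),
        "local_rcpt": evaluate(AS_POSTED, pad_map, forged, "user@example.org"),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13} {verdict}")
```

Whether the posted host is actually exposed depends on what its sender_access and recipient_access maps return, which the thread does not show.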
