Juan Miscaro wrote:
So I have the following lines in main.cf:

smtpd_recipient_restrictions =
        reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_unknown_reverse_client_hostname
        check_helo_access regexp:/etc/postfix/helo_checks
        check_sender_mx_access cidr:/etc/postfix/bogus_mx
        reject_rbl_client zen.spamhaus.org
        permit

I hope that block is OK.

However, this post is about the 'check_sender_mx_access' line.

Contents of 'bogus_mx':

# bogus networks
0.0.0.0/8               550 Mail server in broadcast network
10.0.0.0/8              550 No route to your RFC 1918 network
127.0.0.0/8             550 Mail server in loopback network
224.0.0.0/4             550 Mail server in class D multicast network
192.168.0.0/16          550 No route to your RFC 1918 network

Now I see in my logs:

postfix/smtpd[10896]: connect from toq1-srv.bellnexxia.net[209.226.175.120]
postfix/smtpd[10896]: NOQUEUE: reject: RCPT from
toq1-srv.bellnexxia.net[209.226.175.120]: 550 5.7.1
<[EMAIL PROTECTED]>: Sender address rejected: Mail server in loopback
network; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP
helo=<toq1-srv.bellnexxia.net>
postfix/smtpd[10896]: disconnect from toq1-srv.bellnexxia.net[209.226.175.120]
postfix/smtpd[10896]: connect from toq1-srv.bellnexxia.net[209.226.175.120]
postfix/smtpd[10896]: 0CA7F20EEE15:
client=toq1-srv.bellnexxia.net[209.226.175.120]
postfix/cleanup[4433]: 0CA7F20EEE15:
message-id=<[EMAIL PROTECTED]>

So here we have a user sending mail to another user in the same
domain.  It makes sense that the mailserver uses its loopback address.
I just thought that what I'm doing is standard but obviously it
breaks in such a common scenario.  Comments?

/juan


I don't think it's common to have localhost as an MX, but it is common to have local/internal domains with an RFC1918 MX.

At any rate, domains that should not be rejected by this rule need to be exempted somehow. There are several ways...

The easy way is to put this check under smtpd_sender_restrictions (and not under smtpd_recipient_restrictions) preceded by a whitelist:
smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/domain_mx_whitelist
  check_sender_mx_access cidr:/etc/postfix/bogus_mx

# domain_mx_whitelist
example.com  OK
example.net  OK


--
Noel Jones
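An offline model of the two restrictions discussed in this thread, added here as illustration (it is not Postfix code and not anything either poster wrote). It parses the thread's bogus_mx cidr: table and the suggested domain_mx_whitelist in their own text formats, and walks a restriction list the way smtpd does: the first OK or 550 result ends evaluation, a miss (DUNNO) falls through to the next check. MX-to-address data is a constructed dict standing in for DNS; the domain names and addresses in it are hypothetical. It shows why Juan's original list rejects a domain whose MX resolves to loopback, and how Noel's whitelist-first ordering exempts that domain while still rejecting an unlisted RFC 1918 MX.

```python
import ipaddress

# Constructed copy of the thread's bogus_mx table (cidr: format).
BOGUS_MX = """
# bogus networks
0.0.0.0/8               550 Mail server in broadcast network
10.0.0.0/8              550 No route to your RFC 1918 network
127.0.0.0/8             550 Mail server in loopback network
224.0.0.0/4             550 Mail server in class D multicast network
192.168.0.0/16          550 No route to your RFC 1918 network
"""

# Constructed whitelist in hash: access-map text format.
DOMAIN_MX_WHITELIST = """
# domain_mx_whitelist
example.com  OK
example.net  OK
"""

# Constructed stand-in for DNS MX resolution (hypothetical addresses).
FAKE_MX_ADDRS = {
    "example.com": ["127.0.0.1"],    # internal domain whose MX is loopback
    "example.org": ["10.1.2.3"],     # not whitelisted, RFC 1918 MX
    "example.edu": ["203.0.113.5"],  # documentation range, no table hit
}


def parse_cidr_table(text):
    """Return [(network, result)] from cidr: table text; '#' lines are comments."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, result = line.split(None, 1)
        table.append((ipaddress.ip_network(prefix, strict=False), result))
    return table


def cidr_lookup(table, addr):
    """First matching entry wins, as in Postfix cidr: tables."""
    ip = ipaddress.ip_address(addr)
    for network, result in table:
        if ip in network:
            return result
    return None


def parse_access_map(text):
    """Return {key: result} from access-map text (one key and result per line)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, result = line.split(None, 1)
        entries[key.lower()] = result
    return entries


def check_sender_access(access_map, sender, mx_addrs):
    """Look up user@domain, then the domain and its parent domains."""
    domain = sender.lower().rpartition("@")[2]
    labels = domain.split(".")
    candidates = [sender.lower()]
    candidates += [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for key in candidates:
        if key in access_map:
            return access_map[key]
    return None


def check_sender_mx_access(cidr_table, sender, mx_addrs):
    """Reject when any address of the sender domain's MX hosts hits the table."""
    for addr in mx_addrs:
        result = cidr_lookup(cidr_table, addr)
        if result is not None:
            return result
    return None


def run_restrictions(sender, mx_addrs, checks):
    """Walk the list: first OK/550 result ends evaluation, None (DUNNO) continues."""
    for check in checks:
        result = check(sender, mx_addrs)
        if result is not None:
            return result
    return None


def original_config(sender):
    """check_sender_mx_access alone, as in the original main.cf."""
    table = parse_cidr_table(BOGUS_MX)
    checks = [lambda s, a: check_sender_mx_access(table, s, a)]
    return run_restrictions(sender, FAKE_MX_ADDRS[sender.split("@")[1]], checks)


def whitelisted_config(sender):
    """Whitelist first, then the MX check, as suggested in the reply."""
    table = parse_cidr_table(BOGUS_MX)
    wl = parse_access_map(DOMAIN_MX_WHITELIST)
    checks = [
        lambda s, a: check_sender_access(wl, s, a),
        lambda s, a: check_sender_mx_access(table, s, a),
    ]
    return run_restrictions(sender, FAKE_MX_ADDRS[sender.split("@")[1]], checks)


if __name__ == "__main__":
    for s in ("juan@example.com", "bob@example.org", "eve@example.edu"):
        print(s, "| original:", original_config(s), "| whitelisted:", whitelisted_config(s))
```

The model deliberately keeps Postfix's ordering rule visible: the whitelist only helps because it sits before check_sender_mx_access in the same restriction list, which is the point of Noel's suggestion. An unlisted domain with an RFC 1918 MX still gets the 550, and a domain whose MX lands outside every table entry falls through as DUNNO to whatever restriction comes next.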
