2008/9/25 Noel Jones <[EMAIL PROTECTED]>:
> Juan Miscaro wrote:
>>
>> So I have the following lines in main.cf:
>>
>> smtpd_recipient_restrictions =
>>     reject_non_fqdn_recipient
>>     reject_non_fqdn_sender
>>     reject_unknown_sender_domain
>>     permit_mynetworks
>>     permit_sasl_authenticated
>>     reject_unauth_destination
>>     reject_unknown_reverse_client_hostname
>>     check_helo_access regexp:/etc/postfix/helo_checks
>>     check_sender_mx_access cidr:/etc/postfix/bogus_mx
>>     reject_rbl_client zen.spamhaus.org
>>     permit
>>
>> I hope that block is OK.
>>
>> However, this post is about the 'check_sender_mx_access' line.
>>
>> Contents of 'bogus_mx':
>>
>> # bogus networks
>> 0.0.0.0/8       550 Mail server in broadcast network
>> 10.0.0.0/8      550 No route to your RFC 1918 network
>> 127.0.0.0/8     550 Mail server in loopback network
>> 224.0.0.0/4     550 Mail server in class D multicast network
>> 192.168.0.0/16  550 No route to your RFC 1918 network
>>
>> Now I see in my logs:
>>
>> postfix/smtpd[10896]: connect from toq1-srv.bellnexxia.net[209.226.175.120]
>> postfix/smtpd[10896]: NOQUEUE: reject: RCPT from toq1-srv.bellnexxia.net[209.226.175.120]: 550 5.7.1 <[EMAIL PROTECTED]>: Sender address rejected: Mail server in loopback network; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP helo=<toq1-srv.bellnexxia.net>
>> postfix/smtpd[10896]: disconnect from toq1-srv.bellnexxia.net[209.226.175.120]
>> postfix/smtpd[10896]: connect from toq1-srv.bellnexxia.net[209.226.175.120]
>> postfix/smtpd[10896]: 0CA7F20EEE15: client=toq1-srv.bellnexxia.net[209.226.175.120]
>> postfix/cleanup[4433]: 0CA7F20EEE15: message-id=<[EMAIL PROTECTED]>
>>
>> So here we have a user sending mail to another user in the same
>> domain. It makes sense that the mailserver uses its loopback address.
>> I just thought that what I'm doing is standard but obviously it
>> breaks in such a common scenario. Comments?
>>
>> /juan
>
>
> I don't think it's common to have localhost as an MX, but it is common to
> have local/internal domains with an RFC1918 MX.
>
> At any rate, domains that should not be rejected by this rule need to be
> exempted somehow. There are several ways...
>
> The easy way is to put this check under smtpd_sender_restrictions (and Not
> under smtpd_recipient_restrictions) preceded by a whitelist:
>
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/domain_mx_whitelist
>     check_sender_mx_access cidr:/etc/postfix/bogus_mx
>
> # domain_mx_whitelist
> example.com     OK
> example.net     OK
Thank you, Noel. However, since there will be many more domains hosted on this server, is there not a better way? Or perhaps my server is misconfigured. My server evidently resides on a protected internal network and so, yes, it also has an RFC1918 address. Right now my hosts file has both 127.0.0.1 and an RFC1918 address listed there.

/juan
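The ordering Noel recommends, modelled as an added example. This is not Postfix source and not code from the thread: it parses the two tables quoted above (the cidr-style bogus_mx and the hash-style domain_mx_whitelist), resolves MX hosts from a constructed in-memory DNS table instead of real DNS, and evaluates a restriction list the way Postfix does, where the first restriction returning anything other than DUNNO decides. The parent-domain fallback in the whitelist lookup and the "first matching MX address wins" rule are assumptions about Postfix behaviour made for the model.

```python
"""Model of check_sender_access + check_sender_mx_access ordering (added example)."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Tables copied from the thread.
BOGUS_MX = """\
# bogus networks
0.0.0.0/8       550 Mail server in broadcast network
10.0.0.0/8      550 No route to your RFC 1918 network
127.0.0.0/8     550 Mail server in loopback network
224.0.0.0/4     550 Mail server in class D multicast network
192.168.0.0/16  550 No route to your RFC 1918 network
"""

DOMAIN_MX_WHITELIST = """\
# domain_mx_whitelist
example.com     OK
example.net     OK
"""

# Constructed DNS data (assumption): sender domain -> {MX host: [addresses]}.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {"mail.example.com": ["127.0.0.1", "192.168.1.10"]},  # the thread's case
    "example.org": {"mx1.example.org": ["203.0.113.5"]},                  # ordinary public MX
    "spammer.test": {"mx.spammer.test": ["10.0.0.5"]},                    # MX on RFC1918 space
}


def parse_cidr_table(text: str):
    """cidr: tables are scanned top to bottom; keep order, skip comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(net), action.strip()))
    return rules


def parse_hash_table(text: str) -> Dict[str, str]:
    """hash: tables are keyed by exact string; keys are lower-cased."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def cidr_lookup(rules, ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, action in rules:          # first match wins
        if addr in net:
            return action
    return None


def sender_domain(sender: str) -> str:
    return sender.rsplit("@", 1)[1].lower()


def check_sender_access(table: Dict[str, str], sender: str) -> Optional[str]:
    """Look up the sender domain, then its parent domains (assumed Postfix behaviour)."""
    labels = sender_domain(sender).split(".")
    for i in range(len(labels) - 1):   # never match the bare TLD
        action = table.get(".".join(labels[i:]))
        if action:
            return action
    return None


def check_sender_mx_access(rules, sender: str, dns) -> Optional[str]:
    """Apply the cidr table to every address of every MX of the sender domain."""
    for addrs in dns.get(sender_domain(sender), {}).values():
        for ip in addrs:
            action = cidr_lookup(rules, ip)
            if action:
                return action          # assumption: first matching address decides
    return None


def evaluate(restrictions: List[Callable[[str], Optional[str]]], sender: str) -> str:
    for restriction in restrictions:
        action = restriction(sender)
        if action is not None:          # anything but DUNNO ends the list
            return action
    return "DUNNO"


RULES = parse_cidr_table(BOGUS_MX)
WHITELIST = parse_hash_table(DOMAIN_MX_WHITELIST)


def original_result(sender: str) -> str:
    """Juan's setup: only the MX check."""
    return evaluate([lambda s: check_sender_mx_access(RULES, s, FAKE_DNS)], sender)


def fixed_result(sender: str) -> str:
    """Noel's setup: whitelist first, then the MX check."""
    return evaluate([
        lambda s: check_sender_access(WHITELIST, s),
        lambda s: check_sender_mx_access(RULES, s, FAKE_DNS),
    ], sender)


if __name__ == "__main__":
    for s in ("user@example.com", "user@sub.example.com", "user@example.org", "user@spammer.test"):
        print(f"{s:25} original={original_result(s)!r:45} fixed={fixed_result(s)!r}")
```

The reason Noel puts the pair under smtpd_sender_restrictions rather than smtpd_recipient_restrictions is the security-relevant part of the advice: an OK result terminates the list it appears in, so an OK in smtpd_recipient_restrictions placed ahead of reject_unauth_destination would let whitelisted sender domains relay anywhere. In smtpd_sender_restrictions the OK only skips the remaining sender checks; smtpd_recipient_restrictions still runs afterwards and reject_unauth_destination still applies.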