Juan Miscaro wrote:
2008/9/25 Noel Jones <[EMAIL PROTECTED]>:
Juan Miscaro wrote:
So I have the following lines in main.cf:
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_reverse_client_hostname
    check_helo_access regexp:/etc/postfix/helo_checks
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    reject_rbl_client zen.spamhaus.org
    permit
I hope that block is OK.
However, this post is about the 'check_sender_mx_access' line.
Contents of 'bogus_mx':
# bogus networks
0.0.0.0/8 550 Mail server in broadcast network
10.0.0.0/8 550 No route to your RFC 1918 network
127.0.0.0/8 550 Mail server in loopback network
224.0.0.0/4 550 Mail server in class D multicast network
192.168.0.0/16 550 No route to your RFC 1918 network
Now I see in my logs:
postfix/smtpd[10896]: connect from toq1-srv.bellnexxia.net[209.226.175.120]
postfix/smtpd[10896]: NOQUEUE: reject: RCPT from toq1-srv.bellnexxia.net[209.226.175.120]: 550 5.7.1 <[EMAIL PROTECTED]>: Sender address rejected: Mail server in loopback network; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP helo=<toq1-srv.bellnexxia.net>
postfix/smtpd[10896]: disconnect from toq1-srv.bellnexxia.net[209.226.175.120]
postfix/smtpd[10896]: connect from toq1-srv.bellnexxia.net[209.226.175.120]
postfix/smtpd[10896]: 0CA7F20EEE15: client=toq1-srv.bellnexxia.net[209.226.175.120]
postfix/cleanup[4433]: 0CA7F20EEE15: message-id=<[EMAIL PROTECTED]>
So here we have a user sending mail to another user in the same
domain. It makes sense that the mailserver uses its loopback address.
I just thought that what I'm doing is standard but obviously it
breaks in such a common scenario. Comments?
/juan
I don't think it's common to have localhost as an MX, but it is common to
have local/internal domains with an RFC1918 MX.
At any rate, domains that should not be rejected by this rule need to be
exempted somehow. There are several ways...
The easy way is to put this check under smtpd_sender_restrictions (and not
under smtpd_recipient_restrictions) preceded by a whitelist:
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/domain_mx_whitelist
    check_sender_mx_access cidr:/etc/postfix/bogus_mx

# domain_mx_whitelist
example.com OK
example.net OK
Thank you Noel.
However, since there will be many more domains hosted on this server
is there not a better way?
yes, there is: remove your check_sender_mx_access. did it ever catch
spam on your server? it never caught anything here.
Or perhaps my server is misconfigured. My
server evidently resides on a protected internal network and so, yes,
it also has an RFC1918 address. Right now my hosts file has both
127.0.0.1 and an RFC1918 address listed there.
/juan
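
Added example, not part of the original thread: a simplified Python model of the whitelist-then-check_sender_mx_access evaluation discussed above, useful for listing which hosted domains need an exemption before the bogus_mx table is deployed. The MX addresses and helper names are constructed for illustration; the real check_sender_access lookup also tries the full address and parent domains, which this model omits.

```python
import ipaddress

# bogus_mx as posted in the thread; a cidr: table is searched in order, first match wins.
BOGUS_MX = """\
# bogus networks
0.0.0.0/8 550 Mail server in broadcast network
10.0.0.0/8 550 No route to your RFC 1918 network
127.0.0.0/8 550 Mail server in loopback network
224.0.0.0/4 550 Mail server in class D multicast network
192.168.0.0/16 550 No route to your RFC 1918 network
"""
# Constructed sample data: sender domain -> addresses its MX hosts resolve to on this server.
MX_ADDRS = {
    "example.com": ["127.0.0.1"],     # hosted locally, resolves to loopback
    "example.net": ["192.168.1.10"],  # internal domain with an RFC 1918 MX
    "example.org": ["192.0.2.25"],    # external domain with a routable MX
}
WHITELIST = {"example.com", "example.net"}  # domain_mx_whitelist from the reply

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            net, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(net), action))
    return rules

def check_sender_mx_access(domain, rules, mx_addrs):
    """Return the action of the first rule matching any MX address, else None."""
    for addr in mx_addrs.get(domain, []):
        ip = ipaddress.ip_address(addr)
        for net, action in rules:
            if ip in net:
                return action
    return None

def sender_restrictions(sender, rules, mx_addrs, whitelist=()):
    """Model: check_sender_access whitelist first, then check_sender_mx_access."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in whitelist:
        return "OK"  # whitelist hit ends evaluation of this restriction list
    return check_sender_mx_access(domain, rules, mx_addrs) or "DUNNO"

def domains_needing_exemption(rules, mx_addrs):
    """Domains that bogus_mx would reject when no whitelist precedes it."""
    return sorted(d for d in mx_addrs if check_sender_mx_access(d, rules, mx_addrs))
```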