2008/9/25 mouss <[EMAIL PROTECTED]>:
> Juan Miscaro wrote:
>>
>> 2008/9/25 Noel Jones <[EMAIL PROTECTED]>:
>>>
>>> Juan Miscaro wrote:
>>>>
>>>> So I have the following lines in main.cf:
>>>>
>>>> smtpd_recipient_restrictions =
>>>>     reject_non_fqdn_recipient
>>>>     reject_non_fqdn_sender
>>>>     reject_unknown_sender_domain
>>>>     permit_mynetworks
>>>>     permit_sasl_authenticated
>>>>     reject_unauth_destination
>>>>     reject_unknown_reverse_client_hostname
>>>>     check_helo_access regexp:/etc/postfix/helo_checks
>>>>     check_sender_mx_access cidr:/etc/postfix/bogus_mx
>>>>     reject_rbl_client zen.spamhaus.org
>>>>     permit
>>>>
>>>> I hope that block is OK.
>>>>
>>>> However, this post is about the 'check_sender_mx_access' line.
>>>>
>>>> Contents of 'bogus_mx':
>>>>
>>>> # bogus networks
>>>> 0.0.0.0/8       550 Mail server in broadcast network
>>>> 10.0.0.0/8      550 No route to your RFC 1918 network
>>>> 127.0.0.0/8     550 Mail server in loopback network
>>>> 224.0.0.0/4     550 Mail server in class D multicast network
>>>> 192.168.0.0/16  550 No route to your RFC 1918 network
>>>>
>>>> Now I see in my logs:
>>>>
>>>> postfix/smtpd[10896]: connect from toq1-srv.bellnexxia.net[209.226.175.120]
>>>> postfix/smtpd[10896]: NOQUEUE: reject: RCPT from toq1-srv.bellnexxia.net[209.226.175.120]: 550 5.7.1 <[EMAIL PROTECTED]>: Sender address rejected: Mail server in loopback network; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP helo=<toq1-srv.bellnexxia.net>
>>>> postfix/smtpd[10896]: disconnect from toq1-srv.bellnexxia.net[209.226.175.120]
>>>> postfix/smtpd[10896]: connect from toq1-srv.bellnexxia.net[209.226.175.120]
>>>> postfix/smtpd[10896]: 0CA7F20EEE15: client=toq1-srv.bellnexxia.net[209.226.175.120]
>>>> postfix/cleanup[4433]: 0CA7F20EEE15: message-id=<[EMAIL PROTECTED]>
>>>>
>>>> So here we have a user sending mail to another user in the same
>>>> domain. It makes sense that the mail server uses its loopback address.
>>>> I just thought that what I'm doing is standard but obviously it
>>>> breaks in such a common scenario. Comments?
>>>>
>>>> /juan
>>>
>>> I don't think it's common to have localhost as an MX, but it is common to
>>> have local/internal domains with an RFC1918 MX.
>>>
>>> At any rate, domains that should not be rejected by this rule need to be
>>> exempted somehow. There are several ways...
>>>
>>> The easy way is to put this check under smtpd_sender_restrictions (and not
>>> under smtpd_recipient_restrictions), preceded by a whitelist:
>>>
>>> smtpd_sender_restrictions =
>>>     check_sender_access hash:/etc/postfix/domain_mx_whitelist
>>>     check_sender_mx_access cidr:/etc/postfix/bogus_mx
>>>
>>> # domain_mx_whitelist
>>> example.com     OK
>>> example.net     OK
>>
>> Thank you Noel.
>>
>> However, since there will be many more domains hosted on this server,
>> is there not a better way?
>
> yes, there is: remove your check_sender_mx_access. did it ever catch spam on
> your server? it never caught anything here.

Nicely said mouss, nicely said.

>> Or perhaps my server is misconfigured. My
>> server evidently resides on a protected internal network and so, yes,
>> it also has an RFC1918 address. Right now my hosts file has both
>> 127.0.0.1 and an RFC1918 address listed there.
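The following is an added worked example, not code from the thread or from Postfix itself. It models how smtpd walks the two restriction lists discussed above (Juan's bare check_sender_mx_access versus Noel's whitelist-first ordering) so the rejection in the log and the effect of the whitelist can be seen side by side offline. The cidr table is a copy of Juan's bogus_mx; the MX addresses in FAKE_MX and the domains spam.example and good.example are constructed stand-ins for DNS; HOSTED_DOMAINS is an assumed list from which the whitelist is generated, which is one answer to the "many more domains" objection (in a real deployment the same list that feeds mydestination or virtual_mailbox_domains can be fed through postmap into domain_mx_whitelist). The lookup semantics mirrored here are: cidr tables take the first matching entry in file order, check_sender_access tries the full address, the domain, its parent domains and then localpart@, OK or a reject ends the list, and DUNNO passes the decision on. The code is mine; parent-domain matching is simplified.

```python
import ipaddress

# Constructed copy of the bogus_mx cidr table from the thread (same entries, same order).
BOGUS_MX_TABLE = """\
# bogus networks
0.0.0.0/8       550 Mail server in broadcast network
10.0.0.0/8      550 No route to your RFC 1918 network
127.0.0.0/8     550 Mail server in loopback network
224.0.0.0/4     550 Mail server in class D multicast network
192.168.0.0/16  550 No route to your RFC 1918 network
"""

# Constructed stand-in for DNS: sender domain -> addresses of its MX hosts.
# Postfix resolves these live; they are fixed here so the example runs offline.
FAKE_MX = {
    "example.com": ["127.0.0.1"],        # the thread's case: the MX resolves to loopback
    "example.net": ["192.168.5.25"],     # hosted domain with an RFC 1918 MX
    "spam.example": ["10.1.2.3"],        # not hosted here, MX in RFC 1918 space
    "good.example": ["192.0.2.10"],      # routable MX, nothing to object to
}

# Assumed: the whitelist is generated from the domains this server hosts,
# so it does not have to be hand-edited every time a domain is added.
HOSTED_DOMAINS = ["example.com", "example.net"]


def parse_cidr_table(text):
    """Parse a Postfix cidr: table into an ordered list of (network, result)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, result = line.split(None, 1)
        entries.append((ipaddress.ip_network(net), result.strip()))
    return entries


def cidr_lookup(table, ip):
    """cidr_table(5) semantics: entries are tried in file order, first match wins."""
    addr = ipaddress.ip_address(ip)
    for net, result in table:
        if addr.version == net.version and addr in net:
            return result
    return None


def access_keys(sender):
    """Keys check_sender_access tries, in order: the full address, the domain,
    its parent domains (stopping short of the top-level label), then localpart@."""
    local, _, domain = sender.partition("@")
    keys = [sender, domain]
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        keys.append(".".join(labels[i:]))
    keys.append(local + "@")
    return keys


def check_sender_access(whitelist, sender):
    """Return the table's action for the first key that matches, else DUNNO."""
    for key in access_keys(sender):
        if key in whitelist:
            return whitelist[key]
    return "DUNNO"


def check_sender_mx_access(table, sender, mx=FAKE_MX):
    """Look up each MX address of the sender domain in the cidr table.
    Postfix does not accept OK from this restriction: it can only reject
    or stay silent (DUNNO), so it cannot whitelist anything by itself."""
    domain = sender.partition("@")[2]
    for ip in mx.get(domain, []):
        result = cidr_lookup(table, ip)
        if result is not None:
            return result
    return "DUNNO"


def evaluate(sender, restrictions):
    """Walk a restriction list as smtpd does: the first OK or reject ends it,
    DUNNO hands the decision to the next restriction."""
    for restriction in restrictions:
        result = restriction(sender)
        if result != "DUNNO":
            return result
    return "DUNNO"


BOGUS_MX = parse_cidr_table(BOGUS_MX_TABLE)
WHITELIST = {domain: "OK" for domain in HOSTED_DOMAINS}

# Noel's ordering: whitelist first, then the MX check.
SENDER_RESTRICTIONS = [
    lambda s: check_sender_access(WHITELIST, s),
    lambda s: check_sender_mx_access(BOGUS_MX, s),
]


def sender_verdict(sender, restrictions=SENDER_RESTRICTIONS):
    return evaluate(sender, restrictions)


if __name__ == "__main__":
    for s in ("user@example.com", "user@example.net", "user@spam.example", "user@good.example"):
        print(f"{s:20} with whitelist: {sender_verdict(s)}")
        print(f"{s:20} MX check only:  {sender_verdict(s, SENDER_RESTRICTIONS[1:])}")
```

Running it reproduces the thread's rejection for user@example.com when only the MX check is active (127.0.0.1 hits the 127.0.0.0/8 line) and shows it passing once the whitelist is consulted first, while a domain that is not hosted here and has an RFC 1918 MX is still rejected. The whitelist belongs in smtpd_sender_restrictions for the reason Noel gives rather than for convenience: an envelope sender is trivially forged, and an OK inside smtpd_recipient_restrictions would let anyone claiming a whitelisted domain skip every restriction after it in that list, including reject_rbl_client. In smtpd_sender_restrictions the OK only ends that list, and the recipient restrictions still run in full.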