Henrik K wrote:
> On Thu, Sep 25, 2008 at 03:30:18PM +0200, mouss wrote:
>>> However, since there will be many more domains hosted on this server
>>> is there not a better way?
>>
>> yes, there is: remove your check_sender_mx_access. did it ever catch
>> spam on your server? it never caught anything here.
>
> I don't use it purely for spam prevention. Checking that the sender and
> recipient MXs aren't pointing to places such as localhost prevents all sorts
> of funny things. What's the point of receiving mail if you can't reply to it
> anyway?

I agree on the principle of "reachable senders", but I have used it for
so long and it never caught any spam. so why query dns for every email
when it catches nothing? and given that the sender may be forged, you'll
be hitting an innocent dns server. not a serious issue, but if the
benefit is 0 hit, ...

note also that a wrong envelope sender doesn't mean you can't reply. The
From: header may still be ok.

The only times I've seen an "unreachable" sender (not blocked by zen and
other checks) was with legitimate mail. the most noticeable was very
important mail (financial!) caused by an upgrade of the remote
application server.

> The REAL solution is not to check mx access for local mail. If sender and
> recipient are on same domain, then most likely you should use
> permit_mynetworks or such before the check.

He already has permit_mynetworks and so on. so his problem is different
(and probably rare). He needs to exclude his domains from
check_mx_access. If he puts check_mx_access at the end of his
restrictions, he can use permit_auth_destination. but again, is all this
worth the pain?
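
An added illustration, not part of the original message: a simplified Python model of how Postfix walks a restriction list (the first PERMIT or REJECT wins, DUNNO falls through), showing how the position of the MX check relative to permit_auth_destination changes the verdict. `check_mx_access` here stands in for check_sender_mx_access plus check_recipient_mx_access; the domains, addresses and both orderings are constructed assumptions, not the poster's configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
HOSTED_DOMAINS = {"example.org"}                  # domains this server accepts mail for
MX_ADDRS = {"example.org": ["127.0.0.1"],         # hosted domain: MX is this machine
            "example.net": ["198.51.100.25"],
            "bogus.example": ["127.0.0.1"]}       # remote domain with a loopback MX
BOGUS_MX = [ipaddress.ip_network("127.0.0.0/8")]  # mx_access table: REJECT these

@dataclass
class Mail:
    client_ip: str
    sender_domain: str
    rcpt_domain: str

def _mx_bogus(domain):
    return any(ipaddress.ip_address(a) in net
               for a in MX_ADDRS.get(domain, []) for net in BOGUS_MX)

def permit_mynetworks(m):
    ip = ipaddress.ip_address(m.client_ip)
    return "PERMIT" if any(ip in n for n in MYNETWORKS) else "DUNNO"

def permit_auth_destination(m):
    return "PERMIT" if m.rcpt_domain in HOSTED_DOMAINS else "DUNNO"

def reject_unauth_destination(m):
    return "DUNNO" if m.rcpt_domain in HOSTED_DOMAINS else "REJECT"

def check_mx_access(m):
    # Stands in for the sender and recipient MX checks discussed above.
    bad = _mx_bogus(m.sender_domain) or _mx_bogus(m.rcpt_domain)
    return "REJECT" if bad else "DUNNO"

def evaluate(restrictions, m):
    """First PERMIT or REJECT wins; DUNNO falls through; end of list permits."""
    for r in restrictions:
        verdict = r(m)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "PERMIT", "end of list"

# Assumed orderings: MX check ahead of any exemption vs. behind permit_auth_destination.
CHECK_FIRST = [permit_mynetworks, reject_unauth_destination, check_mx_access]
CHECK_LAST = [permit_mynetworks, permit_auth_destination,
              check_mx_access, reject_unauth_destination]
```

In the second ordering the MX check never sees mail addressed to a hosted domain, including mail whose sender domain has a loopback MX.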