mouss wrote:
> Henrik K wrote:
>> On Thu, Sep 25, 2008 at 03:30:18PM +0200, mouss wrote:
>>>> However, since there will be many more domains hosted on this server
>>>> is there not a better way?
>>> yes, there is: remove your check_sender_mx_access. did it ever
>>> catch spam on your server? it never caught anything here.
>>
>> I don't use it purely for spam prevention. Checking that sender and
>> recipient MX's aren't pointing to places such as localhost prevents
>> all sorts of funny things. What's the point of receiving mail if you
>> can't reply to it anyway?
>
> I agree on the principle of "reachable senders", but I have used it
> for so long and it never caught any spam. so why query dns for every
> email when it catches nothing. and given that the sender may be
> forged, you'll be hitting an innocent dns server. not a serious issue,
> but if the benefit is 0 hit, ...
>
> note also that a wrong envelope sender doesn't mean you can't reply.
> The From: header may still be ok.
>
> The only times I've seen an "unreachable" sender (not blocked by zen
> and other checks) was with legitimate mail. the most noticeable was
> very important mail (financial!) caused by an upgrade of the remote
> application server.
>
>>
>> The REAL solution is not to check mx access for local mail. If sender
>> and recipient are on same domain, then most likely you should use
>> permit_mynetworks or such before the check.
>>
>
> He already has permit_mynetworks and so on. so his problem is
> different (and probably rare). He needs to exclude his domains from
> check_mx_access. If he puts check_mx_access at the end of his
> restrictions, he can use permit_auth_destination. but again, is all
> this worth the pain?

The problem the OP appears to fall into is that mail coming from outside the mynetworks is being trapped to do a "local" DNS MX/A record. It is probably pointing mail to the "example.com" as 127.0.0.1 (not uncommon). Without knowing the result of 'host example.com' on the Postfix box, we will never know.

Brian
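
A small model of the failure described in this thread, as an added example that is not part of the original messages and is not Postfix code: it evaluates a sender-MX access check against the DNS view seen on the mail server itself, and shows the effect of excluding local domains. The network list, the DNS data and the names `mx_verdict`, `BOGUS_NETS` and `LOCAL_DNS_VIEW` are constructed assumptions.

```python
import ipaddress

# Address ranges an MX access table might reject (constructed, an assumption).
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed DNS view as resolved ON the mail server: the hosted domain
# example.com answers with loopback locally, the case Brian suspects.
LOCAL_DNS_VIEW = {
    "example.com": [("example.com", ["127.0.0.1"])],
    "example.org": [("mx1.example.org", ["192.0.2.25"]),
                    ("mx2.example.org", ["192.0.2.26"])],
}

def sender_domain(envelope_sender):
    """Domain part of the envelope sender (MAIL FROM) address."""
    return envelope_sender.rsplit("@", 1)[-1].lower()

def mx_verdict(envelope_sender, dns_view, local_domains=frozenset()):
    """Return (action, reason) for the sender's MX hosts.

    REJECT if any MX address falls inside BOGUS_NETS, otherwise DUNNO
    (no opinion). Domains listed in local_domains skip the check.
    """
    domain = sender_domain(envelope_sender)
    if domain in local_domains:
        return ("DUNNO", "local domain, MX check skipped")
    for host, addrs in dns_view.get(domain, []):
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            for net in BOGUS_NETS:
                if ip in net:
                    return ("REJECT", f"{host} -> {addr} in {net}")
    return ("DUNNO", "no MX address in a rejected range")

if __name__ == "__main__":
    hosted = {"example.com"}
    for sender in ("user@example.com", "user@example.org"):
        print(sender, "unfiltered:", mx_verdict(sender, LOCAL_DNS_VIEW))
        print(sender, "excluded:  ", mx_verdict(sender, LOCAL_DNS_VIEW, hosted))
```
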