Julian Cowley:
> Hello,
>
> Several months ago I discovered a problem with reject_unlisted_sender
> allowing through some mail that should have been blocked. I finally
> found the incentive to track it down and create a simple test case
> for it.

Good catch. Unfortunately, a quick check shows that
(smtpd_)reject_unlisted_recipient is broken in more ways, and
I have several serious deadlines in the remainder of this month.

Workarounds are easy (don't set state->sender_rcptmap_checked=1)
but that can result in unnecessary table lookups.

So I recommend that you use reject_unlisted_sender inside
smtpd_sender_restrictions until I get around to it later this year.

This is subtle code and I will not have time to review solutions
from other people.

Wietse

> The apparent problem is that reject_unlisted_sender in
> smtpd_recipient_restrictions doesn't work correctly when
> smtpd_delay_reject is set to no. If the sender address would be
> blocked by reject_unlisted_sender, the first RCPT TO blocks the
> invalid sender address as expected, but any RCPT TO sent afterward
> is accepted with a 250 OK.
>
> Here are two raw SMTP transcripts that show the problem (nothing has
> been changed here). In the following, [EMAIL PROTECTED]
> is not a valid address, and [EMAIL PROTECTED] is valid (it is
> listed in local_recipient_maps).
>
> $ postconf mail_version
> mail_version = 2.5.5
>
> $ postconf myhostname
> myhostname = babingka.lava.net
>
> The first is with smtpd_delay_reject set to yes (the default), and
> everything works correctly.
>
> $ postconf -n
> config_directory = /etc/postfix
> smtpd_delay_reject = yes
> smtpd_recipient_restrictions = reject_unauth_destination,
> reject_unlisted_sender
>
> --> 220 babingka.lava.net ESMTP Postfix
> <-- EHLO primo.lava.net
> --> 250-babingka.lava.net
> --> 250-PIPELINING
> --> 250-SIZE 10240000
> --> 250-VRFY
> --> 250-ETRN
> --> 250-ENHANCEDSTATUSCODES
> --> 250-8BITMIME
> --> 250 DSN
> <-- MAIL FROM:<[EMAIL PROTECTED]>
> --> 250 2.1.0 Ok
> <-- RCPT TO:<[EMAIL PROTECTED]>
> --> 550 5.1.0 <[EMAIL PROTECTED]>: Sender address rejected: User unknown
> in local recipient table
> <-- RCPT TO:<[EMAIL PROTECTED]>
> --> 550 5.1.0 <[EMAIL PROTECTED]>: Sender address rejected: User unknown
> in local recipient table
> <-- RCPT TO:<[EMAIL PROTECTED]>
> --> 550 5.1.0 <[EMAIL PROTECTED]>: Sender address rejected: User unknown
> in local recipient table
> <-- RCPT TO:<[EMAIL PROTECTED]>
> --> 550 5.1.0 <[EMAIL PROTECTED]>: Sender address rejected: User unknown
> in local recipient table
> <-- QUIT
> --> 221 2.0.0 Bye
>
> Now with smtpd_delay_reject set to no. Notice the first address is
> blocked, but all recipients after that get accepted.
>
> $ postconf -n
> config_directory = /etc/postfix
> smtpd_delay_reject = no
> smtpd_recipient_restrictions = reject_unauth_destination,
> reject_unlisted_sender
>
> --> 220 babingka.lava.net ESMTP Postfix
> <-- EHLO primo.lava.net
> --> 250-babingka.lava.net
> --> 250-PIPELINING
> --> 250-SIZE 10240000
> --> 250-VRFY
> --> 250-ETRN
> --> 250-ENHANCEDSTATUSCODES
> --> 250-8BITMIME
> --> 250 DSN
> <-- MAIL FROM:<[EMAIL PROTECTED]>
> --> 250 2.1.0 Ok
> <-- RCPT TO:<[EMAIL PROTECTED]>
> --> 550 5.1.0 <[EMAIL PROTECTED]>: Sender address rejected: User unknown
> in local recipient table
> <-- RCPT TO:<[EMAIL PROTECTED]>
> --> 250 2.1.5 Ok
> <-- RCPT TO:<[EMAIL PROTECTED]>
> --> 250 2.1.5 Ok
> <-- RCPT TO:<[EMAIL PROTECTED]>
> --> 250 2.1.5 Ok
> <-- QUIT
> --> 221 2.0.0 Bye
>
>
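
A transcript check for the behaviour reported above, as an added example that is not part of the original message or of Postfix: it scans a `-->`/`<--` transcript in the format quoted here and lists every RCPT TO that was accepted after a sender rejection in the same mail transaction. The sample transcripts and their example.com addresses are constructed, and `find_inconsistent_rcpt` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the second transcript in the post;
# the addresses are placeholders, not values from the page.
SAMPLE_BAD = """\
--> 220 mx.example.com ESMTP Postfix
<-- EHLO client.example.net
--> 250-mx.example.com
--> 250 DSN
<-- MAIL FROM:<nosuchuser@example.com>
--> 250 2.1.0 Ok
<-- RCPT TO:<alice@example.com>
--> 550 5.1.0 <nosuchuser@example.com>: Sender address rejected: User unknown
    in local recipient table
<-- RCPT TO:<bob@example.com>
--> 250 2.1.5 Ok
<-- QUIT
--> 221 2.0.0 Bye
"""
# Constructed counterpart where every RCPT is rejected consistently.
SAMPLE_GOOD = SAMPLE_BAD.replace(
    "250 2.1.5 Ok", "550 5.1.0 Sender address rejected: User unknown")


def find_inconsistent_rcpt(transcript):
    """Return RCPT commands accepted after a sender rejection in the same transaction."""
    findings = []
    sender_rejected = False
    pending = None  # last client command still awaiting its final reply line
    for raw in transcript.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop e-mail quoting
        if line.startswith("<--"):
            pending = line[3:].strip()
            if re.match(r"(MAIL FROM|RSET|EHLO|HELO)\b", pending, re.I):
                sender_rejected = False  # a new mail transaction starts
        elif line.startswith("-->") and pending:
            reply = line[3:].strip()
            if re.match(r"\d{3}-", reply):
                continue  # intermediate line of a multi-line reply
            if pending.upper().startswith("RCPT TO"):
                if reply[:1] == "5" and "Sender address rejected" in reply:
                    sender_rejected = True
                elif reply[:1] == "2" and sender_rejected:
                    findings.append(pending)
            pending = None
        # lines without an arrow are wrapped reply text and are ignored
    return findings
```

An empty result means every RCPT TO in a transaction with a rejected sender was also rejected, which is what the first transcript shows.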