On Fri, Oct 17, 2008 at 10:06:50PM -1000, Julian Cowley wrote:

> Hello,
>
> Several months ago I discovered a problem with reject_unlisted_sender
> allowing through some mail that should have been blocked. I finally
> found the incentive to track it down and create a simple test case
> for it.
>
> The apparent problem is that reject_unlisted_sender in
> smtpd_recipient_restrictions doesn't work correctly when
> smtpd_delay_reject is set to no. If the sender address would be
> blocked by reject_unlisted_sender, the first RCPT TO blocks the
> invalid sender address as expected, but any RCPT TO sent afterward
> is accepted with a 250 OK.

The code expected explicit "reject_unlisted_sender" directives to be
used in smtpd_sender_restrictions, not "smtpd_recipient_restrictions".
This is where the implicit check is done when the explicit check is
not encountered first and smtpd_reject_unlisted_sender = yes.

The following anomalies are found otherwise:

    - smtpd_delay_reject = no, smtpd_reject_unlisted_sender = no
      and reject_unlisted_sender in the rcpt restrictions. In this
      case only the first recipient is rejected.

    - smtpd_delay_reject = yes, smtpd_reject_unlisted_sender = yes,
      and reject_unlisted_sender in the client or helo restrictions.
      In this case, after one recipient is rejected in the "helo" or
      "client" restrictions, the remaining ones are instead handled
      by the implicit code path in the sender checks.

For now, do not use "reject_unlisted_sender" outside the
smtpd_sender_restrictions list, where it should work correctly.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[EMAIL PROTECTED]>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
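
A configuration check for the advice in the reply above, as an added example that is not part of the original message or of Postfix: it parses a main.cf and reports every smtpd_*_restrictions list other than smtpd_sender_restrictions that contains reject_unlisted_sender. The sample configuration is constructed, the function names are hypothetical, and matching all smtpd_*_restrictions parameters generalizes beyond the client, helo and recipient lists named in the thread.

```python
import re

# Constructed sample main.cf (not from the thread): the explicit check sits
# in the recipient list, the placement the reply above says to avoid.
SAMPLE_MAIN_CF = """\
# constructed example
smtpd_delay_reject = no
smtpd_reject_unlisted_sender = no
smtpd_sender_restrictions =
    permit_mynetworks
smtpd_recipient_restrictions =
    permit_mynetworks,
    # comment lines may sit between continuation lines
    reject_unlisted_sender,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {parameter: value} following main.cf rules: blank lines and
    lines whose first non-blank character is '#' are ignored, a line starting
    with whitespace continues the previous logical line, and a later
    definition of a parameter overrides an earlier one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if name is not None:
                params[name] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        name = name.strip() if sep else None
        if name:
            params[name] = value.strip()
    return params

def misplaced_reject_unlisted_sender(text):
    """List smtpd_*_restrictions parameters, other than
    smtpd_sender_restrictions, that contain reject_unlisted_sender."""
    hits = []
    for name, value in parse_main_cf(text).items():
        if name == "smtpd_sender_restrictions" or not re.fullmatch(
                r"smtpd_\w+_restrictions", name):
            continue
        # Restriction lists are separated by commas and/or whitespace.
        if "reject_unlisted_sender" in re.split(r"[,\s]+", value):
            hits.append(name)
    return sorted(hits)
```

Restrictions referenced indirectly through smtpd_restriction_classes are not followed by this check.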