post...@corwyn.net wrote, at 04/10/2009 12:08 PM:
> Currently I block email with
> smtpd_sender_restrictions =
>     reject_unknown_sender_domain
>     check_sender_access hash:/etc/postfix/access
> smtpd_data_restrictions =
>     reject_multi_recipient_bounce
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unknown_sender_domain
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access hash:/etc/postfix/agencies
>     reject_unauth_destination
>     check_client_access hash:/etc/postfix/access
>     check_helo_access pcre:/etc/postfix/helo_checks
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client dnsbl.sorbs.net
>     reject_rbl_client cbl.abuseat.org
>
>
> I've got a customer who has their Mailer-Daemon address configured to
> respond with an invalid domain so they get rejected:
>
> Apr 9 16:53:44 agencymail postfix/smtpd[1703]: NOQUEUE: reject: RCPT
> from theirotherbutvalid.example.com [x.x.x.x]: 450 4.1.8
> <mailer-dae...@their.example.com>: Sender address rejected: Domain not
> found; from=<mailer-dae...@their.example.com> to=<u...@my.example.com>
> proto=ESMTP helo=<theirotherbutvalid.example.com>
>
>
> I'd like to be able to whitelist their.example.com so it won't reject
> (trying to convince them to fix it, but you know how it goes). With
> the above config, I think I would need to update /etc/postfix/access,
> but also change the order to:
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/access
>     reject_unknown_sender_domain
>
> would I also need to do something with reject_non_fqdn_sender ?

Yes, that would also need to follow the map. I recommend that you
dedicate separate maps to check_sender_access and check_client_access;
combining everything into one map is risky.

I use the default of smtpd_delay_reject = yes and organize everything
under smtpd_recipient_restrictions, so the pertinent part looks like
this:

    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/sender
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        ...
        reject_rbl_client ...

The addresses I want to whitelist are in /etc/postfix/sender:

    mailer-dae...@their.example.com    permit_auth_destination

Note that I'm only allowing delivery to my domains; they don't get
relay privileges.

If you want/need to continue using smtpd_sender_restrictions, you might
need a more elaborate configuration. Otherwise, put it under
smtpd_recipient_restrictions and be done with it.
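
Added example, not part of the original thread and not Postfix code: a simplified Python model of first-match evaluation for a single restriction list. It shows why the sender map has to precede the sender checks, and why the map action is permit_auth_destination rather than OK. All addresses and the set of resolvable domains are constructed, and the client is assumed to be neither in mynetworks nor SASL-authenticated.

```python
# Simplified model of Postfix's first-match evaluation of one restriction list.
# Not Postfix code. All addresses and the DNS set below are constructed.
MY_DOMAINS = {"my.example.com"}        # destinations this server is final for
RESOLVABLE = {"my.example.com", "elsewhere.example.net"}  # domains with DNS records
WHITELISTED = "bounces@their.example.com"  # constructed; domain has no DNS records

MAP_AFTER_DNS_CHECK = ["reject_non_fqdn_sender", "reject_unknown_sender_domain",
                       "reject_unauth_destination", "check_sender_access"]
MAP_FIRST = ["check_sender_access", "reject_non_fqdn_sender",
             "reject_unknown_sender_domain", "reject_unauth_destination"]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(restrictions, sender, rcpt, sender_map):
    """Return (verdict, deciding restriction); the first decisive result wins."""
    for name in restrictions:
        if name == "check_sender_access":
            action = sender_map.get(sender.lower(), "DUNNO")
            if action == "OK":                       # unconditional permit
                return "PERMIT", name
            if action == "permit_auth_destination" and domain(rcpt) in MY_DOMAINS:
                return "PERMIT", name                # otherwise keep evaluating
        elif name == "reject_non_fqdn_sender" and "." not in domain(sender):
            return "REJECT", name
        elif name == "reject_unknown_sender_domain" and domain(sender) not in RESOLVABLE:
            return "REJECT", name                    # the 450 4.1.8 seen in the log
        elif name == "reject_unauth_destination" and domain(rcpt) not in MY_DOMAINS:
            return "REJECT", name
    return "PERMIT", "end of list"

def demo():
    scoped = {WHITELISTED: "permit_auth_destination"}
    blanket = {WHITELISTED: "OK"}
    local, remote = "user@my.example.com", "someone@elsewhere.example.net"
    return {
        "map after DNS check, local rcpt": evaluate(MAP_AFTER_DNS_CHECK, WHITELISTED, local, scoped),
        "map first, local rcpt": evaluate(MAP_FIRST, WHITELISTED, local, scoped),
        "map first, remote rcpt": evaluate(MAP_FIRST, WHITELISTED, remote, scoped),
        "map first with OK, remote rcpt": evaluate(MAP_FIRST, WHITELISTED, remote, blanket),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the one to avoid: the envelope sender is supplied by the client, so an OK placed ahead of reject_unauth_destination would relay for anyone who uses that address.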