[email protected] wrote, at 04/10/2009 12:08 PM:
> Currently I block email with
> smtpd_sender_restrictions =
>     reject_unknown_sender_domain
>     check_sender_access hash:/etc/postfix/access
> smtpd_data_restrictions =
>     reject_multi_recipient_bounce
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unknown_sender_domain
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access hash:/etc/postfix/agencies
>     reject_unauth_destination
>     check_client_access hash:/etc/postfix/access
>     check_helo_access pcre:/etc/postfix/helo_checks
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client dnsbl.sorbs.net
>     reject_rbl_client cbl.abuseat.org
>
>
> I've got a customer who has their Mailer-Daemon address configured to
> respond with an invalid domain so they get rejected:
>
> Apr 9 16:53:44 agencymail postfix/smtpd[1703]: NOQUEUE: reject: RCPT
> from theirotherbutvalid.example.com [x.x.x.x]: 450 4.1.8
> <[email protected]>: Sender address rejected: Domain not
> found; from=<[email protected]> to=<[email protected]>
> proto=ESMTP helo=<theirotherbutvalid.example.com>
>
>
> I'd like to be able to whitelist their.example.com so it won't reject
> (trying to convince them to fix it, but you know how it goes). With
> the above config, I think I would need to update /etc/postfix/access,
> but also change the order to:
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/access
>     reject_unknown_sender_domain
>
> would I also need to do something with reject_non_fqdn_sender ?

Yes, that would also need to follow the map. I recommend that you
dedicate separate maps to check_sender_access and check_client_access;
combining everything into one map is risky. I use the default of
smtpd_delay_reject = yes and organize everything under
smtpd_recipient_restrictions, so the pertinent part looks like this:

smtpd_recipient_restrictions =
    ...
    check_sender_access hash:/etc/postfix/sender
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ...
    reject_rbl_client ...

The addresses I want to whitelist are in /etc/postfix/sender:

    [email protected] permit_auth_destination

Note that I'm only allowing delivery to my domains; they don't get relay
privileges.

If you want/need to continue using smtpd_sender_restrictions, you might
need a more elaborate configuration. Otherwise, put it under
smtpd_recipient_restrictions and be done with it.
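
A simplified model of the ordering point made in this thread, as an added example (not part of the original messages and not Postfix code): restrictions are evaluated in order and the first PERMIT or REJECT decides. The address bounce@their.example.com, the domains agency.example, good.example and elsewhere.example, and the DNS set are constructed; only exact-address map lookups are modelled.

```python
# Simplified model of Postfix restriction-list evaluation (not Postfix code).
# Each restriction returns PERMIT, REJECT or DUNNO; the first result that is
# not DUNNO decides the RCPT TO command. 4xx and 5xx replies are both REJECT here.

LOCAL_DOMAINS = {"agency.example"}               # constructed: domains we accept mail for
RESOLVABLE = {"agency.example", "good.example"}  # constructed: sender domains found in DNS
SENDER_MAP = {"bounce@their.example.com": "permit_auth_destination"}  # models /etc/postfix/sender

def domain(addr):
    return addr.rpartition("@")[2]

def permit_auth_destination(m):
    return "PERMIT" if domain(m["rcpt"]) in LOCAL_DOMAINS else "DUNNO"

def reject_unauth_destination(m):
    return "DUNNO" if domain(m["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def reject_non_fqdn_sender(m):
    return "DUNNO" if "." in domain(m["sender"]) else "REJECT"

def reject_unknown_sender_domain(m):
    return "DUNNO" if domain(m["sender"]) in RESOLVABLE else "REJECT"

def check_sender_access(m):
    # Exact-address lookup only; the map's right-hand side is itself a restriction.
    action = SENDER_MAP.get(m["sender"].lower())
    return RESTRICTIONS[action](m) if action else "DUNNO"

RESTRICTIONS = {f.__name__: f for f in (
    permit_auth_destination, reject_unauth_destination, reject_non_fqdn_sender,
    reject_unknown_sender_domain, check_sender_access)}

# Order from the reply (permit_mynetworks, SASL and RBL checks left out).
MAP_FIRST = ["check_sender_access", "reject_non_fqdn_sender",
             "reject_unknown_sender_domain", "reject_unauth_destination"]
# Same restrictions with the map consulted after the sender checks.
MAP_LAST = ["reject_non_fqdn_sender", "reject_unknown_sender_domain",
            "check_sender_access", "reject_unauth_destination"]

def evaluate(order, sender, rcpt):
    """Return (decision, restriction that made it) for one RCPT TO."""
    m = {"sender": sender, "rcpt": rcpt}
    for name in order:
        result = RESTRICTIONS[name](m)
        if result != "DUNNO":
            return result, name
    return "PERMIT", "end of list"

if __name__ == "__main__":
    for order in (MAP_FIRST, MAP_LAST):
        print(evaluate(order, "bounce@their.example.com", "user@agency.example"))
        print(evaluate(order, "bounce@their.example.com", "someone@elsewhere.example"))
```

In the reply's ordering a PERMIT from the map ends the list, so the reject_rbl_client checks later in smtpd_recipient_restrictions are not applied to that sender. The envelope sender is not authenticated, so such map entries are best kept to specific addresses.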