On Tue, Jan 19, 2010 at 11:34:13AM +0530, J. Bakshi wrote:
> I am trying to drop outgoing emails having particular email-id in
> its [TO] field. Say myn...@domain1.com and myna...@domain2.com,
> hence any mail destined for myn...@domain1.com or
> myna...@domain2.com will be dropped. To achieve this I have made a
> file sender_reject with following entry
>
> ```
> myn...@domain1.com REJECT
> myn...@domain2.com REJECT
> ```

"REJECT" does not mean "drop". Refer again to the actions part of the access(5) man page. Decide what it is that you really want to do. Generally, rejection is best.

> and now generating the hash map by "postmap sender_reject"
>
> main.cf has
>
> ```
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> check_relay_domains,
> ```

check_relay_domains was deprecated years ago, perhaps you should (re)visit the BASIC_CONFIGURATION_README and update your configuration?

> ```
> check_sender_access hash:/etc/postfix/sender_reject
> ```
>
> After restarting the postfix I sent an email with mail command like
>
> ```
> mail myn...@domain1.com
> ```
>
> and the mail was delivered !!!. It should be dropped by postfix.

No. There is a great deal of confusion here.

First, your mailx(1) command uses sendmail(1) submission. It does not use smtpd(8), therefore no restrictions apply.

Second, think about what the "sender" part of "check_sender_access" means. Does "sender" mean the address the mail is "TO"? What does "recipient" mean?

IMPORTANT HINT: the "mumble" part of any check_mumble_access restriction tells you what part of the SMTP envelope or transaction is being checked.

The solutions to this problem vary depending on what you think the problem is. If you simply didn't understand the above about your "mail" command, next time use a SMTP-client MUA to test smtpd restrictions.

According to the incomplete information presented, the mail should possibly have been accepted by "check_relay_domains". To reject it, obviously, do not expect a check_sender_access lookup to act on a recipient address. With a check_recipient_access lookup and a SMTP-client MUA, this might have been rejected. The MUA would have seen, and perhaps presented the user, with an error message.

> Have I done any mistake/wrong configuration here ?

If the problem is that you have untrusted users with shell access, I strongly recommend that you remove those users. You will have much greater risks than having these users send mail as a prohibited sender address, or to a prohibited recipient. I don't think you sound prepared to handle those risks. (I don't think I am, either, FWIW.)

If you do want to limit the ability of shell users to submit mail, see postconf.5.html#authorized_submit_users to block access to sendmail. There is no good way to control the addresses (sender nor recipient) used by a shell user of sendmail.

--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
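
The corrections described in the reply above, put together as an added configuration sketch; it is not part of the original thread or anyone's actual setup. The file name recipient_reject, the example.* addresses and the account name shelluser are placeholders, and reject_unauth_destination is used here as the replacement for the deprecated check_relay_domains.

```conf
# --- /etc/postfix/recipient_reject --------------------------------------
# Looked up with the RCPT TO (recipient) address, so it pairs with
# check_recipient_access. Placeholder addresses, constructed for this example.
blocked-user@example.com     REJECT
blocked-user@example.net     REJECT
# Per access(5), REJECT refuses the mail and the client sees an error.
# DISCARD is the action that reports success and silently drops the mail:
# blocked-user@example.org   DISCARD

# Rebuild the lookup table after every edit:
#   postmap /etc/postfix/recipient_reject

# --- /etc/postfix/main.cf -----------------------------------------------
# Before (as posted): the table is consulted with the MAIL FROM address,
# and permit_sasl_authenticated is evaluated first.
#   smtpd_recipient_restrictions = permit_sasl_authenticated,
#       check_relay_domains,
#       check_sender_access hash:/etc/postfix/sender_reject

# After: restrictions are evaluated in order and the first match decides,
# so the recipient lookup goes ahead of permit_sasl_authenticated if it
# should also bind authenticated clients. Keep only REJECT/DISCARD-style
# results in a table placed ahead of reject_unauth_destination; an OK
# result there would permit relaying.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/recipient_reject,
    permit_sasl_authenticated,
    reject_unauth_destination

# smtpd restrictions never see sendmail(1) submissions (mail/mailx).
# authorized_submit_users limits who may submit that way; "shelluser" is
# a placeholder account name.
authorized_submit_users = !shelluser, static:anyone
```

After `postfix reload`, verify the rejection with a client that speaks SMTP to smtpd(8); a test with mail(1) bypasses these restrictions entirely.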