On Thu, Mar 25, 2010 at 05:43:11PM +0000, Jamie Griffin wrote:
> > You need to understand the documentation of
> > parent_domain_matches_subdomains. Unfortunately, I don't know
> > enough to explain it to you. :) But I'm fairly sure in your case
> > that the leading dot pattern was not looked up. I unset this:
> >     parent_domain_matches_subdomains =
> > so, for me, something similar (with ihost.com) is what worked.
>
> I had briefly looked at that setting earlier but thought just
> using the .domain.tld notation would be ok. Just having another
> read about that, it looks as though I need to set it like this:
>
> /usr/pkg/etc/postfix/main.cf:
> [ ... ]
> parent_domain_matches_subdomains = smtpd_access_maps
> [ ... ]
>
> is that right?

No. If you tell Postfix to match subdomains, the lookup that does
this is the domain name WITHOUT the leading dot. For example, this:

    ihost.com    permit_auth_destination

would match for a check_sender_access lookup of
i...@low1ap106.infra.secaucus.mebs.ihost.com . (Maybe my complaint
went up the line, because I see that name now has an A record. Go
figure!)

If you unset parent_domain_matches_subdomains as I suggested, the
lookup would be this, with the leading dot:

    .ihost.com    permit_auth_destination

If you have a parent_domain_matches_subdomains list which does NOT
include smtpd_access_maps, I am not sure how that is handled. My
guess is that the leading dot lookup is used.

> I also understood that using the $smtpd_sender_restrictions
> parameter would be the right way to whitelist this domain for what
> I'm trying to achieve, have I got that right?

You have what is IMO an unwieldy and hard-to-manage set of smtpd
restrictions. Personally, I prefer keeping most or all restrictions
in a single stage, smtpd_recipient_restrictions.

However, IIRC from your OP, you did have the
reject_unknown_sender_domain only in smtpd_sender_restrictions.
Therefore yes, you are right. But to understand why, you should know
that reject_unknown_sender_domain caused your rejection. Anywhere
you use that restriction, you must precede it with your whitelist
lookup.

Ugh. Do consider standing up for the principle of requiring senders
to use real domains in their email addresses. I would have done so
myself, but I knew they were not going to resend the bounced email.
:) (IIRC it was just a copy of my invoice, which I had from my Web
browser anyway.)
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
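
The bare-domain versus leading-dot lookup discussed in this message, as an added example that is not part of the original post and is not Postfix code: a simplified model of the key order documented in access(5) for an address lookup. The function names and the sender address are constructed for illustration; only the two table entries come from the thread.

```python
# Simplified model of how a Postfix access(5) table is searched for a
# sender address. Not Postfix source code; names here are hypothetical.

def access_lookup_keys(address, parent_style):
    """Return the keys tried, in order, for one address.

    parent_style=True  : smtpd_access_maps is listed in
                         parent_domain_matches_subdomains (bare parents).
    parent_style=False : it is not listed (parents tried as ".domain").
    """
    local, _, domain = address.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    rest = domain
    while "." in rest:
        rest = rest.split(".", 1)[1]          # strip the leftmost label
        keys.append(rest if parent_style else "." + rest)
    keys.append(f"{local}@")
    return keys


def check_access(table, address, parent_style):
    """Return (matching_key, action); (None, "DUNNO") when nothing matches."""
    for key in access_lookup_keys(address, parent_style):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


# Constructed sample data: the two table styles discussed in the thread.
BARE = {"ihost.com": "permit_auth_destination"}
DOTTED = {".ihost.com": "permit_auth_destination"}
SENDER = "sender@mail.sub.ihost.com"   # constructed address

if __name__ == "__main__":
    for name, table in (("bare", BARE), ("dotted", DOTTED)):
        for style in (True, False):
            print(name, "parent_style=%s" % style,
                  check_access(table, SENDER, style))
```

A table entry written in the style that does not match the active setting falls through to DUNNO, so the whitelist never fires and a later reject_unknown_sender_domain still rejects the sender.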