On 6/23/2010 12:15 PM, Phil Howard wrote:
The default for smtpd_reject_unlisted_recipient is yes.  How does that
affect using reject_unlisted_recipient in
smtpd_recipient_restrictions?

It allows you to control *when* the check is performed.


Does it mean it is effectively included
whether you include it or not?

It means the default is to check for unlisted recipients after smtpd_recipient_restrictions are evaluated.

I presume I still need to list other
things like "smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated" so I don't see the point in having a
separate smtpd_reject_unlisted_recipient.

It's about controlling when the check takes place.
Some people like to reject unlisted recipients before other (maybe more expensive) checks. Some people like to reject connections for RBL or blacklist before checking recipients to not "leak" information about valid recipients.

It's about choice and local policy; either way is valid.


I had "smtpd_reject_unlisted_recipient = yes" but it doesn't seem to
work (it still accepts mail for unknown/non-existent recipients and
sends a bounce back).

Then you broke recipient validation. The most frequent cause of this is wildcard "@domain1 @domain2" entries in either virtual_alias_maps or *canonical_maps.

Bounces can also happen if your postfix rejects mail relayed from an upstream MTA, such as from your ISP or company gateway. In this case the upstream MTA generates the bounce.


This is not the only variation I have tried, but here is where I am at
the moment:

...
default_destination_concurrency_limit = 2

Very low.  The default value is usually sufficient.

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient

reject_unknown_recipient_domain after reject_unauth_destination can only reject your own domain. Think about it... then remove it.


soft_bounce = yes

Only for testing! Make sure to remove this once testing is completed.


unknown_local_recipient_reject_code = 450

Only for testing! Make sure to remove this once testing is completed.

unverified_recipient_reject_code = 450

Usually only for testing. Probably change this to 550 when testing is complete.

virtual_alias_maps = cdb:/etc/postfix/virtual
virtual_mailbox_domains = /etc/postfix/domains
virtual_transport = dovecot


  -- Noel Jones
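
An added example, not part of the original message or of Postfix itself: a small Python check that flags the settings the reply calls out (testing-only `soft_bounce` and 4xx reject codes, `reject_unknown_recipient_domain` placed after `reject_unauth_destination`, and catch-all `@domain` keys in an alias map). The sample `main.cf` text, the alias map and the function names are constructed for illustration.

```python
import re

# Constructed sample input modelled on the settings quoted in the thread.
SAMPLE_MAIN_CF = """\
soft_bounce = yes
unknown_local_recipient_reject_code = 450
unverified_recipient_reject_code = 450
smtpd_recipient_restrictions =
    permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_unknown_recipient_domain
    reject_unverified_recipient
"""
# Constructed alias map: the first key is a catch-all for the whole domain.
SAMPLE_VIRTUAL = """\
@example.org        @example.net
info@example.org    alice@example.net
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; continuation lines start with whitespace."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0] in " \t" and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def audit(main_cf, virtual_map=""):
    """Return a list of findings for the issues raised in the reply."""
    p, findings = parse_main_cf(main_cf), []
    if p.get("soft_bounce", "no") == "yes":
        findings.append("soft_bounce=yes: testing only, remove afterwards")
    for key in ("unknown_local_recipient_reject_code", "unverified_recipient_reject_code"):
        if p.get(key, "").startswith("4"):
            findings.append(f"{key}={p[key]}: temporary code, testing only")
    # Position of each restriction; a missing one can never satisfy the test below.
    pos = {r: i for i, r in enumerate(re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions", "")))}
    if pos.get("reject_unknown_recipient_domain", -1) > pos.get("reject_unauth_destination", len(pos)):
        findings.append("reject_unknown_recipient_domain after reject_unauth_destination: remove it")
    for entry in virtual_map.splitlines():
        fields = entry.split()
        if fields and fields[0].startswith("@"):
            findings.append(f"wildcard alias {fields[0]}: breaks recipient validation")
    return findings
```

Calling `audit(SAMPLE_MAIN_CF, SAMPLE_VIRTUAL)` returns one finding per issue; feed it the output of `postconf -n` and the text of the alias map source to check a real host.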
