On Mon, 14 Feb 2011 16:52:42 -0600, Stan Hoeppner <s...@hardwarefreak.com> wrote:
> Per-Erik Persson put forth on 2/14/2011 4:17 PM:
>> I have recently found out the beauty of restriction classes.
>> So to reject senders from certain sites that usually misspell their sender
>> address I have set up the following:
>>
>>
>> smtpd_restriction_classes = verify_client_sender
>> verify_client_sender = reject_unverified_sender, permit
>>
>> smtpd_client_restrictions =
>>     check_client_access hash:/etc/postfix/client-access,
>>     check_client_access pcre:/etc/postfix/client-pcre-access,
>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     permit
>>
>> client-access looks like this:
>> hostname_of_misspelled sender_1 verify_client_sender
>> hostname_of_misspelled sender_2 verify_client_sender
>> bla bla bla other hosts i dislike
>>
>>
>> It works!
>> But the sender (roundcube webmail) gets the error message "450 could not add
>> recipient"
>> It is not the recipient address that postfix blocks the email on, it is the
>> sender address.
>> Can I give a better error message to the users that insist on changing
>> their sender addresses, explaining why the email is rejected?
>
> http://www.postfix.org/postconf.5.html#reject_unverified_sender
>
> Just a friendly sanity check: Are you sure that doing forward SAV is what you
> really want to be doing to solve this problem? AIUI there are basically two
> downsides to forward SAV:
>
> 1. Some MX hosts will "lie" in response to the probe, then reject actual mail
> delivery attempts later, depending on which smtp phase in which they do the
> actual mailbox address verification. Honestly, I'm not fully versed on how
> Wietse does the probes in Postfix, so this may or may not be an issue with the
> Postfix SAV probe implementation. Historically it has been an issue in the
> larger world of smtp.
>
> 2. Some sites frown on forward SAV probes, period, especially high volume
> receivers. The reason here should be obvious.

I am aware of the problems with smtp sender verification. However, in this case the sending servers are most likely webmail clients that don't always get the sender address correct. Most likely the sender address will point to my mx servers so that should not be a problem. And if the sender address points to gmail and gmail says "oh no, no such user" I will consider that a good thing. Quite a lot of people should be caught if the sender doesn't have a valid mx record, since that was the "only" check earlier. The proper solution would be to teach people to do copy/paste on email addresses instead of just guessing :-)
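
An added example, not part of the original thread and not either poster's configuration: a main.cf fragment that keeps the restriction class from the quoted message and sets the reply text returned when sender verification fails. It assumes Postfix 2.6 or later, where unverified_sender_reject_reason is available; the reason wording is a constructed sample.

```ini
# /etc/postfix/main.cf (added example; assumes Postfix >= 2.6)

# Restriction class from the quoted message, unchanged.
smtpd_restriction_classes = verify_client_sender
verify_client_sender = reject_unverified_sender, permit

# Text sent to the client when the sender address fails the
# verification probe. Constructed sample wording; it replaces the
# default reason text in the SMTP reply.
unverified_sender_reject_reason =
    Sender address could not be verified, please check it for typos

# Reply code for a failed probe. The default is 450, a temporary
# failure, which matches the "450" the webmail client reported.
# Uncomment to make the rejection permanent instead:
#unverified_sender_reject_code = 550
```

With the default smtpd_delay_reject = yes, Postfix evaluates smtpd_client_restrictions at RCPT TO, so the rejection arrives as the answer to the recipient command even though the sender address is what failed. Whether a webmail client shows the server's reply text to the user depends on the client.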