On 15/02/2011 07:36, Per-Erik Persson wrote:
> On Mon, 14 Feb 2011 16:52:42 -0600, Stan Hoeppner <s...@hardwarefreak.com> wrote:
>> Per-Erik Persson put forth on 2/14/2011 4:17 PM:
>>> I have recently found out the beauty of restriction classes.
>>> So to reject senders from certain sites that usually misspell their sender
>>> address I have set up the following:
>>>
>>> smtpd_restriction_classes = verify_client_sender
>>> verify_client_sender = reject_unverified_sender, permit
>>>
>>> smtpd_client_restrictions =
>>>     check_client_access hash:/etc/postfix/client-access,
>>>     check_client_access pcre:/etc/postfix/client-pcre-access,
>>>     permit_mynetworks,
>>>     permit_sasl_authenticated,
>>>     permit
>>>
>>> client-access looks like this:
>>> hostname_of_misspelled sender_1 verify_client_sender
>>> hostname_of_misspelled sender_2 verify_client_sender
>>> bla bla bla other hosts i dislike
>>>
>>> It works!
>>> But the sender (roundcube webmail) gets the error message "450 could not add
>>> recipient"
>>> It is not the recipient address that postfix blocks the email on, it is the
>>> sender address.
>>> Can I give a better error message to the users that insist on changing
>>> their sender addresses, explaining why the email is rejected?
>>
>> http://www.postfix.org/postconf.5.html#reject_unverified_sender
>>
>> Just a friendly sanity check: Are you sure that doing forward SAV is what you
>> really want to be doing to solve this problem? AIUI there are basically two
>> downsides to forward SAV:
>>
>> 1. Some MX hosts will "lie" in response to the probe, then reject actual mail
>> delivery attempts later, depending on which smtp phase in which they do the
>> actual mailbox address verification. Honestly, I'm not fully versed on how
>> Wietse does the probes in Postfix, so this may or may not be an issue with the
>> Postfix SAV probe implementation. Historically it has been an issue in the
>> larger world of smtp.
>>
>> 2. Some sites frown on forward SAV probes, period, especially high volume
>> receivers. The reason here should be obvious.
>
> I am aware of the problems with smtp sender verification.
> However in this case the sending servers are most likely webmail clients
> that don't always get the sender address correct.

what is the ratio of mail where senders mistype addresses? 0.00001%?

> Most likely the sender address will point to my mx servers so that should
> not be a problem.
> And if the sender address points to gmail and gmail says "oh no, no such
> user" I will consider that a good thing.

if you do SAV, then you'd better minimise this (only do that after spam checks, rate limit, ....

if you don't, then you'll be blacklisted.

> Quite a lot of people should be caught if the sender doesn't have a valid
> mx record, since that was the "only" check earlier.

an MX record isn't mandatory. an A record is enough. but anyway, such checks were abandoned here, because they only blocked "legit" mail.

>
> The proper solution would be to teach people to do copy/paste on
> email addresses instead of just guessing :-)

No, the proper solution is to do _your_ job and forget about teaching anybody.
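
An added example, not part of any message in this thread: a main.cf fragment that keeps the restriction class quoted above and sets the reply Postfix returns when reject_unverified_sender fires, which is what the original question asks for. The reason text is a constructed sample, unverified_sender_reject_reason, unverified_sender_defer_code and unverified_sender_tempfail_action assume Postfix 2.6 or later, and whether a webmail front end shows the server's text to its user depends on that front end.

```ini
# /etc/postfix/main.cf (added example, not from the thread)

# Restriction class from the original post, unchanged.
smtpd_restriction_classes = verify_client_sender
verify_client_sender = reject_unverified_sender, permit

# With smtpd_delay_reject = yes (the default), client and sender
# restrictions are evaluated at RCPT TO, so the rejection is reported
# in reply to the recipient command even though the sender is at fault.
smtpd_delay_reject = yes

# Text sent in the SMTP reply when the probe shows that the sender
# address is undeliverable. Constructed sample wording.
unverified_sender_reject_reason = Sender address rejected: this From address does not exist, please correct the sender identity in your mail client

# Default is 450, which makes the client retry. Switch to 550 only once
# the verification results are trusted, so that the rejection is permanent.
unverified_sender_reject_code = 450

# A probe that fails for a temporary reason defers the mail instead of
# rejecting it (these are the defaults, shown for clarity).
unverified_sender_tempfail_action = defer_if_permit
unverified_sender_defer_code = 450

# Cached results limit how often remote sites are probed, which is the
# concern raised in the replies. Values shown are the Postfix defaults.
address_verify_positive_expire_time = 31d
address_verify_negative_expire_time = 3d
```

After editing, `postfix check` followed by `postfix reload` applies the change, and `postconf -n` lists the non-default settings in effect.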