On Tue, Mar 15, 2011 at 07:56:22PM +0100, Reindl Harald wrote:

> what i do not understand is why "reject_unlisted_sender" would not reject
> a mail from outside sender "reindl.har...@gmail.com" because this
> sender-verify

Don't confuse address validity checks with ingress/egress filtering.
These checks don't attempt to determine whether a particular address
is permitted in mail flowing in a particular direction (in or out).

To limit which sender domains are valid for inbound vs. outbound mail,
it is best to separate the inbound and outbound email services, and
apply appropriate policies on each one.

Checking for authentication is a "weak" form of determining whether
email is flowing in vs. out. As is placement of checks after
permit_sasl_authenticated (thus likely inbound) or permit_auth_destination
(thus likely outbound).

    smtpd_sender_restrictions =
        permit_auth_destination,
        ... additional checks for outgoing mail ...

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        ... additional checks for inbound mail ...

The above does not do an exact job of setting policy for internal
senders, since some internal senders send mail to internal recipients.
It is far better to run two separate services each with simpler policies
that apply just to the service at hand.

--
Viktor.
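
Added example, not part of Viktor's message: one way to lay out the two separate services he recommends, with a port 25 listener for inbound mail and a submission listener for outbound mail, each with its own sender policy. The domain example.com, the table file names and the mx_*/mua_* parameter names are assumptions chosen for illustration.

```conf
# ---- /etc/postfix/master.cf ----
# Inbound (MX) service on port 25: SASL is off, so every client is an
# outside sender and the policy only has to describe inbound mail.
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_sender_restrictions=$mx_sender_restrictions
  -o smtpd_recipient_restrictions=$mx_recipient_restrictions

# Outbound (submission) service on port 587: authenticated users only,
# so the policy only has to describe outbound mail.
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions

# ---- /etc/postfix/main.cf ----
# Traditional "-o name=value" overrides cannot contain spaces, so the
# restriction lists live here under user-defined (assumed) names.
mx_sender_restrictions =
    check_sender_access hash:/etc/postfix/inbound_sender_access
mx_recipient_restrictions =
    reject_unauth_destination
mua_sender_restrictions =
    check_sender_access hash:/etc/postfix/outbound_sender_access,
    reject
mua_recipient_restrictions =
    permit_sasl_authenticated,
    reject

# ---- /etc/postfix/inbound_sender_access (constructed sample) ----
# Outside clients may not claim a sender address in our own domain.
example.com    REJECT local senders must use the submission service

# ---- /etc/postfix/outbound_sender_access (constructed sample) ----
# Authenticated users may only send as our own domain.
example.com    OK
```

Both lookup tables need `postmap` run on them before Postfix can read them. Rejecting the local domain as an inbound sender also rejects mail from outside forwarders that preserve the original envelope sender, so check the inbound logs before enforcing it.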