On 15.03.2011 20:14, Victor Duchovni wrote:
> On Tue, Mar 15, 2011 at 07:56:22PM +0100, Reindl Harald wrote:
>
>> what i do not understand is why "reject_unlisted_sender" would not reject
>> a mail from outside sender "reindl.har...@gmail.com" because this
>> sender-verify
>
> Don't confuse address validity checks with ingress/egress filtering. These
> checks don't attempt to determine whether a particular address is
> permitted in mail flowing in a particular direction (in or out).
>
> To limit which sender domains are valid for inbound vs. outbound mail,
> it is best to separate the inbound and outbound email services, and
> apply appropriate policies on each one.
>
> Checking for authentication is a "weak" form of determining whether
> email is flowing in vs. out. As is placement of checks after
> permit_sasl_authenticated (thus likely inbound) or
> permit_auth_destination (thus likely outbound).
>
>     smtpd_sender_restrictions =
>         permit_auth_destination,
>         ... additional checks for outgoing mail ...
>
>     smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         ... additional checks for inbound mail ...
>
> The above does not do an exact job of setting policy for internal senders,
> since some internal senders send mail to internal recipients. It is far
> better to run two separate services each with simpler policies that apply
> just to the service at hand.

i tried it some minutes ago on the live-machine and it works beautifully

Mar 15 20:08:01 mail postfix/smtpd[28859]: NOQUEUE: reject: RCPT from rh.thelounge.net[10.0.0.99]: 550 5.1.0 <h.reindl-inva...@thelounge.net>: Sender address rejected: User unknown in local recipient table; from=<h.reindl-inva...@thelounge.net> to=<h.rei...@thelounge.net> proto=ESMTP helo=<[10.0.0.99]>

Mar 15 20:06:54 mail postfix/qmgr[28823]: E3893B6: from=<reindl.har...@gmail.com>, size=3577, nrcpt=1 (queue active)
Mar 15 20:06:55 mail postfix/lmtp[28836]: E3893B6: to=<h.rei...@thelounge.net>, relay=127.0.0.1[127.0.0.1]:24, delay=0.1, delays=0.01/0.01/0/0.08, dsn=2.0.0, status=sent (215 Recipient <h.rei...@thelounge.net> OK)
_________________________

smtpd_helo_restrictions =
    permit_mynetworks,
    reject_authenticated_sender_login_mismatch,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

smtpd_sender_restrictions =
    reject_unlisted_sender,
    permit_mynetworks,
    reject_authenticated_sender_login_mismatch,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain

smtpd_recipient_restrictions =
    reject_unlisted_sender,
    permit_mynetworks,
    reject_authenticated_sender_login_mismatch,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_rbl_client dnsbl-1.uceprotect.net,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    check_recipient_access mysql:/etc/postfix/mysql-spamfilter.cf
_________________________

i love this software and this mailing-list :-)
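
Added example, not part of the original message and not Postfix code: a simplified Python model of first-match restriction evaluation, illustrating the point in the quoted reply that reject_unlisted_sender tests address validity, not mail direction. The domain example.org, the mailbox, the network, the session fields and all function bodies are constructed assumptions, and only four restrictions are modelled.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
LOCAL_DOMAINS = {"example.org"}
MAILBOXES = {"alice@example.org"}
MYNETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def reject_unlisted_sender(s):
    # Only a sender in a domain we host can be "unlisted". A remote domain
    # has no recipient table here, so the check gives no verdict (None).
    if domain(s["sender"]) in LOCAL_DOMAINS and s["sender"].lower() not in MAILBOXES:
        return "REJECT"

def permit_mynetworks(s):
    if any(ipaddress.ip_address(s["client"]) in net for net in MYNETWORKS):
        return "PERMIT"

def permit_sasl_authenticated(s):
    if s.get("sasl_user"):
        return "PERMIT"

def reject_unauth_destination(s):
    # Simplified: accept mail only for domains we host (no relay domains).
    if domain(s["rcpt"]) not in LOCAL_DOMAINS:
        return "REJECT"

RESTRICTIONS = [reject_unlisted_sender, permit_mynetworks,
                permit_sasl_authenticated, reject_unauth_destination]

def evaluate(session, restrictions=RESTRICTIONS):
    """The first restriction that returns a verdict wins; none means permit."""
    for check in restrictions:
        verdict = check(session)
        if verdict:
            return verdict, check.__name__
    return "PERMIT", "end of list"

if __name__ == "__main__":
    inside = {"client": "10.0.0.99", "sender": "typo@example.org", "rcpt": "alice@example.org"}
    outside = {"client": "192.0.2.7", "sender": "someone@example.net", "rcpt": "alice@example.org"}
    forged = dict(outside, sender="alice@example.org")
    for name, s in [("inside, unknown local sender", inside),
                    ("outside, remote sender", outside),
                    ("outside, valid local sender", forged)]:
        print(name, "->", evaluate(s))
```

The third case passes reject_unlisted_sender because the address exists, which is why the quoted advice is to enforce direction with separate inbound and outbound services rather than with this check.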