On Thu, Apr 07, 2011 at 06:42:22PM +0200, G?bor L?n?rt wrote:
> On Thu, Apr 07, 2011 at 12:20:51PM -0400, Victor Duchovni wrote:
> > On Thu, Apr 07, 2011 at 05:57:24PM +0200, G?bor L?n?rt wrote:
> >
> > > > Instead, Postfix requires that you have one or more of (reject,
> > > > reject_unauth_destination, etc.) SOMEWHERE in
> > > > sender_recipient_restrictions.
> > >
> > > I have the needed rejects at the sender, but not at the recipient,
> > > because I
> > > have the idea that if I reject "unwanted" things at the sender, I am safe
> > > not to do the same restrictions at the recipient restrictions.
> >
> > You are confused. The above is simply wrong. Either the timing is
> > identical for both checks, and you gain nothing, or critical data (the
> > recipient domain) is missing at sender stage (if smtpd_delay_reject=no,
> > which is not recommended).
>
> I meant that I rejected everything at the sender restrictions which are
> based on information available at sender or maybe even earlier. Of course,
> information like recipient based things can't be rejected at the sender,
> it's done at the recipient.
That's not how it works. Either you can't validate that the recipient domain
is yours and you are not relaying, because the check is at "MAIL FROM:"
(smtpd_delay_reject = no, which is not recommended), or else, you can make
the check in the sender-restrictions, but "reject_unath_destination" really
belongs in the "recipient" checks, and your configuration is unnecessarily
twisted. Just move all the checks to the recipient restrictions.
> Ok, I've tried to do what I want (it seems to work ... but hmmm), the
> important part:
>
> smtpd_sender_restrictions =
> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain,
> check_sender_access pcre:/etc/postfix/check_address_syntax.pcre,
> check_sender_access mysql:/etc/postfix/banned_senders.sql,
> check_sender_mx_access cidr:/etc/postfix/mx_access.cidr,
> permit_sasl_authenticated,
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_unknown_helo_hostname,
> check_client_access cidr:/etc/postfix/ip_based_relay.cidr,
> check_client_access ldap:/etc/postfix/ip_based_relay.ldap,
> reject
> smtpd_recipient_restrictions =
> reject_unauth_pipelining,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> check_recipient_access pcre:/etc/postfix/check_address_syntax.pcre,
> check_recipient_access mysql:/etc/postfix/banned_rcpts.sql,
> check_recipient_mx_access cidr:/etc/postfix/mx_access.cidr,
> check_recipient_access static:OK,
> reject
This is a broken open relay. Which domains are yours? Where is the
reject_unauth_destination check?
--
Viktor.
