On 4/20/2011 12:01 PM, Jay G. Scott wrote:
> hi,
>
> here's my problem, which i think i cannot do w/in postfix.
>
> i'm going to have to allow mail to get delivered (in principle,
> not in fact) to all machines of the form
>       *.arlut.utexas.edu
> i'm partly unable, partly unwilling to generate a relay recipient map
> that contains this:
> <all possible users>@<entire list of machines>.arlut.utexas.edu OK
> anyway, that might allow some mail to go places i don't want it to go.
> and doing the list properly isn't feasible because i just won't get
> the cooperation i'd need from the users.

To prevent backscatter, you need either the relay map you mentioned, or
reject_unverified_recipient.
However, you should not reject_unverified_recipient globally as it
causes probes all over the internet.
Some mail administrators do not like that and may slow down high volume
sites.
Instead do something like:

check_recipient_access hash:${config_directory}/relay_check

relay_check:
#assume mail you are responsible for is example.com and all subdomains
example.com reject_unverified_recipient
#the following line prevents issues if you change parent_domain_matches_subdomains
.example.com reject_unverified_recipient

This will check all of your controlled addresses and cache them for a
time.  (See http://www.postfix.org/ADDRESS_VERIFICATION_README.html for
more details)

> (office politics, ultimately.  don't ask.)
>
> is there a way to accomplish this?  i can't do this (right?)
> user@*.arlut.utexas.edu OK
> at least, i can't find that kind of thing documented.

It is documented. Please see
http://www.postfix.org/postconf.5.html#relay_domains

Brian
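
Why the relay_check table in the reply above carries both an example.com and a .example.com key, as an added example (not part of the original message and not Postfix code): a simplified Python model of access(5) domain matching. It covers the domain part of the recipient only; the function names and sample recipients are constructed for illustration.

```python
# Simplified model of Postfix access(5) domain matching (illustrative only).
# Constructed table mirroring the relay_check file in the reply above.
ACTION = "reject_unverified_recipient"
RELAY_CHECK = {"example.com": ACTION, ".example.com": ACTION}


def lookup_action(recipient, table, parent_matches_subdomains=True):
    """Return the table action for a recipient, or None (no match).

    parent_matches_subdomains=True models smtpd_access_maps being listed
    in parent_domain_matches_subdomains; False models it being removed.
    Assumption: user@domain and user@ keys are not modelled.
    """
    domain = recipient.rpartition("@")[2].lower()
    # 1. The recipient's exact domain is always tried first.
    if domain in table:
        return table[domain]
    # 2. Then each parent domain, one label at a time.
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # Listed: a bare "domain.tld" key matches subdomains.
        # Not listed: only a ".domain.tld" key matches subdomains.
        key = parent if parent_matches_subdomains else "." + parent
        if key in table:
            return table[key]
    return None


def unverified_recipients(recipients, table, parent_matches_subdomains):
    """Recipients that would be accepted without a verification probe."""
    return [r for r in recipients
            if lookup_action(r, table, parent_matches_subdomains) is None]


if __name__ == "__main__":
    # Constructed sample recipients.
    sample = ["user@example.com", "user@host.example.com"]
    bare_only = {"example.com": ACTION}
    for listed in (True, False):
        print("smtpd_access_maps listed:", listed)
        print("  both keys, unverified:", unverified_recipients(sample, RELAY_CHECK, listed))
        print("  bare key only, unverified:", unverified_recipients(sample, bare_only, listed))
```

With only the bare key, subdomain recipients stop being verified as soon as smtpd_access_maps is dropped from parent_domain_matches_subdomains, which reopens the backscatter path for those hosts.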
