On 8/5/2012 10:54 PM, email builder wrote:
> I seek clarification about reject_unlisted_recipient and
> smtpd_reject_unlisted_recipient
>
> If smtpd_reject_unlisted_recipient is enabled, WHEN does this check take
> place in the scheme of smtpd_*_restrictions?

Think of it as being silently added after smtpd_recipient_restrictions.

> I'm not sure, but it looks like it might happen only if and after a PERMIT in
> the recipient restrictions? Can someone say for certain if/when/where this
> check happens?

It happens after smtpd_recipient_restrictions regardless of the presence of an explicit PERMIT, assuming the recipient hasn't been rejected by some previous rule.

>
> If smtpd_reject_unlisted_recipient is enabled, what effect does adding
> reject_unlisted_recipient to smtpd_*_restrictions have? Is one or the other
> ignored?

A particular recipient is only checked once. You get to pick if it's checked by the built-in smtpd_reject_unlisted_recipient or by an explicit reject_unlisted_recipient.

>
> If only using reject_unlisted_recipient, I think it would need to be located
> in smtpd_*_restrictions before things like permit_mynetworks, otherwise local
> senders will cause bounces for sending to invalid addresses instead of
> getting an immediate rejection.

Yes; you get to choose for flexibility. Some folks like internal users to get an immediate reject. Some embedded systems (printers, scanners, etc.) react badly to reject and need a bounce to an administrative address.

> Is this right? If smtpd_reject_unlisted_recipient forces the check to
> happen after a PERMIT (see my first question), that's a better solution for
> this because otherwise external systems can use it as an address verify
> service??

That's a very minor concern. Others feel that it's best to reject the client for whatever reason as quickly and efficiently as possible. Since the unlisted recipient check is usually a local table lookup, it's a quick and cheap test. But again, you get to choose.

Regardless, it's probably a good idea to place the unlisted recipient check AFTER a few basic anti-spam tests -- postscreen is excellent for this.

Some folks use fail2ban or similar to auto-block offenders (X unknown users within N seconds) for a period of time. It's not clear if this is worthwhile, but it's easy and it might make you feel better.

  -- Noel Jones
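
The two placements discussed in this thread, written out as main.cf settings. This is an added illustration, not part of the original message; the rest of the restriction list (permit_sasl_authenticated, reject_unauth_destination) is an assumed typical setup, and only one variant should be active at a time.

```ini
# Variant 1: built-in check (assumed layout of the other restrictions).
# Postfix behaves as if reject_unlisted_recipient were appended after
# smtpd_recipient_restrictions, so every client, including those in
# mynetworks, gets an immediate reject for an unknown recipient.
smtpd_reject_unlisted_recipient = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Variant 2: explicit check only, placed AFTER permit_mynetworks.
# Internal devices (printers, scanners) matched by permit_mynetworks skip
# the check, so mail to an unknown recipient is accepted and bounced later;
# all other clients are still rejected during the SMTP session.
#smtpd_reject_unlisted_recipient = no
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unauth_destination,
#    reject_unlisted_recipient

# Variant 3: explicit check placed BEFORE permit_mynetworks.
# Same outcome as Variant 1 for unknown recipients, but the position in the
# list is visible and can be moved relative to other tests.
#smtpd_reject_unlisted_recipient = no
#smtpd_recipient_restrictions =
#    reject_unlisted_recipient,
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unauth_destination
```

After switching variants, `postconf -n` shows which values are in effect.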