On 14/02/2013 16:03, James Day wrote:
> Hello List,
>
> I'll have to start by breaking the golden rule of this list and not posting
> postconf -n output as my question relates to a server over which I have no
> control.
>
> A customer of mine is using a smart host provided by their ISP through which
> all outbound mail is delivered smtp.enta.net (which is running postfix).
>
> This server holds a list of valid domains from which this customer is allowed
> to send. A sensible precaution to prevent a compromised machine from sending
> spam using spoofed sender addresses on other domains.
>
> The problem is that when the client's mail server sends an NDR the sender
> address is <> (ie NULL). The null sender address causes the message to be
> rejected with:
>
> 554+5.7.1+<>:+Sender+address+rejected:+Access+denied
>
> Is there a sensible way to configure postfix to allow these messages with
> null sender addresses to be relayed without opening the smart host up to
> exploitation?

null sender should be accepted. as of today, null sender is not (yet?)
abused by spammers. and even if someday spammers decide to abuse it, we
will set up simple content filtering rules (NDR is not supposed to use a
"normal" From: address, etc etc).

so I'd say: just allow the null sender for now.

>
> Or alternatively - and this is off topic for this list - is there a way to
> configure Microsoft exchange 2003 to send NDR's with a different sender
> address.

dunno. but if you can put a postfix in front of exchange, you could
replace the null sender with a specific address (of course, if you do so,
make sure to discard mail to this address to avoid loops). of course, you
should try to only do that for that specific ISP.

>
> And before anyone comments, yes I know this isn't best practice as NDR's
> should have null sender addresses to stop loops (bouncing bounce-backs!).
>

yeah. but as long as you take care of auto-replies, you can replace the
null sender with any specific address of yours (such as n...@example.com)
for which you never send bounces. not trivial, but you can do that.
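
Added example, not part of the original message and not the ISP's actual configuration: one way a Postfix smart host can keep a per-domain sender allowlist while still accepting the null sender used by NDRs. The file path, the `customer.example` domain and the restriction layout are assumptions; relay authorization by client address or SASL is assumed to be enforced separately.

```cfg
# /etc/postfix/main.cf on the smart host (assumed layout)
# Envelope senders are checked against the allowlist; anything not
# listed falls through to "reject", which produces the
# "Sender address rejected: Access denied" reply seen in the thread.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/customer_senders,
    reject

# Lookup key that stands for the empty envelope sender in access
# tables. "<>" is the Postfix default, shown here for clarity.
smtpd_null_access_lookup_key = <>

# /etc/postfix/customer_senders
# (rebuild with "postmap /etc/postfix/customer_senders" after editing)
# customer.example is a placeholder for the customer's permitted domain.
customer.example    OK
# Accept bounces/NDRs, whose envelope sender is empty.
<>                  OK
```

The `<>` entry only changes the sender check: a client that is not otherwise allowed to relay through the host is still refused by the relay restrictions, so accepting the null sender does not by itself open the smart host.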