On 05-Dec-2013 12:17 am, "Viktor Dukhovni" <postfix-us...@dukhovni.org> wrote:
>
> On Wed, Dec 04, 2013 at 11:54:11PM +0530, Nilesh Govindrajan wrote:
>
> > I have a postfix server configured with following restrictions -
> >
> > smtpd_reject_unlisted_sender = yes
>
> You'll have to implement this control in the PHP application or submit email
> via SMTP, rather than the sendmail(1) command. Submission with sendmail(1)
> is asynchronous, and works even when Postfix is not running. Messages in
> the "maildrop" directory are processed once Postfix is running, but it is
> too late to tell the application that the message is not acceptable.
>
> > smtpd_relay_restrictions = reject_unverified_recipient,
> > permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
> > reject
>
> Why is your PHP application allowing users to send messages to
> arbitrary recipients? You should not need "reject_unverified_recipient"
> unless you have an open-relay web-form, fix the real problem.
>
> > smtpd_recipient_restrictions =
> > reject_rbl_client zen.spamhaus.org, reject_rbl_client
> > bl.spamcop.net, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
> > dbl.spamhaus.org,
> > reject_unknown_recipient_domain, reject_unlisted_recipient,
> > reject_unverified_recipient, permit
>
> Your own machine is probably not on any RBL, so you won't get much help
> here.
>
> > When I try to send mail using telnet to a failing address (aka
> > unverified) it properly fails.
> > But when PHP sends mail (which uses sendmail -t -i), it queues the mail.
> >
> > What am I missing?
>
> Don't let your PHP applications send mail to arbitrary addresses
> unless they are restricted to authenticated trusted users. If the
> latter, make sure you have valid sender addresses recorded for each
> such user, and use these rather than webform input as the sender
> address. If a submitted message from a trusted user bounces, the
> right user receives the bounce.
>
> If some of your users are spammers, solve that problem, just
> filtering out messages to invalid recipients is not the right
> answer.
>
> --
> Viktor.

I have sufficient spam and virus protection using amavisd. That's not the issue. Some applications keep trying to send mail to addresses which keep failing, and it fills the queue. Plus it gets the server IP a bad name because of frequent failures. And as a hosting service provider I can't control each and every aspect. So I chose this method. I guess it's right? Regarding the sender restrictions, it looks like I missed permit_mynetworks there, thanks for pointing it out.
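
Added example, not part of the original thread: the "submit email via SMTP, rather than the sendmail(1) command" advice quoted above, sketched in Python (the applications in the thread are PHP). Over SMTP the server's verdict on each RCPT TO reaches the application while it is still waiting, so a refused recipient never enters the queue. The function name, the sample addresses and the 127.0.0.1:25 default are assumptions.

```python
import smtplib
from email.message import EmailMessage


def submit_via_smtp(sender, recipients, subject, body,
                    host="127.0.0.1", port=25):
    """Hand a message to the local MTA over SMTP instead of sendmail(1).

    Returns (accepted, refused); refused maps each rejected address to
    the (code, text) the server returned during the SMTP dialogue.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)

    try:
        # local_hostname avoids a DNS lookup for the EHLO name (a choice
        # made for this example).
        with smtplib.SMTP(host, port, local_hostname="localhost",
                          timeout=10) as smtp:
            # Partial failure: smtplib returns {addr: (code, text)} for
            # the refused recipients and delivers to the rest.
            refused = smtp.send_message(msg, from_addr=sender,
                                        to_addrs=recipients)
    except smtplib.SMTPRecipientsRefused as exc:
        # Every recipient was refused; nothing was queued.
        refused = exc.recipients
    except smtplib.SMTPSenderRefused as exc:
        # The server refused MAIL FROM itself, so no recipient was tried.
        refused = {r: (exc.smtp_code, exc.smtp_error) for r in recipients}

    # smtplib reports reply text as bytes; normalise to str for logging.
    refused = {
        addr: (code, text.decode("utf-8", "replace")
               if isinstance(text, bytes) else text)
        for addr, (code, text) in refused.items()
    }
    accepted = [r for r in recipients if r not in refused]
    return accepted, refused
```

The application can log or surface `refused` immediately and stop retrying those addresses, which is the feedback that is lost when the message goes through the maildrop directory.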