Hello! I have found the "reject_unknown_sender_domain" and "reject_unknown_recipient_domain" restrictions to be very effective in cutting down on spam when applied to "smtpd_recipient_restrictions". Surely, there will be false positives, but this is a small, private server and the "risk is worth the reward" for my particular use-case.

One problem I am having, however, is that I seem not to be able to exempt certain sender domains from the restrictions. Here is a sample "problem" log entry (pardon the wrapping); this is from a legitimate sender (j...@client-domain.com) to a legitimate recipient (joeu...@otherdomain.com, whose email is hosted on this server); I'd like to exempt any sender whose domain-part is "client-domain.com" from the restrictions:

Jul 8 10:15:10 hostname postfix/smtpd[7315]: warning: hostname fl-exchange02.client-domain.com does not resolve to address 123.456.789.0: Name or service not known
Jul 8 10:15:10 hostname postfix/smtpd[7315]: connect from unknown[123.456.789.0]
Jul 8 10:15:11 hostname postfix/smtpd[7315]: NOQUEUE: reject: RCPT from unknown[123.456.789.0]: 450 4.7.1 Client host rejected: cannot find your hostname, [123.456.789.0]; from=<j...@client-domain.com> to=<joeu...@otherdomain.com> proto=ESMTP helo=<mail.client-domain.com>
Jul 8 10:15:11 hostname postfix/smtpd[7315]: NOQUEUE: reject: RCPT from unknown[123.456.789.0]: 450 4.7.1 Client host rejected: cannot find your hostname, [123.456.789.0]; from=<j...@client-domain.com> to=<joeu...@otherdomain.com> proto=ESMTP helo=<mail.client-domain.com>
Jul 8 10:15:11 hostname postfix/smtpd[7315]: disconnect from unknown[123.456.789.0]

Is this caused by the absence of "check_client_access mysql:/etc/postfix/mysql-virtual_client.cf" in smtpd_recipient_restrictions? If so, where in the order should it be placed?

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_sender_login_mismatch,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf

That hash file, /etc/postfix/mysql-virtual_client.cf, looks like this (sanitized, of course):

user = user
password = password
dbname = database
table = mail_access
select_field = access
where_field = source
additional_conditions = and type = 'client' and active = 'y'
hosts = 127.0.0.1

For the relevant exception record, `source` = "client-domain.com", `access` = "OK", `type` = "client", and `active` = "y".

One other related question: which is "less computationally expensive", in the context of "smtpd_helo_restrictions": "reject_invalid_helo_hostname" or "reject_non_fqdn_helo_hostname"? In other words, which one should come first?

Thanks for any help!

-Ben
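
Added example, not part of the original post: a Python sketch that matches the reply text of a Postfix "NOQUEUE: reject" line to the restriction that emits it, then checks whether that restriction appears in a given restriction list. The reply-text table and the function names are assumptions of this example; the log line and the list are the ones posted above.

```python
import re

# Reply text logged by each restriction. Table assembled for this example;
# reject_unknown_client is the older name of reject_unknown_client_hostname.
REJECT_TEXT = {
    "Client host rejected: cannot find your hostname":
        ("reject_unknown_client_hostname", "reject_unknown_client"),
    "Sender address rejected: Domain not found": ("reject_unknown_sender_domain",),
    "Recipient address rejected: Domain not found": ("reject_unknown_recipient_domain",),
    "Helo command rejected: need fully-qualified hostname": ("reject_non_fqdn_helo_hostname",),
    "Helo command rejected: Invalid name": ("reject_invalid_helo_hostname",),
}

REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<reply>.*?); from=<(?P<sender>[^>]*)>"
)

def parse_reject(line):
    """Return the fields of a reject line plus the restriction names that emit its reply."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["restrictions"] = next(
        (names for text, names in REJECT_TEXT.items() if text in fields["reply"]), ())
    return fields

def listed(names, restriction_list):
    """True if any of the restriction names is a token of the main.cf list value."""
    tokens = set(re.split(r"[,\s]+", restriction_list.strip()))
    return any(name in tokens for name in names)

# Log line and restriction list copied from the post above.
SAMPLE_LOG = ("Jul 8 10:15:11 hostname postfix/smtpd[7315]: NOQUEUE: reject: RCPT from "
              "unknown[123.456.789.0]: 450 4.7.1 Client host rejected: cannot find your "
              "hostname, [123.456.789.0]; from=<j...@client-domain.com> "
              "to=<joeu...@otherdomain.com> proto=ESMTP helo=<mail.client-domain.com>")
POSTED_LIST = ("permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, "
               "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, "
               "reject_sender_login_mismatch, reject_invalid_helo_hostname, "
               "reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, "
               "reject_non_fqdn_recipient, reject_unknown_sender_domain, "
               "reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf")

if __name__ == "__main__":
    hit = parse_reject(SAMPLE_LOG)
    print(hit["stage"], hit["code"], hit["sender"], "->", hit["restrictions"][0])
    print("in posted smtpd_recipient_restrictions:", listed(hit["restrictions"], POSTED_LIST))
```

For the posted line this reports reject_unknown_client_hostname, which is not among the posted smtpd_recipient_restrictions; "postconf -n" lists the other restriction lists in effect.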