This setup is not very unusual if you have a larger network. Then you have multiple mailout servers to send/deliver the mails. How could I possibly control recipients that do not belong to me?!

This is my config:

--------------------------
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination =
myhostname = mailout9.example.net
mynetworks = 127.0.0.0/8 xxx.xxx.132.35 xxx.xxx.131.219 195.4.248.13 xxx.xxx.132.51 xxx.xxx.132.36 xxx.xxx.131.181 xxx.xxx.131.201 xxx.xxx.131.205 xxx.xxx.130.99 xxx.xxx.132.56 xxx.xxx.132.73 xxx.xxx.130.98 xxx.xxx.154.100 xxx.xxx.132.57 xxx.xxx.146.241 xxx.xxx.138.85
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_unknown_client_hostname reject_unknown_reverse_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = no
transport_maps = hash:/etc/postfix/transport
unverified_recipient_reject_code = 550

Looking at it now, mynetwork seems to be the reason my MTA accepts all mails (which it does not by default).

Here is a little ugly diagram:
http://www.sumoware.com/images/temp/xztxkmqojbcmrerp.png

I tried using reject_unverified_recipient to avoid that the mailout server accepts mails it won't be able to deliver.

What am I doing wrong? Or: HOW should I do it?

Thanks,
Mario

On Wed, Aug 20, 2014 at 1:44 PM, Daniele Nicolodi <dani...@grinta.net> wrote:
> On 20/08/2014 10:56, ml ml wrote:
>> By default my postfix accepted those mails until it found out that the
>> recipient does not exist. Then postfix tries to send back that "550
>> User Unknown" error mail.
>
> I doubt that Postfix by default accepts mail for users it does not know
> about, but anyway...
>
>> However, the sender is fake. Therefore the mails get stuck on my postfix mta.
>>
>> I now enabled recipient address verification. In that case my postfix
>> mta will reject the mails already in the rcpt to stream. Which is
>> great.
>>
>> However, I now got blacklisted by backscatterer:
>
> I'm not surprised.
>
>> The source of this problem seems to be the empty address verify
>> probes/mails. In this case this is no spam or mass mails or anything.
>> Just a lot of mails and empty from sender addresses and a lot of mail
>> traffic.
>
> The reason why you are blacklisted is the backscatter caused by your
> late rejection of incoming messages, NOT the recipient verify probes.
> And if you need to use recipient verify for domains that are not under
> your control, you are definitely doing something wrong: why do you
> accept mail from external sources directed to domains you do not
> control? This smells like an open relay to me.
>
> Cheers,
> Daniele
>
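
Added example (not part of the original thread and not Postfix's own code): a small audit that walks smtpd_recipient_restrictions in order, as in the `postconf -n` output above, and reports whether reject_unverified_recipient is reached before permit_mynetworks accepts a client. The function names and the 192.0.2.x sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed excerpt modelled on the `postconf -n` output quoted above;
# the 192.0.2.x addresses are documentation placeholders, not the poster's.
SAMPLE = """\
mynetworks = 127.0.0.0/8 192.0.2.35 xxx.xxx.131.219
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
unverified_recipient_reject_code = 550
"""

def parse_postconf(text):
    """Parse `name = value` lines; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def split_list(value):
    """Postfix list values are separated by whitespace and/or commas."""
    return value.replace(",", " ").split()

def in_mynetworks(params, client_ip):
    """True if client_ip matches a literal address or CIDR entry in mynetworks.
    Simplification: table lookups, "!" exclusions, bracketed IPv6 and masked
    entries such as xxx.xxx.131.219 are skipped, not interpreted."""
    ip = ipaddress.ip_address(client_ip)
    for item in split_list(params.get("mynetworks", "")):
        try:
            if ip in ipaddress.ip_network(item, strict=False):
                return True
        except ValueError:
            continue
    return False

def audit(params, client_ip):
    """List the restrictions reached before permit_mynetworks accepts the
    client (all of them if the client is not in mynetworks)."""
    trusted = in_mynetworks(params, client_ip)
    before = []
    for r in split_list(params.get("smtpd_recipient_restrictions", "")):
        if r == "permit_mynetworks" and trusted:
            break
        before.append(r)
    return {"trusted": trusted, "before_permit": before,
            "recipient_verified": "reject_unverified_recipient" in before}
```

Feed it real output with `audit(parse_postconf(output), client_ip)`, where `output` is the text printed by `postconf -n`. For a client listed in mynetworks the sample yields an empty `before_permit` list, meaning no recipient check is consulted before the mail is accepted.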