You probably didn't understand what I meant with open relay testing services failing a domain that rejects a relay too early:

Imagine you did as you said, putting the table in smtpd_sender_restrictions, with smtpd_delay_reject = no. Now imagine a relay testing tool tests the server and does the following, to attempt to find a closed relay that is an open relay if you spoof the domain that the server is authoritative for:

MAIL FROM: <relayt...@yourdomain.com>
550 5.5.4 Sender Access Denied.

And then the tool "fails" the server (marks it as an open relay) because the tool did not reach the RCPT TO stage. Since some tools also automatically report servers to DNSBLs, it can be a good idea to still cope with it.

Yes, I'm fully aware that when you put "too much" in smtpd_relay_restrictions or smtpd_recipient_restrictions, you have to be extremely careful when changing the policies. Every time I change the relay policies, I perform both external and internal open relay testing, and carefully evaluate the policies manually to be completely sure it's not an open relay. This approach allows for much more flexible relaying policies, but allows for fewer mistakes before your server becomes an open relay. Having delay_reject set to no allows you to specifically fine-tune when it should reject, making the rules more flexible.


About the IP lookup, I still do not understand what you are talking about.
If you are talking about the rule:
"[<EXTERNAL_IP_OF_SMTP_SERVER>] permit_mynetworks, reject"

it's to allow domain literals, for example "someuser@[94.185.86.58]", to be treated the same as if they were "someu...@sebbe.eu".


-----Original Message----- From: Viktor Dukhovni
Sent: Monday, March 09, 2015 7:31 PM
To: postfix-users@postfix.org
Subject: Re: smtpd_relay_restrictions in Postfix 2.11.3 on openSUSE 13.2 causes mail to local domain to be rejected

On Mon, Mar 09, 2015 at 06:53:21PM +0100, Sebastian Nielsen wrote:

I have noticed some automated open relay testing services do "fail" a domain
if it rejects a relay too early (e.g. in MAIL FROM).

Obviously, Postfix cannot and does not reject relay attempts at
MAIL FROM.  At that point the destination domain is not available
to make relay decisions. Likely you're unaware of "smtpd_delay_reject = yes".

And you are a bit wrong with IP address lookup. Yes, check_sender_access does
not itself look up IPs.

On this list, a reasonably safe bet is that I'm not wrong.  If you
disagree, think harder, do some more research, ...

--
Viktor.

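The MAIL FROM versus RCPT TO distinction the thread argues about, as an added example that is not from either poster: a small probe classifier (hypothetical Python, all names are mine) that reports a 5xx at MAIL FROM as inconclusive instead of as an open relay, plus a helper to run the same probe against a server you administer. The transcripts at the bottom are constructed, not real server output.

```python
import re
import smtplib
from typing import List, Tuple

Session = List[Tuple[str, str]]  # (command sent, full server reply line)

def reply_code(reply: str) -> int:
    """3-digit SMTP status code of a reply line, 0 if malformed."""
    m = re.match(r"\s*(\d{3})", reply)
    return int(m.group(1)) if m else 0

def classify_session(session: Session) -> str:
    """Verdict for one probe whose sender spoofs a domain the server is
    authoritative for and whose recipient is an external address:
    'open-relay' (RCPT TO accepted), 'closed' (RCPT TO rejected, so the relay
    decision was reached), 'inconclusive' (no RCPT TO verdict, e.g. 5xx at
    MAIL FROM, which a naive tool wrongly counts as an open relay)."""
    for command, reply in session:
        verb, code = command.strip().upper(), reply_code(reply)
        if verb.startswith("MAIL FROM") and code >= 400:
            return "inconclusive"   # rejected before the relay decision point
        if verb.startswith("RCPT TO"):
            return "open-relay" if 200 <= code < 300 else "closed"
    return "inconclusive"

def probe(host: str, spoofed_sender: str, external_rcpt: str,
          port: int = 25) -> Session:
    """Run the probe live against a server you administer (hypothetical
    helper). No DATA is ever issued, so nothing can be queued or delivered."""
    session: Session = []
    with smtplib.SMTP(host, port, timeout=10) as s:   # QUIT is sent on exit
        s.ehlo_or_helo_if_needed()
        code, msg = s.mail(spoofed_sender)
        session.append((f"MAIL FROM:<{spoofed_sender}>",
                        f"{code} {msg.decode(errors='replace')}"))
        if code < 400:
            code, msg = s.rcpt(external_rcpt)
            session.append((f"RCPT TO:<{external_rcpt}>",
                            f"{code} {msg.decode(errors='replace')}"))
        s.rset()  # abandon the envelope
    return session

# Constructed transcripts (not real server output) for the three outcomes.
EARLY_REJECT: Session = [("MAIL FROM:<probe@yourdomain.com>",
                          "550 5.5.4 Sender Access Denied.")]
CLOSED: Session = [("MAIL FROM:<probe@yourdomain.com>", "250 2.1.0 Ok"),
                   ("RCPT TO:<probe@example.net>", "554 5.7.1 Relay access denied")]
OPEN: Session = [("MAIL FROM:<probe@yourdomain.com>", "250 2.1.0 Ok"),
                 ("RCPT TO:<probe@example.net>", "250 2.1.5 Ok")]
```

Only the verdict for OPEN should ever trigger an alarm; EARLY_REJECT is exactly the smtpd_delay_reject = no case the thread describes, and a tool that treats it as a failure is measuring the wrong stage.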