Hi,

> As I understand your problem, there is mail which you must accept that uses
> a sender domain name which does not resolve. However, you generally want to
> use reject_unknown_sender_domain, which is a good thing.
>
> The ideal way to address that problem is a check_sender_access map with your
> exception in the smtpd_sender_restrictions list, before
> reject_unknown_sender_domain ALSO in the smtpd_sender_restrictions list.

Okay, I've adjusted my smtpd_sender_restrictions to the following:

smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_unknown_sender_domain

> You currently have reject_unknown_sender_domain in
> smtpd_recipient_restrictions, so the bogus-domain mail is being rejected. If
> you were to put your permissive check_sender_access map in the
> smtpd_recipient_restrictions list before reject_unknown_sender_domain, all
> of the exceptions in the map would bypass all restrictions following it in
> smtpd_recipient_restrictions. Because a sender address is trivial to forge,
> that would open up a relay and/or local delivery hole as described in
> http://www.postfix.org/SMTPD_ACCESS_README.html

I don't know how I missed that previously. I'm not new to Postfix, but
perhaps I was a bit confused.

>> Now it sounds like I should add a check_client_access and
>> check_sender_access map to my smtpd_recipient_restrictions after
>> permit_mynetworks:
>>
>> smtpd_recipient_restrictions =
>>     reject_non_fqdn_recipient,
>>     reject_non_fqdn_sender,
>>     reject_unlisted_recipient,
>>     reject_unknown_recipient_domain,
>>     reject_unauth_destination,
>>     reject_unknown_sender_domain,
>>     permit_mynetworks,
>>     check_client_access hash:/etc/postfix/client_checks,
>>     check_sender_access hash:/etc/postfix/sender_checks,
>>     reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>>     reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>>     reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>>     check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>>     check_helo_access hash:/etc/postfix/helo_checks,
>>     reject_non_fqdn_helo_hostname,
>>     reject_invalid_helo_hostname,
>>     check_policy_service inet:127.0.0.1:2501,
>>     check_recipient_access pcre:/etc/postfix/relay_recips_access
>>
>> I've also reordered reject_unauth_destination and
>> reject_unknown_sender_domain to above permit_mynetworks, as no one
>> should be routing mail to unauthorized destinations or domains.
>
> This is a bit exasperating....
>
> Do you not see reject_unknown_sender_domain in that list? Are you refusing
> to accept that "Sender address rejected: Domain not found" in your log meant
> what it said? This is the 3rd (& last) message where I've pointed at
> reject_unknown_sender_domain in smtpd_sender_restrictions being key to your
> originally described problem.

Yes, I sincerely appreciate your patience with me as I try to learn how to
do this. I got confused with placement, but certainly understand that
reject_unknown_sender_domain in smtpd_recipient_restrictions would have
rejected my unknown domains.

> Putting reject_unknown_sender_domain in smtpd_sender_restrictions is more
> absolutely effective than burying it 1/3 of the way into
> smtpd_recipient_restrictions, with the added benefit that you can put your
> exceptions to reject_unknown_sender_domain in a check_sender_access map
> right before it in smtpd_sender_restrictions and have no concern about your
> special snowflake sender domains becoming a free pass for spammers to hit
> local users or to relay through you.

Hopefully the smtpd_sender_restrictions I posted above is correct, but I will
also have to either add the IPs to mynetworks or duplicate the
check_sender_access map in smtpd_recipient_restrictions to avoid being
rejected in the RBLs there, correct?

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination,
    reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
    reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
    reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:/etc/postfix/relay_recips_access,

Thanks again,
Alex
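As an added example, not from this thread or from Postfix itself, here is a small Python model of how Postfix walks a restriction list (first OK or REJECT decides the list, DUNNO falls through, every list must pass). It uses constructed networks, domains and addresses, and assumes all lists are evaluated together at RCPT TO as with the default smtpd_delay_reject; it shows why the exception map is harmless ahead of reject_unknown_sender_domain in smtpd_sender_restrictions but opens a relay when placed ahead of reject_unauth_destination in smtpd_recipient_restrictions.

```python
# Constructed sample environment; a simplified model, not Postfix source code.
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}
RESOLVABLE = {"example.com", "example.net"}     # sender domains DNS would resolve
MY_DESTINATIONS = {"example.net"}                # domains this server accepts mail for
EXCEPTIONS = {"nonresolving.example": "OK"}      # the check_sender_access map

def domain(addr):
    return addr.rsplit("@", 1)[-1]
def permit_mynetworks(s):
    return "OK" if s["client"] in MYNETWORKS else "DUNNO"
def check_sender_access(s, table):
    return table.get(domain(s["sender"]), "DUNNO")
def reject_unknown_sender_domain(s):
    return "DUNNO" if domain(s["sender"]) in RESOLVABLE else "REJECT"
def reject_unauth_destination(s):
    return "DUNNO" if domain(s["recipient"]) in MY_DESTINATIONS else "REJECT"

def evaluate(restrictions, session):
    """Walk one list: the first OK or REJECT decides it, DUNNO falls through."""
    for restriction, *args in restrictions:
        result = restriction(session, *args)
        if result != "DUNNO":
            return result
    return "DUNNO"

def accepted(session, **lists):
    """Mail is accepted only if no list (sender, recipient, ...) ends in REJECT."""
    return all(evaluate(r, session) != "REJECT" for r in lists.values())

# Exception placed right before reject_unknown_sender_domain in the sender list.
SAFE = dict(
    sender=[(permit_mynetworks,), (check_sender_access, EXCEPTIONS),
            (reject_unknown_sender_domain,)],
    recipient=[(permit_mynetworks,), (reject_unauth_destination,)])
# Same exception, but in the recipient list ahead of reject_unauth_destination.
HOLE = dict(
    sender=[],
    recipient=[(permit_mynetworks,), (check_sender_access, EXCEPTIONS),
               (reject_unauth_destination,), (reject_unknown_sender_domain,)])

LEGIT = {"client": "198.51.100.7", "sender": "bob@nonresolving.example",
         "recipient": "alice@example.net"}
RELAY = {"client": "203.0.113.5", "sender": "bob@nonresolving.example",
         "recipient": "victim@elsewhere.example"}  # forged sender, foreign recipient

if __name__ == "__main__":  # SAFE: True False   HOLE: True True (relay accepted)
    for label, cfg in (("SAFE", SAFE), ("HOLE", HOLE)):
        print(label, accepted(LEGIT, **cfg), accepted(RELAY, **cfg))
```

Because OK only ends the list it appears in, the sender-list exception still leaves reject_unauth_destination in force, whereas in the recipient list it skips everything after it for any message that merely claims the excepted sender domain.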