On 25 Oct 2016, at 2:04, mro...@insiberia.net wrote:
Hi,
Reading the postconf explanation of reject_unknown_recipient_domain
and reject_unknown_sender_domain, I'm having trouble understanding
where these find their use.
For incoming mail: The first test criteria for both is that Postfix
not be the final destination for the recipient/sender domain, so when
Postfix is not set up with a catchall and rejects unknown users, am I
correct to think there is no use for these here?
Not exactly. It isn't very helpful to group these 2 restrictions
together despite their similar names, because they act on completely
independent attributes of a SMTP transaction.
reject_unknown_sender_domain prevents Postfix from accepting mail that
cannot be bounced. That may seem like an antique idea in a time when
"blowback" from bouncing messages with forged senders is a big headache,
but there remain generally safe circumstances where bounces are useful.
More importantly in common modern MTAs, using
reject_unknown_sender_domain as the first restriction in
smtp_sender_restrictions spares a system from doing any further logical
processing on that session when the sender is obviously bogus: no
lookups of anything in any maps, no determination of recipient validity,
no bandwidth/memory/disk wasted on receiving the actual message data and
passing it to a content filter. reject_unknown_sender_domain is just
about the cheapest and most reliable anti-spam policies possible, which
is part of why it catches relatively little spam: for 20 years no
sanely-configured MTA with Internet access has NOT used an equivalent
restriction so spammers almost universally have given up on using
domains that don't resolve.
Likewise for outgoing messages: The criteria for the domain needing to
have valid, well formed MX -- even without
reject_unknown_sender_domain, Postfix won't be able to send such mail
anyway. Is this a matter of instantaneous rejection vs. queue and
bounce after retries?
Yes. For "outgoing" mail (which is presumably arriving via authenticated
port 587 submission and if it isn't: *WHY NOT???*) there's no realistic
scenario where the MSA isn't in a fundamentally broken state where it
has a realistic hope of eventually being able to pass along mail to a
recipient whose domain cannot be resolved at the time of submission.
Are these two settings more applicable to relay scenarios?
Not really, except in the sense that outgoing mail submission is a relay
scenario.
