On 2016-10-25 07:00, Bill Cole wrote:
On 25 Oct 2016, at 2:04, mro...@insiberia.net wrote:
Hi,
Reading the postconf explanation of reject_unknown_recipient_domain
and reject_unknown_sender_domain, I'm having trouble understanding
where these find their use.
For incoming mail: The first test criteria for both is that Postfix
not be the final destination for the recipient/sender domain, so when
Postfix is not set up with a catchall and rejects unknown users, am I
correct to think there is no use for these here?
Not exactly. It isn't very helpful to group these 2 restrictions
together despite their similar names, because they act on completely
independent attributes of a SMTP transaction.
Fair enough, and you've nicely explained the usefulness (albeit limited
in this day and age) of reject_unknown_sender_domain.
However, can you speak to reject_unknown_recipient_domain? Trying to
re-think but I can't find a scenario where it would be redundant. ??
reject_unknown_sender_domain prevents Postfix from accepting mail that
cannot be bounced. That may seem like an antique idea in a time when
"blowback" from bouncing messages with forged senders is a big
headache, but there remain generally safe circumstances where bounces
are useful. More importantly in common modern MTAs, using
reject_unknown_sender_domain as the first restriction in
smtp_sender_restrictions spares a system from doing any further
logical processing on that session when the sender is obviously bogus:
no lookups of anything in any maps, no determination of recipient
validity, no bandwidth/memory/disk wasted on receiving the actual
message data and passing it to a content filter.
reject_unknown_sender_domain is just about the cheapest and most
reliable anti-spam policies possible, which is part of why it catches
relatively little spam: for 20 years no sanely-configured MTA with
Internet access has NOT used an equivalent restriction so spammers
almost universally have given up on using domains that don't resolve.
Likewise for outgoing messages: The criteria for the domain needing to
have valid, well formed MX -- even without
reject_unknown_sender_domain, Postfix won't be able to send such mail
anyway. Is this a matter of instantaneous rejection vs. queue and
bounce after retries?
Yes. For "outgoing" mail (which is presumably arriving via
authenticated port 587 submission and if it isn't: *WHY NOT???*)
there's no realistic scenario where the MSA isn't in a fundamentally
broken state where it has a realistic hope of eventually being able to
pass along mail to a recipient whose domain cannot be resolved at the
time of submission.
Are these two settings more applicable to relay scenarios?
Not really, except in the sense that outgoing mail submission is a
relay scenario.
