I'm talking about this:

    smtpd_sender_restrictions = check_sender_access hash:/etc/file

/etc/file (before postmap):

    mydomain.com permit_sasl_authenticated, reject

The result is that if the sender domain is mydomain.com, the policy applied will be "permit_sasl_authenticated, reject".
This will result in any unauthenticated mail claiming to be from mydomain.com being rejected (, reject), even if the destination is authorized, since the policy stack will see a plain "reject" before "reject_unauth_destination".

BUT, if the sender is NOT mydomain.com, the check_sender_access will return nothing, thus there will be no "permit_sasl_authenticated" on the policy stack, thus the mail will be rejected with "Relay access denied" even for authenticated users, as the policy stack will end up on "reject_unauth_destination" without seeing any permit_sasl_authenticated.

(Note that this means that every instance of "permit_sasl_authenticated" needs to be replaced with "check_sender_access hash:/etc/file")

You understand the idea now?

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of /dev/rob0
Sent: 19 November 2016 19:34
To: postfix-users@postfix.org
Subject: Re: SV: SV: block emails which pretend to originate from my domain

On Thu, Nov 17, 2016 at 05:31:43PM +0100, Sebastian Nielsen wrote:
> The advantage with using "permit_sasl_authenticated, reject" as
> check_sender_access in the global config, is that authenticated
> senders won't be able to send with an address outside of your domain
> either, thus achieving both local spoof prevention for unauthenticated
> users, but also prevents foreign spoof from authenticated users.

That's not true. "permit_sasl_authenticated" does exactly what it says, regardless of sender address. If the client successfully authenticated, the mail is accepted.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
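The lookup behaviour described in the top message, as a simplified first-match model; this is an added example, not code from the thread or from Postfix. The single combined restriction stack, the dictionary standing in for /etc/file, LOCAL_DOMAINS, and the example.org / example.net addresses are assumptions made for illustration.

```python
# Simplified model of first-match restriction evaluation (not Postfix code).
PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"

# Constructed stand-in for /etc/file: sender domain -> restriction list.
SENDER_ACCESS = {"mydomain.com": ["permit_sasl_authenticated", "reject"]}
# Assumption: the only domain this server is final destination for.
LOCAL_DOMAINS = {"mydomain.com"}
# Assumption: permit_sasl_authenticated already replaced by the table lookup.
STACK = ["check_sender_access", "reject_unauth_destination"]


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(restrictions, sender, rcpt, authenticated):
    """Walk a restriction list; the first PERMIT or REJECT wins."""
    for name in restrictions:
        if name == "permit_sasl_authenticated":
            if authenticated:
                return PERMIT, name
        elif name == "reject":
            return REJECT, name
        elif name == "reject_unauth_destination":
            if domain(rcpt) not in LOCAL_DOMAINS:
                return REJECT, "Relay access denied"
        elif name == "check_sender_access":
            # No table entry means no result: evaluation just continues.
            action = SENDER_ACCESS.get(domain(sender), [])
            verdict, reason = evaluate(action, sender, rcpt, authenticated)
            if verdict != DUNNO:
                return verdict, reason
        else:
            raise ValueError(f"unmodelled restriction: {name}")
    return DUNNO, "end of list"


def decide(sender, rcpt, authenticated):
    verdict, reason = evaluate(STACK, sender, rcpt, authenticated)
    # Falling off the end of the list accepts the mail.
    return (PERMIT, reason) if verdict == DUNNO else (verdict, reason)


if __name__ == "__main__":
    cases = [  # constructed sample mail: (sender, recipient, authenticated)
        ("ceo@mydomain.com", "user@mydomain.com", False),
        ("user@mydomain.com", "friend@example.org", True),
        ("user@example.net", "friend@example.org", True),
        ("someone@example.net", "user@mydomain.com", False),
    ]
    for case in cases:
        print(case, "->", decide(*case))
```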