On Sat, Jan 21, 2017 at 04:38:57AM -0700, Postfix User wrote:

> Bastian Blank-3 wrote
> > On Fri, Jan 20, 2017 at 02:01:27PM -0700, Postfix User wrote:
> >>         check_sender_access $virtual_alias_maps,
> > 
> > You are creating an open relay, don't do that.
> 
> Actually I am not creating an open relay,

Actually, if a sender-address access(5) table appears before
reject_unauth_destination in smtpd_relay_restrictions (Postfix >=
2.10) or in smtpd_recipient_restrictions (Postfix <= 2.9) then you
would be creating an open relay, since the attacker can forge any
sender address of his choice.

However, more critically, the virtual(5) table is NOT an access(5)
table.  The result associated with each lookup key in virtual(5)
is an email address, not "OK", "REJECT", "DUNNO", which are in
turn not especially valid email addresses.

Secondly, if "$virtual_alias_maps" were to list multiple
tables or no tables, you get unexpected results or syntax errors
respectively.

Therefore, "check_sender_access $virtual_alias_maps" is rather
wrong.

-- 
        Viktor.

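Added example, not part of the original message and not Postfix code: a small main.cf audit that flags the two conditions described above, a check_sender_access that precedes reject_unauth_destination and a check_sender_access whose argument is a $parameter expansion rather than a single type:table. Both sample configurations and the /etc/postfix/sender_access path are constructed; pass the parameter name that applies to your Postfix version.

```python
import re

# Constructed samples (assumptions, not taken from the thread).
SAMPLE_WEAK = """\
# relay policy
smtpd_relay_restrictions =
    permit_mynetworks,
    check_sender_access $virtual_alias_maps,
    reject_unauth_destination
"""
SAMPLE_FIXED = """\
smtpd_relay_restrictions = permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access
"""

def logical_lines(text):
    """Drop comments/blank lines; join lines that start with whitespace."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def restrictions(text, param):
    """Tokens of the last definition of `param` (the last one wins)."""
    tokens = []
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep and name.strip() == param:
            tokens = [t for t in re.split(r"[,\s]+", value) if t]
    return tokens

def audit(text, param="smtpd_relay_restrictions"):
    """Return (finding, table) pairs for each risky check_sender_access."""
    toks = restrictions(text, param)
    guard = (toks.index("reject_unauth_destination")
             if "reject_unauth_destination" in toks else len(toks))
    findings = []
    for i, tok in enumerate(toks):
        if tok != "check_sender_access":
            continue
        table = toks[i + 1] if i + 1 < len(toks) else ""
        if i < guard:  # evaluated before the relay guard: sender is forgeable
            findings.append(("before-reject_unauth_destination", table))
        if table.startswith("$"):  # may expand to zero or several tables
            findings.append(("parameter-expansion-as-table", table))
    return findings
```

The script cannot tell whether a named table is really an access(5) table; that still has to be checked by looking at the table's right-hand-side values.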