Thanks for the tips Viktor,

For some reason the order of restrictions in smtpd_relay_restrictions (Postfix 2.11.0) was wrong. Luckily expected check_sender_access values are not valid email addresses. After I fix both problems I will post a new postconf -n output.

Robin

Viktor Dukhovni wrote
> On Sat, Jan 21, 2017 at 04:38:57AM -0700, Postfix User wrote:
>
>> Bastian Blank-3 wrote
>> > On Fri, Jan 20, 2017 at 02:01:27PM -0700, Postfix User wrote:
>> >> check_sender_access $virtual_alias_maps,
>> >
>> > You are creating an open relay, don't do that.
>>
>> Actually I am not creating an open relay,
>
> Actually, if a sender-address access(5) table appears before
> reject_unauth_destination in smtpd_relay_restrictions (Postfix >=
> 2.10) or in smtpd_recipient_restrictions (Postfix <= 2.9) then you
> would be creating an open-relay, since the attacker can forge any
> sender address of his choice.
>
> However, more critically, the virtual(5) table is NOT an access(5)
> table. The result associated with each lookup key in virtual(5)
> is an email address, not "OK", "REJECT", "DUNNO", which are in
> turn not especially valid email addresses.
>
> Secondly if "$virtual_alias_maps" were to contain multiple
> tables or no tables, you get unexpected results or syntax errors
> respectively.
>
> Therefore, "check_sender_access $virtual_alias_maps" is rather
> wrong.
>
> --
> Viktor.

--
View this message in context: http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359p88384.html
Sent from the Postfix Users mailing list archive at Nabble.com.
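
The three problems raised in this thread (a sender-keyed access check ahead of reject_unauth_destination, a virtual(5) table used where an access(5) table is expected, and a `$parameter` that expands to zero or several tables) can be checked mechanically against `postconf -n` output. The script below is an added example, not code from the thread or from Postfix; the sample configuration, the table path and the finding labels are constructed for illustration.

```python
import re

# Constructed sample in `postconf -n` style; the table path is made up.
SAMPLE = """\
smtpd_relay_restrictions = permit_mynetworks,
    check_sender_access $virtual_alias_maps,
    reject_unauth_destination
virtual_alias_maps = hash:/etc/postfix/virtual
"""

def parse_params(text):
    """Return {name: value}, joining whitespace-led continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def audit(text, param="smtpd_relay_restrictions"):
    """Return (label, table) findings for check_sender_access in `param`.
    Pass smtpd_recipient_restrictions instead for Postfix <= 2.9."""
    params = parse_params(text)
    tokens = [t for t in re.split(r"[,\s]+", params.get(param, "")) if t]
    findings, guarded, i = [], False, 0
    while i < len(tokens):
        if tokens[i] == "reject_unauth_destination":
            guarded = True
        elif tokens[i] == "check_sender_access":
            table = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 1  # the table argument is consumed with the restriction
            if not guarded:
                # Sender addresses are forgeable, so a permit result here
                # would be reached before the relay check.
                findings.append(("order", table))
            if table.startswith("$"):
                name = table.strip("${}")
                if name.startswith("virtual_"):
                    # virtual(5) results are addresses, not OK/REJECT/DUNNO
                    findings.append(("not-access-table", table))
                count = len(params.get(name, "").replace(",", " ").split())
                if count != 1:
                    findings.append(("expands-to-%d-tables" % count, table))
        i += 1
    return findings
```

An "order" finding means the entry needs review: whether it actually permits relaying depends on what the table can return.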