On 29 April 2018 at 17:16, Wietse Venema <wie...@porcupine.org> wrote:
> Dominic Raferd:
>> Checking my logs I see that some senders are trying to fake our domain
>> and use our server to send mails to third parties masquerading as one
>> of our own domains (without authenticating first).
>>
>> They are stopped by smtpd with response 'Relay access denied', but
>> instead of 5xx permanent rejection smtpd gives 454 4.7.1 temporary
>> rejection, which surely encourages them to keep trying. Why is this,
>> and can I change it?
>
> postconf -x smtpd_relay_restrictions
>
> As a safety for sites migrating from Postfix 2.x, the default
> is to defer instead of reject.

Thanks Wietse. I was not defining smtpd_relay_restrictions and relying
instead on smtpd_recipient_restrictions (which contained
reject_unauth_destination), but presumably this was never activated
because the default defer_unauth_destination in
smtpd_relay_restrictions took precedence. Have now explicitly defined:

smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
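
An added example, not part of the original message or of Postfix: a log check that splits "Relay access denied" events into deferred (4xx) and rejected (5xx), to confirm whether the defer action discussed above is still in effect after a change. The log lines are constructed samples in the usual smtpd reject format, and the function names and the `own_domains` parameter are hypothetical.

```python
import re
from collections import Counter

# Constructed sample smtpd log lines (documentation IP ranges, example domains).
SAMPLE_LOG = """\
Apr 29 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<ceo@example.com> to=<victim@example.net> proto=ESMTP helo=<mail.example.com>
Apr 29 10:06:40 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<ceo@example.com> to=<victim@example.net> proto=ESMTP helo=<mail.example.com>
Apr 29 10:09:13 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <other@example.org>: Relay access denied; from=<info@example.com> to=<other@example.org> proto=ESMTP helo=<x>
Apr 29 10:09:20 mx postfix/smtpd[2110]: connect from unknown[192.0.2.9]
"""

# Matches the smtpd "Relay access denied" line and captures client, reply code and sender.
RELAY_DENIED = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]*)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<dsn>[45]\.\d+\.\d+) <(?P<rcpt>[^>]*)>: "
    r"Relay access denied; from=<(?P<sender>[^>]*)>"
)

def summarize(log_text, own_domains):
    """Count relay denials per client IP, split into deferred (4xx) and
    rejected (5xx), and collect senders claiming one of our own domains."""
    deferred, rejected, spoofed = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if not m:
            continue  # not a relay denial (e.g. connect/disconnect lines)
        bucket = deferred if m["code"].startswith("4") else rejected
        bucket[m["ip"]] += 1
        domain = m["sender"].rpartition("@")[2].lower()
        if domain in own_domains:
            spoofed.add((m["ip"], m["sender"]))
    return deferred, rejected, spoofed

def defer_still_active(log_text, own_domains):
    """True if any relay attempt received a temporary 4xx reply."""
    deferred, _, _ = summarize(log_text, own_domains)
    return sum(deferred.values()) > 0

if __name__ == "__main__":
    d, r, s = summarize(SAMPLE_LOG, {"example.com"})
    print("deferred (4xx):", dict(d))
    print("rejected (5xx):", dict(r))
    print("own-domain senders:", sorted(s))
```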
