On Wed, Sep 02, 2020 at 01:16:43PM +0100, Nick wrote:

> > If you want to prevent bounces from leaking out to forged sender
> > addresses you need to accept and discard messages, rather than reject
> > them.
> 
> instead of this -
> 
>   -o { smtpd_sender_restrictions =
>          check_sender_access
>             regexp:/etc/postfix/check-sender-access-outbound,
>          reject_unverified_sender
>      }
> 
> ?  For check_sender_access I can use the DISCARD action instead of
> REJECT, but what should replace reject_unverified_sender?

Don't use "reject_unverified_sender", have a definitive list of valid
addresses accessible to the MTA (indexed tables, LDAP, ...).  There is
no mechanism to tie sender verification failure to a DISCARD action.

-- 
    Viktor.
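
One way to apply the advice above, as an added example that is not from the thread: a definitive sender list in an indexed table, followed by a catch-all DISCARD in place of reject_unverified_sender. The path /etc/postfix/valid-senders, the example.com addresses, the hash: table type and the use of static:DISCARD as the fallback are assumptions.

```conf
# --- /etc/postfix/valid-senders (hypothetical path, constructed entries) ---
# Rebuild the index after each change:
#   postmap hash:/etc/postfix/valid-senders
alice@example.com     OK
bob@example.com       OK

# --- master.cf, on the same service as in the question ---
# A listed sender gets OK, which ends evaluation of this restriction list.
# Any other sender falls through to the static table, which returns
# DISCARD for every lookup key, so no rejection or bounce is generated.
  -o { smtpd_sender_restrictions =
         check_sender_access
            regexp:/etc/postfix/check-sender-access-outbound,
         check_sender_access hash:/etc/postfix/valid-senders,
         check_sender_access static:DISCARD
     }
```

DISCARD reports successful delivery to the client and applies to all recipients of the message. The null sender is looked up under the key `<>` and is discarded as well unless it is listed.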
