Demi Marie Obenour:
Checking application/pgp-signature: FAILURE
-- Start of PGP signed section.
> On 2/18/22 12:20, Wietse Venema wrote:
> > Jaroslaw Rafa:
> >> On 18.02.2022 at 11:17:13, Wietse Venema wrote:
> >>> Starting to wonder if reject_unverified_recipient should be given
> >>> more publicity.
> >>
> >> Definitely should. I always thought of reject_unverified_recipient only in
> >> context of a front-end server relaying mail to the final server, which is a
> >> pretty rare case for me (I usually work with single-server setups). I did
> >> not think that it can be used in such context as rewriting by canonical
> >> maps.
> >
> > Upon closer reading, address verification has limits some of
> > which are intentional.
> >
> > Address verification will validate addresses that result from
> > canonical mappings and of 1-to-1 virtual aliases.
> >
> > Address verification will not validate addresses that result from
> > the expansion of 1-to-many virtual aliases. It will just report
> > that the address before alias expansion is valid.
> >
> > It does not validate 1-to-many expansions because that would result
> > in an explosive behavior, because the result would be ambiguous if
> > some addresses in the expansion result are valid and some not, and
> > because it could be undesirable to reveal what 1-to-many aliases
> > expand into.
> >
> > Address verification will also not validate addresses that result
> > from local aliasing/forwarding with alias_maps or ~/.forward files,
> > because I was too lazy to write code that determines if these are
> > 1-to-1 or 1-to-many, but also because it might reveal too much
> > information. It will just report that the address before alias
> > expansion or forwarding is valid.
>
> Is reject_unverified_recipient the correct approach for a standard
> Postfix/Dovecot setup?

Probably. I do not use Dovecot myself.

Address verification adds a bit of additional load, but Postfix has
a safety mechanism to limit the number of address verification probes
that can be in flight at the same time (it will reply with SMTP code
4XX for excess requests).

	Wietse
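
An added example, not part of the thread and not Postfix code: a small audit script that reads a virtual alias table in text format and separates the 1-to-1 entries, whose rewritten address the message above says is validated, from the 1-to-many entries, where only the address before expansion is reported valid. The sample table, the example.com addresses and the function names are constructed for illustration; local alias_maps and ~/.forward expansion are not modelled.

```python
import re

# Constructed sample in Postfix virtual(5) text-table format (not from the thread).
SAMPLE_VIRTUAL = """\
# lhs                 rhs
info@example.com      alice@example.com
sales@example.com     bob@example.com, carol@example.com
support@example.com   dave@example.com
    erin@example.com
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop blanks and comments."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield current
        current = raw.strip()
    if current is not None:
        yield current

def classify(text):
    """Split entries by how the message says address verification treats them."""
    one_to_one, one_to_many = {}, {}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # malformed entry without a right-hand side
        lhs, rhs = parts
        targets = [t for t in re.split(r"[,\s]+", rhs) if t]
        if len(targets) == 1:
            one_to_one[lhs] = targets[0]   # the rewritten address is validated
        else:
            one_to_many[lhs] = targets     # only the lhs is reported valid
    return one_to_one, one_to_many

if __name__ == "__main__":
    validated, unchecked = classify(SAMPLE_VIRTUAL)
    for lhs, target in validated.items():
        print(f"{lhs}: validated as {target}")
    for lhs, members in unchecked.items():
        print(f"{lhs}: accepted as-is, members not validated: {', '.join(members)}")
```

Entries in the second group are the ones where a stale member address will not be caught by reject_unverified_recipient and has to be checked by other means.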