On 2022-11-23 at 11:54:19 UTC-0500 (Wed, 23 Nov 2022 16:54:19 +0000)
Juan Smitt Jr <juan.smitt...@proton.me>
is rumored to have said:
Hi Viktor,
These restrictions only make (modest) sense on an outbound relay MTA
Yes, this is exactly the case. Tons of customers sending tons of
emails to various addresses. Some are just entirely made up, some just
contain typos.
We are trying to fix this on different levels of the business
(restricting the customers, etc. etc.) but one possible point is the
relay server that sends out the emails at the end.
So can we say that on a relay server such as ours it won't do any harm
to enable these options?
No.
Enabling reject_unknown_recipient_domain could in theory cause your
relay to reject incoming messages because the accepting (smtpd) process
sees DNS differently than the outgoing process (smtp) would, if given a
chance. That's rare, unless you try to chroot smtpd.
Enabling reject_unverified_recipient WILL cause your system to block
acceptance while it attempts to verify the recipient, using a test SMTP
session for remote domains. This behavior may appear suspicious to
receiving domains, so you may end up being blocked just for doing this.
Your outbound mail will be made slower because of the external outbound
SMTP sessions being synchronous with inbound.
Cheers,
jsjr
Sent with Proton Mail secure email.
------- Original Message -------
On Wednesday, November 23rd, 2022 at 17:16, Viktor Dukhovni
<postfix-us...@dukhovni.org> wrote:
On 23 Nov 2022, at 10:58 am, Juan Smitt Jr juan.smitt...@proton.me
wrote:
I'm just wondering, what's the risk in adding
'reject_unknown_recipient_domain'
and 'reject_unverified_recipient' to the config.
That's generally the wrong question. You should be asking how to
simplify
your configuration, not add bells and whistles for no clear purpose.
Is that because of the packager just didn't want to add them or is
there a good
reason I can't figure out?
These restrictions only make (modest) sense on an outbound relay MTA
when internal
hosts are generating bounces to unreachable sender addresses, and you
don't want
to accept and queue mail for unreachable external recipients.
Otherwise, they
are not very useful. Perhaps another scenario (misconfiguration) is
if you
relay mail for arbitrary subdomains of an internal domain (don't do
that):
# Ideally empty, but for backwards compatible access(5) tables
# Allow dot-prefixless subdomain matching there.
#
parent_domain_matches_subdomains = smtpd_access_maps
# Do not list ".xyz.example" subtree wildcards.
#
relay_domains = foo.example, bar.example
--
Viktor.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
