Bob Proulx wrote:
mouss wrote:
Bob Proulx wrote:
I don't think that any of those should match and therefore is safe by
default.
the trouble comes from the default (compatibility) value of relay_domains and relay_recipient_maps. For this reason, it is recommended to set
parent_domain_matches_subdomains =
This parameter is deprecated and setting it to an empty value is now recommended.

But the default values for those are:

  relay_domains = $mydestination
  relay_recipient_maps =
Again, both of those should be safe enough.  Of course those come into
play when configuring virtual host domains and mx relays.  Certainly
at the point that someone sets that up then they would need specific
configuration along with it.  But by default it looks okay to me.

look at the value of parent_domain_matches_subdomains. It means every subdomain of a relay domain is a relay domain, and since you have relay_recipient_maps=, recipient validation is disabled for these subdomains (except those that are in mydestination).

these defaults are historical and should be overridden if you don't need compatibility...


but as you said, the postfix-users list is a better place...


It is also recommended to set relay_domains explicitly. and if you have the list of relay recipients, set relay_recipient_maps. otherwise, use reject_unverified_recipient in access checks (only for relay domains, not for every domain).

Unfortunately this is probably about as much drift off-topic onto mta
configuration that we should have on this list.
But thanks for the hints anyway.  It gives me a trail to follow.

Bob
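
The settings recommended in this thread, collected into one main.cf fragment as an added example (not part of the original messages). The domain relay.example.com and the file names under /etc/postfix are placeholders chosen for illustration.

```ini
# /etc/postfix/main.cf (illustrative fragment, placeholder names)

# --- Historical defaults discussed in the thread (shown commented out) ---
# relay_domains = $mydestination
# relay_recipient_maps =
# With relay_domains listed in the default value of
# parent_domain_matches_subdomains, every subdomain of a relay domain is
# also a relay domain, and the empty relay_recipient_maps means no
# recipient validation for those subdomains.

# --- Explicit settings ---
# Empty value: a domain pattern matches only itself. A subdomain that
# really should be relayed must then be listed, or written as
# ".relay.example.com" to cover all subdomains on purpose.
parent_domain_matches_subdomains =

# Name the relay domains explicitly instead of inheriting $mydestination.
relay_domains = relay.example.com

# Option A: the list of valid relay recipients is known.
# Entries look like "user@relay.example.com OK"; run postmap on the file
# after every edit.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Option B: no recipient list is available. Probe the next hop instead,
# but only for the relay domains, by attaching the restriction through a
# recipient access map rather than listing it globally.
# (Use this instead of Option A, not in addition to it.)
#
# smtpd_recipient_restrictions =
#     permit_mynetworks,
#     reject_unauth_destination,
#     check_recipient_access hash:/etc/postfix/verify_relay_rcpt
#
# /etc/postfix/verify_relay_rcpt then contains:
#     relay.example.com    reject_unverified_recipient
```

Running `postconf -n` afterwards lists the non-default values, which confirms that the three parameters are now set explicitly.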
