gerrit wrote:
Hi All,
Recently i implemented the sender check. First i made a split for the
processing and put some restrictions under smtpd_sender_restrictions and
some under stmpd_recipient_restrictions.
This resulted in too many rejections, so i left the sender restrictions
emtpy and put all under the recipient restrictions.
smtpd_helo_restrictions =
reject_invalid_hostname
reject_non_fqdn_hostname
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
permit_mynetworks
put
reject_unauth_destination
here. never put reject_unauth_destination after maps that return OK
based on easily forged information (such as sender).
check_sender_access hash:/etc/postfix/sender_whitelist
check_recipient_access hash:/etc/postfix/recipient_whitelist
reject_unauth_destination
reject_unverified_sender
sender verification callbacks are not very appreciated. many people
consider them abusive. now every time a spammer hits your server with a
forged sender, you're hitting an innocent server. and you don't even
have anti-spam checks to mitigate this.
One question is now : In which order are the sender restrictions and
recipient restrictions applied ? So when a mail comes in, are first all
the rules applied from the recipient restrictions and
then the sender restrictions or just the other way ?
the other way, but why do you care? put all your restrictions under
smtpd_recipient_restrictions so that you don't need to repeat permit_*
checks.
Another question :
The mailserver (latest centos version 2.3.3) does virtual mailbox hosting.
I have a few "catch-all" network wide email adresses : postmaster@,
apache@ and some more. My goal is, if there isn't a explicit (real)
mailbox for a postmaster in a domain, then this catch-all has to catch
those mails.
But... Since i forward these now, i put a table under
virtual_alias_maps. But when a real mailbox is defined, the mail is
picked up by the virtual_alias_maps first since the processing order is
first virtual_alias_maps and then virtual_mailbox_maps.. Right ?
it's catch all, not catch some :)
you need to add "identity mappings" to your virtual_alias_maps:
[EMAIL PROTECTED] [EMAIL PROTECTED]
...
so that they don't get redirected to your catchall aliases.
Is there any way to work around this ? Putting the table with these
regular expressions under virtual_mailbox_maps at the end isn't a
solution, because this mapping does a mailbox lookup instead of
forwarding. Note : the mail are forwarded to a mailbox which is hosted
on the same server.
