Jim Wright wrote:
On Jan 26, 2009, at 4:05 PM, Paweł Leśniak wrote:

I may be wrong, but I think I should not block sender on helo basis?

Most of what will be blocked are zombie systems that send no legitimate mail, a very small number of legitimate mails 'may' be blocked. It's a personal preference, I bounce these with unknown_hostname_reject_code = 450 in case it's a transient error on their end.
OK
As you've suggested I've changed smtpd_recipient_restrictions to include reject_unknown_*_hostname, so now I have:
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/spam_lovers.map,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_unauth_destination,
    reject_unlisted_sender,
    check_sender_access hash:/etc/postfix/restricted_senders.map,
    reject_sender_login_mismatch,
    check_client_access pcre:/etc/postfix/check_client_fqdn.pcre,
    check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
    check_recipient_access hash:/etc/postfix/restricted_recipients.map,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/policy,
    check_greylist,
    reject_unauth_pipelining
    permit

The default action of reject_unknown_*_hostname is 450, so the sender's mailer should try to deliver the message again after some time. As far as I can see now in my logs, nothing like this happens. Mostly, mails rejected (for future delivery) are being sent in bulks of 4 emails at once to different email addresses. This almost definitely solves my problem for now. No more forged returned mails right now (after 13 hours of tests). And if something bad happens (when some mail gets rejected for future delivery) I hope I'll be able to find it.

Thank you for your help

Regards

Pawel Lesniak
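
Added example (not part of the original message): a Python sketch for finding deferred mail that was retried, which is how a legitimate mailer caught by the 450 hostname checks would show up in the log. The sample lines are constructed and modelled on Postfix's "NOQUEUE: reject: RCPT from" logging; treating a repeated (client IP, sender, recipient) triple as a retry is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on Postfix smtpd reject log lines.
SAMPLE_LOG = """\
Jan 27 03:10:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<x@bulk.example> to=<u1@example.org> proto=SMTP helo=<pc-1234>
Jan 27 03:10:01 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<x@bulk.example> to=<u2@example.org> proto=SMTP helo=<pc-1234>
Jan 27 03:10:02 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<x@bulk.example> to=<u3@example.org> proto=SMTP helo=<pc-1234>
Jan 27 03:10:02 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<x@bulk.example> to=<u4@example.org> proto=SMTP helo=<pc-1234>
Jan 27 03:20:15 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 450 4.7.1 <mailhost.local>: Helo command rejected: Host not found; from=<alice@partner.example> to=<bob@example.org> proto=ESMTP helo=<mailhost.local>
Jan 27 03:50:17 mx postfix/smtpd[2139]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 450 4.7.1 <mailhost.local>: Helo command rejected: Host not found; from=<alice@partner.example> to=<bob@example.org> proto=ESMTP helo=<mailhost.local>
Jan 27 03:51:02 mx postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<y@spam.example> to=<u1@example.org> proto=SMTP helo=<foo>
"""

# Only 450 rejects caused by the client-hostname or HELO-hostname checks.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"450 \S+ .*?(?:Client host|Helo command) rejected: .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def hostname_deferrals(log_text):
    """Group 450 hostname rejects by (client IP, sender, recipient)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            key = (m["ip"], m["sender"].lower(), m["rcpt"].lower())
            attempts[key].append(line[:15])  # syslog timestamp
    return attempts

def triage(log_text):
    """Split deferrals into retried triples and one-shot counts per IP."""
    attempts = hostname_deferrals(log_text)
    retried = {k: ts for k, ts in attempts.items() if len(ts) > 1}
    one_shot = Counter(k[0] for k, ts in attempts.items() if len(ts) == 1)
    return retried, one_shot

if __name__ == "__main__":
    retried, one_shot = triage(SAMPLE_LOG)
    for (ip, sender, rcpt), ts in retried.items():
        print(f"RETRIED  {ip} {sender} -> {rcpt} at {', '.join(ts)}")
    for ip, n in one_shot.items():
        print(f"one-shot {ip}: {n} deferred recipient(s), no retry seen")
```

Retried entries are the ones to review by hand; one-shot bursts to several recipients match the non-retrying behaviour described in the message above.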
