Hi,
I hoped someone could clarify for me the difference between
check_sender_access and check_client_access? I don't know why the docs
are unclear to me.
When is a sender_access restriction used and when is a client_access
restriction used? I thought the client_access was based on the
envelope information (MAIL FROM:), but I've read so much contradictory
information that I'm confused.
If I wanted to block mail from a specific remote user, as we normally
think of the "From:" field, it would go in client_access, I believe.
sender_access would be based on the RCPT TO: information, then?
I'm not sure how the flow works; whether it's the client_access first
or sender_access, or vice-versa.
Would it be better to put check_sender_access in the
sender_restrictions instead? I currently have no sender_restrictions.
I have the following in my logs from yesterday that I'm concerned about:
Nov 10 00:06:33 smtp01 postfix_1/qmgr[12340]: 24A2B5603A6:
from=<i...@compensation.com>, size=3082, nrcpt=50 (qu
eue active)
Nov 10 00:06:33 smtp01 postfix_1/qmgr[12340]: 24A2B5603A6:
to=<mac...@yahoo.com>, relay=none, delay=14656, sta
tus=deferred (connect to b.mx.mail.yahoo.com[66.196.82.7]: server
refused mail service)
I removed all the active, defer'd and deferred files from the second
instance so they would no longer try to be delivered.
This is not good. We are not responsible for the compensation.com
domain. It also looks like there's 50 recipients, and the data from
the queue file is obvious spam. It also looks like yahoo has now
greylisted this server because it's refusing service, and other mail
servers have blocked us outright.
I know this mail came from 81.169.130.185, h1372645.stratoserver.net,
based on the information in the queue data, but the first occurrence I
can find of this IP address in the logs is embedded in the message-id.
There is no occurrence of this IP address in the pop-before-smtp logs,
so it didn't come from an authorized user there.
Below is my smtpd_recipient_restrictions again. Hopefully someone has
some ideas while I work on upgrading to a more recent version?
smtpd_recipient_restrictions =
reject_non_fqdn_sender
reject_non_fqdn_recipient
permit_mynetworks
check_client_access hash:/etc/postfix/pop-before-smtp
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_hostname
reject_unknown_sender_domain
# reject_unknown_recipient_domain
# reject_unauth_pipelining
check_client_access hash:/etc/postfix/client_checks
check_client_access pcre:/etc/postfix/client_checks.pcre
check_recipient_access pcre:/etc/postfix/recipient_checks
check_helo_access hash:/etc/postfix/helo_checks
check_sender_access hash:/etc/postfix/sender_checks
check_sender_access hash:/etc/postfix/disallow_my_domain
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
Below is the other relevant information from main.cf. Please excuse
the obscuring of my real domain with 'exxample.com' in its place.
mydestination = $myhostname, localhost.$mydomain, smtp0.exxample.com
mydomain = exxample.com
myhostname = smtp0.exxample.com
Thanks so much.
Best regards,
Alex
On Wed, Nov 11, 2009 at 12:05 PM, Alex <mysqlstud...@gmail.com> wrote:
> Hi,
>
>>> I'm still using postfix-1.x,
>>
>> Most people here would stop reading there and press/click delete (or
>> some might simply click 'Reply' and add the words 'upgrade').
>>
>> So... UPGRADE. It is time.
>
> Thanks for hitting me with the well-deserved clue-bat. Advice well taken.
>
> Now, what if I said I was still using bind-4? Heh, just joking :-)
>
> Thanks again,
> Alex
>
