Jonathan Tripathy: [The backup MX host accepts mail from forged local sender addresses, but the backup MX does not support SASL].
> > Actually, the MAILER-DAEMON message doesn't get queued at all! It just
> > discards it when it can't find the user (If the from address was
> > notarealaddr...@mydomain.com). So I guess it's all good...
>
> Oops I'm confusing myself here. The above is true if the spoofed from
> address was from my domain, but the user didn't exist. If the user is
> real, then that user gets the MAILER-DAEMON message..

a) Don't use a backup MX host. Really.

b) Don't accept mail "from your domain" on the backup MX host.

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access

/etc/postfix/sender_access:
    example.com reject

Or the equivalent if the machine does not run Postfix.

        Wietse
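
Added example, not part of the message above and not Postfix code: a simplified Python model of the access(5) lookup order that check_sender_access applies to an envelope sender, showing which senders the one-line sender_access table rejects on the backup MX. It assumes the default parent_domain_matches_subdomains setting (which lists smtpd_access_maps) and ignores address extensions; the function names and sample addresses are constructed for illustration.

```python
# Simplified model of access(5) lookups for check_sender_access.
# Assumption: default parent_domain_matches_subdomains, so the key
# "example.com" also covers its subdomains.

# Constructed copy of the sender_access table from the message above.
SENDER_ACCESS = {"example.com": "reject"}

NULL_SENDER_KEY = "<>"  # default smtpd_null_access_lookup_key


def lookup_keys(sender):
    """Yield table keys in the order access(5) documents for mail addresses."""
    sender = sender.strip().lower()
    if sender in ("", "<>"):
        yield NULL_SENDER_KEY          # bounces carry the null sender
        return
    user, _, domain = sender.rpartition("@")
    yield f"{user}@{domain}"           # user@domain
    labels = domain.split(".")
    for i in range(len(labels)):       # domain, then each parent domain
        yield ".".join(labels[i:])
    yield f"{user}@"                   # user@


def sender_action(sender, table=SENDER_ACCESS):
    """Return the first matching action (upper-cased), or DUNNO if none."""
    for key in lookup_keys(sender):
        if key in table:
            return table[key].upper()
    return "DUNNO"


def audit(senders, table=SENDER_ACCESS):
    """Map each envelope sender to the action the table would yield."""
    return {s: sender_action(s, table) for s in senders}


# Constructed envelope senders a backup MX might see.
SAMPLES = [
    "alice@example.com",         # local-domain sender, forged or real
    "notarealaddr@example.com",  # nonexistent local user
    "bob@mail.example.com",      # subdomain of the local domain
    "carol@example.org",         # unrelated domain
    "eve@notexample.com",        # look-alike suffix, different domain
    "<>",                        # null sender used by bounces
]

if __name__ == "__main__":
    for sender, action in audit(SAMPLES).items():
        print(f"{action:7} {sender}")
```

The null sender is not matched by the example.com entry, so bounce messages arriving with "<>" are still governed by whatever other restrictions the backup MX applies.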