Jonathan Tripathy:
[The backup MX host accepts mail from forged local sender
addresses, but the backup MX does not support SASL].

> > Actually, the MAILER-DAEMON message doesn't get queued at all! It just 
> > discards it when it can't find the user (If the from address was 
> > notarealaddr...@mydomain.com). So I guess it's all good...
> 
> Oops I'm confusing myself here. The above is true if the spoofed from 
> address was from my domain, but the user didn't exist. If the user is 
> real, then that user gets the MAILER-DAEMON message..

a) Don't use a backup MX host. Really.

b) Don't accept mail "from your domain" on the backup MX host.

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access

/etc/postfix/sender_access:
    example.com reject

Or the equivalent if the machine does not run Postfix.

        Wietse
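
An added illustration, not part of the message above and not Postfix code: a simplified Python model of the access(5) lookup order that check_sender_access applies, showing which envelope senders the one-line table rejects. It assumes the default parent_domain_matches_subdomains setting (a bare domain key also matches subdomains); the function names and sample senders are constructed for this example.

```python
# Simplified model of the access(5) lookup order used by check_sender_access.
# Assumption: default parent_domain_matches_subdomains (includes
# smtpd_access_maps), so a bare domain key also matches its subdomains.
# This is an illustration, not Postfix source code.

SENDER_ACCESS = {"example.com": "reject"}  # the table from the message above


def lookup_keys(sender):
    """Yield the keys tried for an envelope sender, in lookup order."""
    sender = sender.strip().lower()      # lookup keys are case-folded
    if sender in ("", "<>"):
        yield "<>"                       # default smtpd_null_access_lookup_key
        return
    local, _, domain = sender.rpartition("@")
    yield sender                         # user@domain
    labels = domain.split(".")
    for i in range(len(labels)):         # domain, then each parent domain
        yield ".".join(labels[i:])
    yield local + "@"                    # user@


def sender_action(sender, table=SENDER_ACCESS):
    """Return the first matching action, or 'DUNNO' when no key matches."""
    for key in lookup_keys(sender):
        if key in table:
            return table[key].upper()
    return "DUNNO"


# Constructed sample envelope senders (MAIL FROM values)
SAMPLES = [
    "realuser@example.com",       # existing local user, forged from outside
    "notarealaddr@example.com",   # nonexistent local user
    "user@mail.example.com",      # subdomain of the listed domain
    "user@notexample.com",        # different domain, shared suffix only
    "<>",                         # null sender, as used by bounces
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28} {sender_action(s)}")
```

The null sender is looked up under its own key, so bounces are not matched by the `example.com` entry.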
