-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 20-12-13 20:54, Bernardo Pons wrote: > On these days where theft of credentials of legitimate e-mail > server users in order to send spam checking the MAIL FROM: using > smtpd_reject_unlisted_sender would be a helping Postfix feature. > > Perhaps it is a misunderstanding from my side about the actual > meaning of parameter smtpd_reject_unlisted_sender but if > "smtpd_reject_unlisted_sender = yes" is present on main.cf... > > How is it possible for an user to send an mail from an unknown > sender addresses neither listed in virtual nor canonical? > > The user is connecting to the smtp server and authenticates itself > correctly but he's sending e-mails from an absolutely alien e-mail > address (both user and domain part of the e-mail address) > > If the authenticated user tries to send e-mail from a non-existent > e-mail address (user part) of a local domain the e-mail is rejected > but if he/she uses a non-existent e-mail address of an alien domain > the e-mail message is accepted by smtpd server. > > Shouldn't ALL those mails be rejected by smtpd? >
The problem is that postfix cannot look up localparts for domains that are not hosted locally. For domains that the server is configured to handle using local/virtual/etc, the localparts are also available (i.e. 'listed'). For random offsite domains, the localpart cannot be verified other than using a VRFY call, which is disable at most sites because it enabled spammers to verify existance of addresses, and usage is considered abusive by many admins. In order to force authenticated senders to use a limited set of MAIL FROM addresses, you'll probably need to use reject_sender_login_mismatch in smtpd_mumble_restrictions. Regards, Tom -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJStKTaAAoJEJPfMZ19VO/1o5sQAJZlWimP2XWy6Ion5NvZtn3v BIxvWuHQSvaytAeL6NyrjjL3eA+p9z8WpOqj1IUZGjL2Egvag8vU34HM8a64gRCF Js8WlE5vop6yLDyDgmo8BdTDLmy00YI67jXCEWFn/H9ivTp8fbRL8QjWw+tDFWNB bPJmWVRx43Qbf5TTl/H2idi/ZTftMIYDaL7cZ7pgG1w2o69r2bzj/uv/bKL7/Mvr niKM4Rcw+zkvOVS9DmEfge8Eh7ZTHPL2nsQm4+pTkk1tgxgjW602i9mgfvjVK/CV o073sF1lbfvMV/77Wm+dSoi4i7nC0A/A7sS4HXpRku9KNoSVfj+gJV2cb1ft5/6F QnyRi/m33654SyzWvChC4UZWg3NleoAnwHTxfIYnoTCiEwdRzk7PczINuXkIZfDC fpZmtu4DSs9jHMCuEA7On0lgDOxdwBCJz3guk3rxOcWvC+2m38vXW9txcjNgfeoE QimyLC1d2sAQV7PVvPpquHmgJQyiiD536WDMwT2V05W13jXSZ7fwEUuXDb29/EIS 2O7dpYe/BiWut7gCwgdbU5jfVxgaJESIPp3kmsI4Zn/nViJH5cR2HaScLSWBjCdz Bf3bVc3FYSZrXCRZyp6bc6ZFNJGCcIo4jmvawZEBSl2ToFTMUSDyG01NFHwu1csN Oll9fk0E/wxupS2/TJKM =OH5l -----END PGP SIGNATURE-----