Am 15.06.2014 23:53, schrieb Eliezer Croitoru: > On 06/15/2014 11:11 PM, li...@rhsoft.net wrote: >> what you describe is*the minimum* requirement of a sane MTA >> you must not allow senders you would not accept incoming messages >> and no - there are no exceptions for whatever user > I am not sure you understand it but there is little doubt we are talking > about the same thing or not
i talk about how a mailserver should work * allow no unauthentciated relay * allow only own addresses as sender for authenticated users > The postix server is allowing for now to relay any email by from any email if > the user is locally authenticated. > Others are just blocked and the "from any mail" is wrong > A local user can send as itself... and as otherusern...@google.com which is wrong he must not send as @google.com > Other servers might not like it and will enforce SPF the same way this server > uses it if you setup your server correctly SPF or not don't matter just don't allow sender adresses you don't accept incoming mail for > I want to force only on authenticated users (since there are other automated > systems that rely on the service) a > rule that will force them to only use the local domains in the "From:" header > of the mail body you make a fundamental mistake here the From: header don't matter on SMTP level, read some basic docs for SMTP the envelope and only the envelope counts and there is no but or if - you are talking about SMTP and even if you don't realize it that means you are talking about envelopes but that has little to nothing to do with your question i answered how to control allowed senders > For now I enforce rate limiting and other means of enforcement on the service > usage to prevent and detect abnormal > usage and abuse of the local network SMTP relay service.(which works so good > that people who abuse it are stuck in > one sec to more then 24 hours no matter if they scream shout or anything > else...) complete different topic > For now the users and authenticate and send a mail as "u...@google.com" or > "u...@hotmail.com" since the SPF rules > of these providers allow a SOFT SPF enforcement you can't control who is threating soft / hard SPF how even if some domain is using soft SPF *anybody* is allowed to reject your messages pretending to be from that domain > I would like to harden the service one level up and not allow this unless > strictly > allowed by the admin of the service not related to SPF the part you strippe dfrom the quote ensures that you are not allow senders which you are not hosting - accept it or not: that is the only sane way and if you need exceptions add the addresses to the list of "reject_authenticated_sender_login_mismatch" and allow it
