On 21 Dec 2015, at 12:38, Alex wrote:
Perhaps the ordering of restrictions is not correct?
smtpd_client_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/client_checks,
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-042715a.pcre,
    check_reverse_client_hostname_access pcre:/etc/postfix/reverse_client_hostname_access.pcre,
    check_client_access cidr:/etc/postfix/client_access_blocklist
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
    reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
    reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:/etc/postfix/relay_recips_access,
    permit
smtpd_sender_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf,
    reject_unknown_sender_domain
It does not matter what order the various lists of restrictions have in
main.cf; they are always evaluated in the same order:
http://www.postfix.org/SMTPD_ACCESS_README.html#timing
Each restriction list is evaluated independently but a REJECT or DEFER
result from any list causes later lists to be skipped. Note that
http://www.postfix.org/SMTPD_ACCESS_README.html#lists does not say
OK/PERMIT from one list is carried forward to whitelist against
restrictions in later lists *because it is not.*
Individual restriction rules inside a list are evaluated in order, so
the above applies your check_sender_access whitelist inside
smtpd_sender_restrictions, protecting it from the
reject_unknown_sender_domain in that list. This allows the message to
proceed and be evaluated by the smtpd_recipient_restrictions list, which
has its own reject_unknown_sender_domain. You can tell that this is what
rejected your message by noting the log entry wording:
Dec 21 12:30:16 mail02 postfix/smtpd[1560]: NOQUEUE: reject: RCPT from
mailout.example.com[64.123.123.200]: 450 4.1.8
<u...@invalid.example.com>: Sender address rejected: Domain not found;
from=<u...@invalid.example.com> to=<notificat...@mydomain.com>
proto=ESMTP helo=<mailout.example.com>
Strictly speaking, the domain is not "invalid" (containing characters
not allowed in hostnames or otherwise technically malformed) but simply
"unknown" (not found in DNS). Presumably it has a dot in it so it's
nominally fully-qualified.
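The evaluation model the reply describes, as an added example that is not part of the thread and not Postfix code: a small Python simulation in which each restriction list is run in turn, the first OK/REJECT/DEFER ends its own list, and an OK is not carried into the next list. The domain data, the table contents and the "remedy" layout are constructed assumptions for the demonstration.

```python
# Constructed model of Postfix's smtpd restriction-list evaluation as the
# reply describes it: lists run in a fixed order; inside a list the first
# OK/REJECT/DEFER ends that list; REJECT/DEFER ends everything, but OK is
# not carried into later lists. Domain data and table contents are made up.
KNOWN_DOMAINS = {"example.com", "mydomain.com"}   # pretend these resolve in DNS
SENDER_CHECKS = {"invalid.example.com": "OK"}     # hash:sender_checks whitelist
DEFER_UNKNOWN = "DEFER 450 4.1.8 Sender address rejected: Domain not found"

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check_sender_access(msg):                     # table hit -> OK, else DUNNO
    return SENDER_CHECKS.get(domain_of(msg["sender"]))

def reject_unknown_sender_domain(msg):
    return None if domain_of(msg["sender"]) in KNOWN_DOMAINS else DEFER_UNKNOWN

def reject_unauth_destination(msg):
    if domain_of(msg["recipient"]) == "mydomain.com":
        return None
    return "REJECT 554 5.7.1 Relay access denied"

def evaluate_list(rules, msg):
    for rule in rules:
        result = rule(msg)
        if result is not None:          # OK, REJECT or DEFER ends this list
            return result
    return None                         # DUNNO: fall through to the next list

def evaluate(lists, msg):
    for name, rules in lists:           # fixed order, as in Postfix
        result = evaluate_list(rules, msg)
        if result not in (None, "OK"):
            return f"{name}: {result}"
    return "accepted"                   # an OK only ended its own list

# Layout as posted: the whitelist lives only in smtpd_sender_restrictions.
AS_POSTED = [
    ("smtpd_sender_restrictions", [check_sender_access, reject_unknown_sender_domain]),
    ("smtpd_recipient_restrictions", [reject_unauth_destination, reject_unknown_sender_domain]),
]
# Hypothetical remedy (not from the thread): repeat the whitelist lookup in the
# recipient list ahead of the reject that fires, but AFTER reject_unauth_destination
# so a whitelisted sender cannot use the host as a relay.
WHITELIST_IN_RECIPIENT = [
    AS_POSTED[0],
    ("smtpd_recipient_restrictions", [reject_unauth_destination, check_sender_access,
                                      reject_unknown_sender_domain]),
]
MSG = {"sender": "user@invalid.example.com", "recipient": "notification@mydomain.com"}
```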