On 2021-11-09 at 09:23:13 UTC-0500 (Tue, 9 Nov 2021 14:23:13 +0000)
White, Daniel E. (GSFC-770.0)[NICS] <daniel.e.wh...@nasa.gov>
is rumored to have said:

> Clarifying:
>
> The relay did not reject the message. The MDA did the rejection. Is this correct?

Yes. LOCAL_MDA replied with a 4xx code, indicating to the relay that the rejection was possibly transient, i.e. that trying the exact same message the exact same way a little later might work without human intervention.

That is itself probably an incorrect configuration. If you control LOCAL_MDA you should fix it so that it sends a 5xx reply code for unauthorized relay attempts, unless the rejection really might be transient.

> How do I stop the empty sender address at the relay?

The empty sender address is the only correct sender for a non-delivery notification message. If something can't handle a standard NDN, the reasonable fix is not to generate improper NDNs, it is to either not generate NDNs or to figure out some way to handle them.

If you think you can't remove the scanner from $mynetworks you may be even less willing to consider removing permit_mynetworks from your configuration altogether, but that's really the core of the best solution. NOTHING should be allowing SMTP relay based on IP addresses in 2021, even inside RFC1918 networks. Anything sending mail that can't do proper authentication at initial submission is unfit for sending mail at all. Whatever legitimate mail actually travels via your "relay" and then to "LOCAL_MDA" probably should be skipping the relay altogether and talking directly to LOCAL_MDA with authentication.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
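
An added example, not part of the message above and not code from the Postfix project: a small audit script that reports where a Postfix main.cf still authorizes clients by IP address through permit_mynetworks, and which non-loopback networks that trust covers. The sample configuration is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample main.cf text, not the poster's configuration.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
    192.168.10.0/24
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_client_restrictions = reject_unknown_client_hostname
"""

def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}, joining continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments do not end a continuation
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
        else:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def non_loopback_networks(mynetworks):
    """Return mynetworks entries that are not loopback; lookup tables count as unknown."""
    risky = []
    for entry in re.split(r"[,\s]+", mynetworks.strip()):
        if not entry or entry.startswith("!"):
            continue  # "!" entries are exclusions, not grants
        try:
            net = ipaddress.ip_network(entry.strip("[]").replace("]", ""), strict=False)
        except ValueError:
            risky.append(entry)  # e.g. a hash: or cidr: table that is not inspected here
            continue
        if not net.is_loopback:
            risky.append(entry)
    return risky

def audit(text):
    """List (restriction parameter, non-loopback networks) wherever permit_mynetworks appears."""
    params = parse_main_cf(text)
    unset = ["(mynetworks unset: Postfix default applies)"]
    risky = non_loopback_networks(params["mynetworks"]) if "mynetworks" in params else unset
    return [(name, risky) for name, value in params.items()
            if re.fullmatch(r"smtpd_\w+_restrictions", name)
            and "permit_mynetworks" in re.split(r"[,\s]+", value)]
```

An empty result from `audit()` means no smtpd restriction list in the file grants access by client address; a non-empty network list shows which hosts can relay without authenticating.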
