Re: How Do I Whitelist a reject_unknown_sender_domain

  • Noel Jones
    Message 1 of 5 , Jun 30, 2006
      At 12:42 AM 7/1/2006, Devdas Bhagat wrote:
      >smtpd_recipient_restrictions =
      > reject_unauth_destination
      > check_sender_access
      > hash:/etc/postfix/sender_whitelist
      > reject_non_fqdn_sender
      >
      >should work too.

      Once you add in the missing permit_mynetworks, the above
      won't prevent internal users from using a bogus sender domain.

      If:
      a) you want to prevent internal users from using an unknown
      sender domain - a reasonable policy
      **and**
      b) you need to whitelist some bogus domain you must accept
      mail from
      the safest thing is to put the whitelist and
      reject_unknown_sender_domain under
      smtpd_sender_restrictions. (I mistakenly used
      reject_non_fqdn_sender in earlier examples, but the same
      principle applies). While it is possible to do this safely
      under smtpd_recipient_restrictions by using
      permit_auth_destination rather than OK, I think it best to
      not tempt fate.

      --
      Noel Jones
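
The layout described in the message above, written out as a Postfix configuration. This is an added example, not configuration posted by anyone in the thread; the domain `bogus-domain.invalid` is a constructed placeholder, and the alternative at the end assumes the same whitelist file is reused.

```conf
# /etc/postfix/main.cf  (added example)

# Sender checks live in their own list. An OK from the whitelist only
# ends THIS list; smtpd_recipient_restrictions is still evaluated
# afterwards, so a forged whitelisted sender cannot relay through you.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_whitelist
    reject_unknown_sender_domain

# No permit_mynetworks appears before reject_unknown_sender_domain above,
# so internal clients are also held to the "sender domain must resolve"
# policy. Relay control stays here, untouched by the whitelist.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# /etc/postfix/sender_whitelist
# Rebuild after editing: postmap hash:/etc/postfix/sender_whitelist
# bogus-domain.invalid is a constructed placeholder for the domain
# whose mail must be accepted even though it fails the DNS check.
#
#   bogus-domain.invalid    OK

# Alternative, kept in one list under smtpd_recipient_restrictions.
# Here the whitelist runs BEFORE reject_unauth_destination, so a plain
# OK would accept mail to any destination for anyone who forges the
# whitelisted sender. The map result must therefore be
# permit_auth_destination, which only permits mail addressed to
# destinations this server is already responsible for.
#
# smtpd_recipient_restrictions =
#     check_sender_access hash:/etc/postfix/sender_whitelist
#     reject_unknown_sender_domain
#     permit_mynetworks
#     reject_unauth_destination
#
# /etc/postfix/sender_whitelist for the alternative:
#
#   bogus-domain.invalid    permit_auth_destination
```

After reloading, `postconf -n` shows the effective restriction lists, which makes it easy to confirm that no `permit_mynetworks` precedes the sender-domain check.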
    • Devdas Bhagat
      Message 2 of 5 , Jul 1 12:01 AM
        On 01/07/06 01:21 -0500, Noel Jones wrote:
        > At 12:42 AM 7/1/2006, Devdas Bhagat wrote:
        > >smtpd_recipient_restrictions =
        > > reject_unauth_destination
        > > check_sender_access
        > >hash:/etc/postfix/sender_whitelist
        > > reject_non_fqdn_sender
        > >
        > >should work too.
        >
        > Once you add in the missing permit_mynetworks, the above
        > won't prevent internal users from using a bogus sender domain.
        >
        True. That can be handled with SASL authentication and
        smtpd_sender_login_maps. However, this is a policy decision and the
        choice to add a little bit more complexity to the configuration over
        controlling user configurations is left to the poster.

        Devdas Bhagat