Re: virtual_alias_domains accept mail for unknown domain
- On Thu, Oct 05, 2006 at 10:21:03AM +0700, beast wrote:
> >> check_recipient_access hash:/etc/postfix/local_domains,access(5) by default does parent domain matching, but you have a much
> > This likely permits the domain(s) in question. See
> > access(5).
> Correct, it contains all (acceptable) local domains as well as :
> example.com OK
> Do I need to remove smtpd_access_maps fromNo, you need to stop allowing relay access by sender address on an
> parent_domain_matches_subdomains, what would be the effect other than I
> need to explicitly to pt dot to match the subdomains?
MTA reachable via the public Internet. Your server is an open relay.
> >> check_sender_access ldap:outbound_restriction,Anyone forging the unobfuscated address is able to relay through your
> > This MUST not contain any "OK" rules, or you are an open relay,
> > but since it is pointless (given the "reject" below) unless
> > it does contain "OK" rules, it is wrong either way. Fix this
> > ASAP.
> root# postmap -q 'beast@...' ldap:outbound_restriction
> This was an internal server, which only accept mail submision using smtpYes, because your server is also connected to the public Internet.
> auth. Any user which has RELAY access will has permission to send email
> to the internet, otherwise it will reject.
> Did this still open a hole for open relay?
> On the external interface, I have tese config (master.cf) :These don't repair the inappropriate recipient rules. You need
> 192.168.0.2:smtp inet n - n - - smtpd
> -o smtpd_use_tls=no
> -o smtpd_sasl_auth_enable=no
> -o content_filter=viruswall:127.0.0.1:2500
> -o smtpd_client_restrictions=
> -o smtpd_sender_restrictions=
provided that on the external interface there are no clients that
may legitimately submit outbound email.
> -o disable_dns_lookups=yesThese have no effect and should be removed.
> -o syslog_facility=local5
> -o syslog_name=postext
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.