
Sender Verification

  • Brad C
    Message 1 of 6 , Jun 1, 2007
      Hey There,

      I'm not sure if I'm on the right track. With sender verification, in my mind it would be logical to do an MX lookup of the domain in the "mail from:" field, connect to that server and do a check that way to see if the user exists, but I think Postfix in my instance is connecting to the exact same server that is connecting to it. This is great 80% of the time, as most people relay mail out the same server they receive on, but the other 20% relay out through other mail servers, which don't have their accounts located on them... Is there something I'm missing.. (brain) :)

      Here is my config ( currently hashed out )
      # Sender Verification - Brad 29/05/2007
      smtpd_sender_restrictions = reject_unknown_sender_domain,
              hash:/etc/postfix/access,
              permit_mynetworks,
              check_sender_access hash:/etc/postfix/domain.whitelist,
      #        warn_if_reject reject_unverified_sender,
              reject_unverified_sender,
      #       address_verify_map = btree:/var/spool/postfix/verify

      Pointers would be most welcome,
      BraD

    • Willem de Groot
      Message 2 of 6 , Jun 1, 2007
        On 6/1/07, Brad C <bradleydanecook@...> wrote:
        > exists, but I think postfix is in my instance is connecting the the exact
        > same server that is connecting to it,

        It shouldn't... Please check your maillogs for proof of this behaviour!

        Willem
      • Brad C
        Message 3 of 6 , Jun 1, 2007
          Hello Willem

          The bounce message:
          /var/log/maillog:May 30 15:57:56 mail postfix/smtpd[1667]: NOQUEUE: reject: RCPT from ctb-mesg-2-2.saix.net[196.25.240.87]: 450 <noshc(at)telkomsa.net>: Sender address rejected: unverified address: Address verification in progress; from=<noshc(at)telkomsa.net> to=< jon@...> proto=ESMTP helo=<ctb-mesg-2-2.saix.net>

          I know that ctb-mesg-2-2.saix.net is a relay-out only for telkomsa.net

          Dig mx on the sender's domain telkomsa.net.
          305     IN      MX      10 mail.telkomsa.net

          So I manually checked that the email address exists..
          telnet mail.telkomsa.net 25
          Trying 196.25.211.150...
          Connected to mail.telkomsa.net.
          Escape character is '^]'.
          220 telkomsa.net ESMTP Welcome to the TelkomSA SMTP Server.
          ehlo mail.finescrap.co.za
          250-telkomsa.net Welcome to the TelkomSA SMTP Server.
          250-PIPELINING
          250-SIZE 11048576
          250-DATAZ
          250 8BITMIME
          mail from: jon(at)finescrap.co.za
          250 ok
          rcpt to: noshc(at)telkomsa.net
          250 ok

          Hmm... what am I missing?
          Here is my sender verification config.

          smtpd_sender_restrictions = reject_unknown_sender_domain,
                  hash:/etc/postfix/access,
                  permit_mynetworks,
                  check_sender_access hash:/etc/postfix/domain.whitelist,
          #        warn_if_reject reject_unverified_sender,
                  reject_unverified_sender,
          #       address_verify_map = btree:/var/spool/postfix/verify

          Kind Regards
          Brad

          On 6/1/07, Willem de Groot <willem@...> wrote:
          On 6/1/07, Brad C <bradleydanecook@...> wrote:
          > exists, but I think postfix is in my instance is connecting the the exact
          > same server that is connecting to it,

          It shouldn't... Please check your maillogs for proof of this behaviour!

          Willem

        • Willem de Groot
          Message 4 of 6 , Jun 1, 2007
            On 6/1/07, Brad C <bradleydanecook@...> wrote:
            > /var/log/maillog:May 30 15:57:56 mail postfix/smtpd[1667]: NOQUEUE: reject:
            > RCPT from ctb-mesg-2-2.saix.net[196.25.240.87]: 450 <noshc(at)telkomsa.net>:
            > Sender address rejected: unverified address: Address verification in
            > progress; from=<noshc(at)telkomsa.net> to=< jon@...> proto=ESMTP
            > helo=<ctb-mesg-2-2.saix.net>
            >
            > I know that ctb-mesg-2-2.saix.net is a relay out only for an telkomsa.net

            This is not the sender verification itself. This is only the result of
            the verification still being in progress. The SAV is another mail
            (with its own queue id).

            Grep your logs for telkomsa.net.

            Willem
          • Wietse Venema
            Message 5 of 6 , Jun 1, 2007
              Brad C:
              > Hey There,
              >
              > Im not sure if im on the right track, with sender verification in my mind it
              > would be logical to do a MX lookup of the domain in the " mail from: "
              > field, connect to that server and do a check that way too see if the user
              > exists, but I think postfix is in my instance is connecting the the exact
              > same server that is connecting to it,

              Please do not spread false information.

              Postfix sends a SEPARATE email message into the mail queue, and
              then connects to the mail server(s) of the sender's domain.

              To find these messages, search the maillog file for

              $ grep status=deliverable /var/log/maillog
              $ grep status=undeliverable /var/log/maillog

              Only broken servers connect to the SMTP client for verification.

              Wietse
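
The log correlation Willem and Wietse describe above, as an added example that is not part of the original thread: it pairs each "Address verification in progress" deferral with the separate probe delivery and shows which host the probe actually contacted. The log lines, addresses and the `correlate` function name are constructed for illustration.

```python
import re

# Constructed sample maillog (documentation domains and addresses, not from the thread).
SAMPLE_LOG = """\
Jun  1 10:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from relay-out.example.net[192.0.2.87]: 450 <alice@example.org>: Sender address rejected: unverified address: Address verification in progress; from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<relay-out.example.net>
Jun  1 10:00:03 mail postfix/smtp[2105]: 4C1F02A0B1: to=<alice@example.org>, relay=mx.example.org[198.51.100.150]:25, delay=1.9, status=deliverable (250 ok)
Jun  1 10:02:10 mail postfix/smtpd[2110]: NOQUEUE: reject: RCPT from relay-out.example.net[192.0.2.87]: 450 <mallory@example.org>: Sender address rejected: unverified address: Address verification in progress; from=<mallory@example.org> to=<bob@example.com> proto=ESMTP helo=<relay-out.example.net>
Jun  1 10:02:12 mail postfix/smtp[2113]: 7D3A92A0C4: to=<mallory@example.org>, relay=mx.example.org[198.51.100.150]:25, delay=1.2, status=undeliverable (host mx.example.org[198.51.100.150] said: 550 no such user (in reply to RCPT TO command))
Jun  1 10:05:30 mail postfix/smtpd[2120]: NOQUEUE: reject: RCPT from relay-out.example.net[192.0.2.87]: 450 <carol@example.org>: Sender address rejected: unverified address: Address verification in progress; from=<carol@example.org> to=<bob@example.com> proto=ESMTP helo=<relay-out.example.net>
"""

# smtpd line: the 450 deferral issued while a probe is still outstanding.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"\d{3} (?:\d\.\d+\.\d+ )?<(?P<sender>[^>]+)>: Sender address rejected: unverified address")
# Delivery-agent line for the probe: it has its own queue id and a relay chosen by normal routing.
PROBE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>,.*?"
    r"relay=(?P<relay>[^,\[]+)(?:\[(?P<ip>[^\]]+)\])?.*?"
    r"status=(?P<status>deliverable|undeliverable)")

def correlate(log_text):
    """Pair every deferred sender with its probe result and the relay the probe used."""
    clients, probes = {}, {}
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            clients.setdefault(m["sender"].lower(), m["ip"])
            continue
        m = PROBE.search(line)
        if m:
            probes[m["rcpt"].lower()] = (m["qid"], m["relay"], m["ip"], m["status"])
    report = []
    for sender, client_ip in clients.items():
        qid, relay, relay_ip, status = probes.get(sender, (None, None, None, "pending"))
        report.append({
            "sender": sender, "client_ip": client_ip, "probe_qid": qid,
            "probe_relay": relay, "probe_relay_ip": relay_ip, "status": status,
            # True would mean the probe was sent back to the connecting client.
            "probe_went_to_client": relay_ip is not None and relay_ip == client_ip,
        })
    return report

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```
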
            • Jan P. Kessler
              Message 6 of 6 , Jul 4 1:15 AM
                Brad C wrote:
                > Hey There,
                >
                > but I think postfix is in my instance is connecting the the exact same
                > server that is connecting to it
                No, assuming you did not configure any strange probe transports (see
                http://www.postfix.org/ADDRESS_VERIFICATION_README.html#probe_routing )
                it uses the normal mail delivery mechanisms (which includes mx lookups).
                > , this is great 80% of the time as most people relay mail out the same
                > server they receive on, but the other 20% relay out other mail server,
                > which dont have their accounts located on them... is there something
                > im missing.. (brain) :)
                No, anything else would have been 100% crap ;-)
                >
                > Here is my config ( currently hashed out )
                > # Sender Verification - Brad 29/05/2007
                > smtpd_sender_restrictions = reject_unknown_sender_domain,
                > hash:/etc/postfix/access,
                > permit_mynetworks,
                > check_sender_access hash:/etc/postfix/domain.whitelist,
                > # warn_if_reject reject_unverified_sender,
                > reject_unverified_sender,
                > # address_verify_map = btree:/var/spool/postfix/verify
                >
                If your domain.whitelist contains any OK or PERMIT actions you will
                become an open-relay for anyone claiming to come from these domains
                (sender address forging is really easy). Put reject_unauth_destination
                somewhere before and really do not try to verify every sender address.
                This is dangerous and could be used to attack others through your host.