Re: using the character @ in the local part
- Thanks a lot for the help. There is no firewall messing with SMTP
inbetween. With both options
resolve_dequoted_address = no
allow_untrusted_routing = yes
it finally works. Because I don't have a backup MX, this set-up should
be fairly safe to use.
Am 03.01.2013 22:08, schrieb Wietse Venema:
> Michael Blessenohl:
>> I'm sorry, I'll try not to use my smartphone again to answer mails from
>> this list.
>> I ment using a remote machine as client to connect to the postfix server
>> as opposed to connect to the machine itself. I don't know why it does
>> matter, but apparently it does. Using the hostname, IP or localhost
>> makes no difference at all. That's the same for me.
> You may want to look into the following parameter.
> allow_untrusted_routing (default: no)
> Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
> from untrusted clients to destinations matching $relay_domains.
> By default, this feature is turned off. This closes a nasty
> open relay loophole where a backup MX host can be tricked
> into forwarding junk mail to a primary MX host which then spams
> it out to the world.
> Postfix flags an address with @ in the local-part as an address
> with sender-specified routing, regardless of whether it is quoted.
> Postfix will not relay such an address unless the above safety
> feature is turned off.
- Michael Blessenohl:
> The security issue is, as far as I understand, that a backup MX uses anCome on, don't be so naive. The backup MX scenario is an EXAMPLE
> @ in the local part for internal purposes. Which, in theory, can be
> exploited to use the server as open relay. As long as I don't use a
> backup MX, I don't have an open relay and everything is fine, isn't it?
of how @ in local-part can result in trouble. The same problem may
happen in ANY piece of software that decisions based on the content
of an email address.