
smtpd_{recipient,relay}_restrictions for sendmail?

  • Nilesh Govindrajan
    Message 1 of 10 , Dec 4, 2013
      I have a postfix server configured with following restrictions -

      smtpd_reject_unlisted_sender = yes

      smtpd_relay_restrictions = reject_unverified_recipient,
      permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
      reject

      smtpd_recipient_restrictions =
      reject_rbl_client zen.spamhaus.org, reject_rbl_client
      bl.spamcop.net, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
      dbl.spamhaus.org,
      reject_unknown_recipient_domain, reject_unlisted_recipient,
      reject_unverified_recipient, permit

      smtpd_sender_restrictions = permit_mynetworks,
      reject_sender_login_mismatch, reject_unknown_sender_domain,
      reject_unlisted_sender, warn_if_reject reject_unverified_sender, permit

      ------------------

      When I try to send mail using telnet to a failing address (aka
      unverified) it properly fails.
      But when PHP sends mail (which uses sendmail -t -i), it queues the mail.

      What am I missing?
    • Noel Jones
      Message 2 of 10 , Dec 4, 2013
        On 12/4/2013 12:24 PM, Nilesh Govindrajan wrote:
        > I have a postfix server configured with following restrictions -
        >
        > smtpd_reject_unlisted_sender = yes
        >
        > smtpd_relay_restrictions = reject_unverified_recipient,
        > permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
        > reject
        >
        > smtpd_recipient_restrictions =
        > reject_rbl_client zen.spamhaus.org, reject_rbl_client
        > bl.spamcop.net, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
        > dbl.spamhaus.org,
        > reject_unknown_recipient_domain, reject_unlisted_recipient,
        > reject_unverified_recipient, permit
        >
        > smtpd_sender_restrictions = permit_mynetworks,
        > reject_sender_login_mismatch, reject_unknown_sender_domain,
        > reject_unlisted_sender, warn_if_reject reject_unverified_sender, permit
        >
        > ------------------
        >
        > When I try to send mail using telnet to a failing address (aka
        > unverified) it properly fails.
        > But when PHP sends mail (which uses sendmail -t -i), it queues the mail.
        >
        > What am I missing?
        >


        Note that sendmail(1) is not an SMTP interface.



        -- Noel Jones
      • Nilesh Govindrajan
        Message 3 of 10 , Dec 4, 2013

          That's what I concluded. Posted just to clear my doubt.
          What's the fix or workaround? All php applications use the mail function.

          On 05-Dec-2013 12:02 am, "Noel Jones" <njones@...> wrote:
          On 12/4/2013 12:24 PM, Nilesh Govindrajan wrote:
          > I have a postfix server configured with following restrictions -
          >
          > smtpd_reject_unlisted_sender = yes
          >
          > smtpd_relay_restrictions = reject_unverified_recipient,
          > permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
          > reject
          >
          > smtpd_recipient_restrictions =
          >         reject_rbl_client zen.spamhaus.org, reject_rbl_client
          > bl.spamcop.net, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
          > dbl.spamhaus.org,
          >         reject_unknown_recipient_domain, reject_unlisted_recipient,
          > reject_unverified_recipient, permit
          >
          > smtpd_sender_restrictions = permit_mynetworks,
          > reject_sender_login_mismatch, reject_unknown_sender_domain,
          > reject_unlisted_sender, warn_if_reject reject_unverified_sender, permit
          >
          > ------------------
          >
          > When I try to send mail using telnet to a failing address (aka
          > unverified) it properly fails.
          > But when PHP sends mail (which uses sendmail -t -i), it queues the mail.
          >
          > What am I missing?
          >


          Note that sendmail(1) is not an SMTP interface.



            -- Noel Jones
        • Nilesh Govindrajan
          Message 4 of 10 , Dec 4, 2013

            On 05-Dec-2013 12:03 am, "Nilesh Govindrajan" <me@...> wrote:

            >
            > That's what I concluded. Posted just to clear my doubt.
            > What's the fix or workaround? All php applications use the mail function.
            >
            > On 05-Dec-2013 12:02 am, "Noel Jones" <njones@...> wrote:
            >>
            >> On 12/4/2013 12:24 PM, Nilesh Govindrajan wrote:
            >> > I have a postfix server configured with following restrictions -
            >> >
            >> > smtpd_reject_unlisted_sender = yes
            >> >
            >> > smtpd_relay_restrictions = reject_unverified_recipient,
            >> > permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
            >> > reject
            >> >
            >> > smtpd_recipient_restrictions =
            >> >         reject_rbl_client zen.spamhaus.org, reject_rbl_client
            >> > bl.spamcop.net, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
            >> > dbl.spamhaus.org,
            >> >         reject_unknown_recipient_domain, reject_unlisted_recipient,
            >> > reject_unverified_recipient, permit
            >> >
            >> > smtpd_sender_restrictions = permit_mynetworks,
            >> > reject_sender_login_mismatch, reject_unknown_sender_domain,
            >> > reject_unlisted_sender, warn_if_reject reject_unverified_sender, permit
            >> >
            >> > ------------------
            >> >
            >> > When I try to send mail using telnet to a failing address (aka
            >> > unverified) it properly fails.
            >> > But when PHP sends mail (which uses sendmail -t -i), it queues the mail.
            >> >
            >> > What am I missing?
            >> >
            >>
            >>
            >> Note that sendmail(1) is not an SMTP interface.
            >>
            >>
            >>
            >>   -- Noel Jones

            Sorry for top posting. Stupid Gmail app.

          • Noel Jones
            Message 5 of 10 , Dec 4, 2013
              On 12/4/2013 12:33 PM, Nilesh Govindrajan wrote:
              > That's what I concluded. Posted just to clear my doubt.
              > What's the fix or workaround? All php applications use the mail
              > function.


              Change your PHP to use SMTP or a sendmail-compatible wrapper such as
              mini_smtp rather than sendmail(1).


              -- Noel Jones




              >
              > On 05-Dec-2013 12:02 am, "Noel Jones" <njones@...
              > <mailto:njones@...>> wrote:
              >
              > On 12/4/2013 12:24 PM, Nilesh Govindrajan wrote:
              > > I have a postfix server configured with following restrictions -
              > >
              > > smtpd_reject_unlisted_sender = yes
              > >
              > > smtpd_relay_restrictions = reject_unverified_recipient,
              > > permit_mynetworks, permit_sasl_authenticated,
              > permit_auth_destination,
              > > reject
              > >
              > > smtpd_recipient_restrictions =
              > > reject_rbl_client zen.spamhaus.org
              > <http://zen.spamhaus.org>, reject_rbl_client
              > > bl.spamcop.net <http://bl.spamcop.net>, reject_rhsbl_helo
              > dbl.spamhaus.org <http://dbl.spamhaus.org>, reject_rhsbl_sender
              > > dbl.spamhaus.org <http://dbl.spamhaus.org>,
              > > reject_unknown_recipient_domain,
              > reject_unlisted_recipient,
              > > reject_unverified_recipient, permit
              > >
              > > smtpd_sender_restrictions = permit_mynetworks,
              > > reject_sender_login_mismatch, reject_unknown_sender_domain,
              > > reject_unlisted_sender, warn_if_reject
              > reject_unverified_sender, permit
              > >
              > > ------------------
              > >
              > > When I try to send mail using telnet to a failing address (aka
              > > unverified) it properly fails.
              > > But when PHP sends mail (which uses sendmail -t -i), it queues
              > the mail.
              > >
              > > What am I missing?
              > >
              >
              >
              > Note that sendmail(1) is not an SMTP interface.
              >
              >
              >
              > -- Noel Jones
              >
            • Nilesh Govindrajan
              Message 6 of 10 , Dec 4, 2013

                On 05-Dec-2013 12:09 am, "Noel Jones" <njones@...> wrote:

                >
                > On 12/4/2013 12:33 PM, Nilesh Govindrajan wrote:
                > > That's what I concluded. Posted just to clear my doubt.
                > > What's the fix or workaround? All php applications use the mail
                > > function.
                >
                >
                > Change your PHP to use SMTP or a sendmail-compatible wrapper such as
                > mini_smtp rather than sendmail(1).
                >
                >
                >   -- Noel Jones
                >
                >
                >
                >
                > >
                > > On 05-Dec-2013 12:02 am, "Noel Jones" <njones@...
                > > <mailto:njones@...>> wrote:
                > >
                > >     On 12/4/2013 12:24 PM, Nilesh Govindrajan wrote:
                > >     > I have a postfix server configured with following restrictions -
                > >     >
                > >     > smtpd_reject_unlisted_sender = yes
                > >     >
                > >     > smtpd_relay_restrictions = reject_unverified_recipient,
                > >     > permit_mynetworks, permit_sasl_authenticated,
                > >     permit_auth_destination,
                > >     > reject
                > >     >
                > >     > smtpd_recipient_restrictions =
                > >     >         reject_rbl_client zen.spamhaus.org
                > >     <http://zen.spamhaus.org>, reject_rbl_client
                > >     > bl.spamcop.net <http://bl.spamcop.net>, reject_rhsbl_helo
                > >     dbl.spamhaus.org <http://dbl.spamhaus.org>, reject_rhsbl_sender
                > >     > dbl.spamhaus.org <http://dbl.spamhaus.org>,
                > >     >         reject_unknown_recipient_domain,
                > >     reject_unlisted_recipient,
                > >     > reject_unverified_recipient, permit
                > >     >
                > >     > smtpd_sender_restrictions = permit_mynetworks,
                > >     > reject_sender_login_mismatch, reject_unknown_sender_domain,
                > >     > reject_unlisted_sender, warn_if_reject
                > >     reject_unverified_sender, permit
                > >     >
                > >     > ------------------
                > >     >
                > >     > When I try to send mail using telnet to a failing address (aka
                > >     > unverified) it properly fails.
                > >     > But when PHP sends mail (which uses sendmail -t -i), it queues
                > >     the mail.
                > >     >
                > >     > What am I missing?
                > >     >
                > >
                > >
                > >     Note that sendmail(1) is not an SMTP interface.
                > >
                > >
                > >
                > >       -- Noel Jones
                > >
                >

                Thanks will try that.

              • Viktor Dukhovni
                Message 7 of 10 , Dec 4, 2013
                  On Wed, Dec 04, 2013 at 11:54:11PM +0530, Nilesh Govindrajan wrote:

                  > I have a postfix server configured with following restrictions -
                  >
                  > smtpd_reject_unlisted_sender = yes

                  You'll have to implement this control in the PHP application or submit email
                  via SMTP, rather than the sendmail(1) command. Submission with sendmail(1)
                  is asynchronous, and works even when Postfix is not running. Messages in
                  the "maildrop" directory are processed once Postfix is running, but it is
                  too late to tell the application that the message is not acceptable.

                  > smtpd_relay_restrictions = reject_unverified_recipient,
                  > permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
                  > reject

                  Why is your PHP application allowing users to send messages to
                  arbitrary recipients? You should not need "reject_unverified_recipient"
                  unless you have an open-relay web-form, fix the real problem.

                  > smtpd_recipient_restrictions =
                  > reject_rbl_client zen.spamhaus.org, reject_rbl_client
                  > bl.spamcop.net, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
                  > dbl.spamhaus.org,
                  > reject_unknown_recipient_domain, reject_unlisted_recipient,
                  > reject_unverified_recipient, permit

                  Your own machine is probably not on any RBL, so you won't get much help
                  here.

                  > When I try to send mail using telnet to a failing address (aka
                  > unverified) it properly fails.
                  > But when PHP sends mail (which uses sendmail -t -i), it queues the mail.
                  >
                  > What am I missing?

                  Don't let your PHP applications send mail to arbitrary addresses
                  unless they are restricted to authenticated trusted users. If the
                  latter, make sure you have valid sender addresses recorded for each
                  such user, and use these rather than webform input as the sender
                  address. If a submitted message from a trusted user bounces, the
                  right user receives the bounce.

                  If some of your users are spammers, solve that problem, just
                  filtering out messages to invalid recipients is not the right
                  answer.

                  --
                  Viktor.
                • Nilesh Govindrajan
                  Message 8 of 10 , Dec 4, 2013

                    On 05-Dec-2013 12:17 am, "Viktor Dukhovni" <postfix-users@...> wrote:

                    >
                    > On Wed, Dec 04, 2013 at 11:54:11PM +0530, Nilesh Govindrajan wrote:
                    >
                    > > I have a postfix server configured with following restrictions -
                    > >
                    > > smtpd_reject_unlisted_sender = yes
                    >
                    > You'll have to implement this control in the PHP application or submit email
                    > via SMTP, rather than the sendmail(1) command.  Submission with sendmail(1)
                    > is asynchronous, and works even when Postfix is not running.  Messages in
                    > the "maildrop" directory are processed once Postfix is running, but it is
                    > too late to tell the application that the message is not acceptable.
                    >
                    > > smtpd_relay_restrictions = reject_unverified_recipient,
                    > > permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
                    > > reject
                    >
                    > Why is your PHP application allowing users to send messages to
                    > arbitrary recipients?  You should not need "reject_unverified_recipient"
                    > unless you have an open-relay web-form, fix the real problem.
                    >
                    > > smtpd_recipient_restrictions =
                    > >         reject_rbl_client zen.spamhaus.org, reject_rbl_client
                    > > bl.spamcop.net, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
                    > > dbl.spamhaus.org,
                    > >         reject_unknown_recipient_domain, reject_unlisted_recipient,
                    > > reject_unverified_recipient, permit
                    >
                    > Your own machine is probably not on any RBL, so you won't get much help
                    > here.
                    >
                    > > When I try to send mail using telnet to a failing address (aka
                    > > unverified) it properly fails.
                    > > But when PHP sends mail (which uses sendmail -t -i), it queues the mail.
                    > >
                    > > What am I missing?
                    >
                    > Don't let your PHP applications send mail to arbitrary addresses
                    > unless they are restricted to authenticated trusted users.  If the
                    > latter, make sure you have valid sender addresses recorded for each
                    > such user, and use these rather than webform input as the sender
                    > address.  If a submitted message from a trusted user bounces, the
                    > right user receives the bounce.
                    >
                    > If some of your users are spammers, solve that problem, just
                    > filtering out messages to invalid recipients is not the right
                    > answer.
                    >
                    > --
                    >         Viktor.

                    I have sufficient spam and virus protection using amavisd. That's not the issue.
                    Some applications keep trying to send mail to addresses which keep failing and it fills the queue. Plus gets the server IP a bad name because of frequent failure.

                    And as a hosting service provider I can't control each and every aspect. So chose this method.

                    I guess it's right?

                    Regarding the sender restrictions looks like I missed permit_mynetworks there, thanks for pointing it out.

                  • Viktor Dukhovni
                    Message 9 of 10 , Dec 4, 2013
                      On Thu, Dec 05, 2013 at 12:23:50AM +0530, Nilesh Govindrajan wrote:

                      > > > What am I missing?
                      > >
                      > > Don't let your PHP applications send mail to arbitrary addresses
                      > > unless they are restricted to authenticated trusted users. If the
                      > > latter, make sure you have valid sender addresses recorded for each
                      > > such user, and use these rather than webform input as the sender
                      > > address. If a submitted message from a trusted user bounces, the
                      > > right user receives the bounce.
                      > >
                      > > If some of your users are spammers, solve that problem, just
                      > > filtering out messages to invalid recipients is not the right
                      > > answer.
                      >
                      > I have sufficient spam and virus protection using amavisd. That's
                      > not the issue. Some applications keep trying to send mail to
                      > addresses which keep failing and it fills the queue. Plus gets
                      > the server IP a bad name because of frequent failure.

                      Why are the applications doing this? Sending recipient verification
                      probes may also be detrimental to your server's reputation.

                      > And as a hosting service provider I can't control each and every aspect.
                      > So chose this method.

                      You're hosting PHP applications for clients that send mail? And
                      the ones that repeatedly send email to invalid addresses are not
                      spamming?

                      You're solving the problem at the wrong layer. Route all mail from
                      the local submission MSA via an intermediate MTA that performs
                      content analysis for spam and log analysis for repeated bounces.

                      Disconnect customers that violate sender best practices or your AUP.

                      Is hosting PHP apps that send bulk email worth the trouble? I
                      would severely rate limit mail submission from each client's hosted
                      site sent to any address outside a small white-list they can change
                      at most once a week intended to allow unlimited mail to the website
                      owner. Users who want to send bulk email can work with a legitimate
                      bulk email provider.

                      --
                      Viktor.
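
The log analysis for repeated bounces suggested in the message above, as an added example that is not part of the thread: mail submitted with sendmail(1) is logged by pickup with the submitting local uid, so hard bounces can be attributed to the hosted site that caused them. The log lines, host names, uids, addresses and the `repeated_bounces` function are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix syslog lines (hosts, uids and addresses are made up).
SAMPLE_LOG = """\
Dec  4 09:00:01 mx postfix/pickup[2101]: 3A1B2C4D5E: uid=1001 from=<site1>
Dec  4 09:00:03 mx postfix/smtp[2105]: 3A1B2C4D5E: to=<nobody@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=2.1, delays=0.1/0/1/1, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown)
Dec  4 09:00:03 mx postfix/qmgr[1999]: 3A1B2C4D5E: removed
Dec  4 15:00:01 mx postfix/pickup[2101]: 5B2C3D4E6F: uid=1001 from=<site1>
Dec  4 15:00:02 mx postfix/smtp[2105]: 5B2C3D4E6F: to=<Nobody@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.4, delays=0.1/0/0.8/0.5, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown)
Dec  4 15:00:02 mx postfix/qmgr[1999]: 5B2C3D4E6F: removed
Dec  4 16:10:00 mx postfix/pickup[2101]: 6C3D4E5F70: uid=1002 from=<site2>
Dec  4 16:10:01 mx postfix/smtp[2106]: 6C3D4E5F70: to=<owner@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Dec  4 16:10:01 mx postfix/qmgr[1999]: 6C3D4E5F70: removed
Dec  4 17:30:00 mx postfix/smtpd[2200]: 6C3D4E5F70: client=unknown[198.51.100.7]
Dec  4 17:30:02 mx postfix/smtp[2106]: 6C3D4E5F70: to=<nobody@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.8, delays=0.2/0/1/0.6, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown)
Dec  4 17:30:02 mx postfix/qmgr[1999]: 6C3D4E5F70: removed
Dec  4 18:00:00 mx postfix/pickup[2101]: 7D4E5F6071: uid=1002 from=<site2>
Dec  4 18:00:30 mx postfix/smtp[2106]: 7D4E5F6071: to=<typo@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.20]:25: Connection timed out)
"""

# pickup(8) logs the local uid for every message that came in via the
# maildrop directory, i.e. via sendmail(1) rather than SMTP.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<[^>]*>")
# Queue IDs can be reused once a message is removed from the queue.
REMOVED_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): removed")
# Per-recipient delivery result logged by the delivery agents.
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|lmtp|local|virtual|error)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<(?P<rcpt>[^>]*)>,.*?\bdsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+)")


def repeated_bounces(lines, threshold=2):
    """Return {uid: {recipient: count}} for locally submitted mail that
    hard-bounced at least `threshold` times to the same recipient."""
    qid_uid = {}                      # live queue ID -> submitting uid
    counts = defaultdict(Counter)     # uid -> recipient -> hard bounces
    for line in lines:
        m = PICKUP_RE.search(line)
        if m:
            qid_uid[m["qid"]] = int(m["uid"])
            continue
        m = REMOVED_RE.search(line)
        if m:
            # Forget the mapping so a reused queue ID is not misattributed.
            qid_uid.pop(m["qid"], None)
            continue
        m = DELIVERY_RE.search(line)
        if m and m["status"] == "bounced" and m["dsn"].startswith("5."):
            uid = qid_uid.get(m["qid"])
            if uid is not None:       # skip mail that arrived over SMTP
                # Lower-casing the address is a counting convenience only.
                counts[uid][m["rcpt"].lower()] += 1
    flagged = {}
    for uid, per_rcpt in counts.items():
        hits = {r: n for r, n in per_rcpt.items() if n >= threshold}
        if hits:
            flagged[uid] = hits
    return flagged


if __name__ == "__main__":
    for uid, rcpts in repeated_bounces(SAMPLE_LOG.splitlines()).items():
        for rcpt, n in rcpts.items():
            print(f"uid={uid} hard-bounced {n} times to {rcpt}")
```

Temporary failures (4.x.x, status=deferred) are deliberately not counted, and the bounce on the reused queue ID is ignored because that message arrived over SMTP.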
                    • Nilesh Govindrajan
                      Message 10 of 10 , Dec 4, 2013

                        On 05-Dec-2013 12:40 am, "Viktor Dukhovni" <postfix-users@...> wrote:

                        >
                        > On Thu, Dec 05, 2013 at 12:23:50AM +0530, Nilesh Govindrajan wrote:
                        >
                        > > > > What am I missing?
                        > > >
                        > > > Don't let your PHP applications send mail to arbitrary addresses
                        > > > unless they are restricted to authenticated trusted users.  If the
                        > > > latter, make sure you have valid sender addresses recorded for each
                        > > > such user, and use these rather than webform input as the sender
                        > > > address.  If a submitted message from a trusted user bounces, the
                        > > > right user receives the bounce.
                        > > >
                        > > > If some of your users are spammers, solve that problem, just
                        > > > filtering out messages to invalid recipients is not the right
                        > > > answer.
                        > >
                        > > I have sufficient spam and virus protection using amavisd. That's
                        > > not the issue.  Some applications keep trying to send mail to
                        > > addresses which keep failing and it fills the queue. Plus gets
                        > > the server IP a bad name because of frequent failure.
                        >
                        > Why are the applications doing this?  Sending recipient verification
                        > probes may also be detrimental to your server's reputation.
                        >

                        Probes may not be that much of an issue because it doesn't probe more than thrice a day. For one address. Presently there are 2-3 failing addresses.

                        > > And as a hosting service provider I can't control each and every aspect.
                        > > So chose this method.
                        >
                        > You're hosting PHP applications for clients that send mail?  And
                        > the ones that repeatedly send email to invalid addresses are not
                        > spamming?
                        >

                        Spam in technical sense not in human sense.

                        > You're solving the problem at the wrong layer.  Route all mail from
                        > the local submission MSA via an intermediate MTA that performs
                        > content analysis for spam and log analysis for repeated bounces.
                        >

                        Postfix is already clubbed to amavisd because the server has virtual domains too. Know of some software which can be used for this purpose?

                        > Disconnect customers that violate sender best practices or your AUP.
                        >
                        > Is hosting PHP apps that send bulk email worth the trouble?  I
                        > would severely rate limit mail submission from each client's hosted
                        > site sent to any address outside a small white-list they can change
                        > at most once a week intended to allow unlimited mail to the website
                        > owner.  Users who want to send bulk email can work with a legitimate
                        > bulk email provider.
                        >
                        > --
                        >         Viktor

                        These aren't bulk mail. Some misconfiguration on application operator's part.
                        Invalid addresses to which the application is supposed to send legitimate messages.
