On Wed, 18 Feb 2004, Len Conrad wrote:

|->I see frequently 80 to 90+% msgs to unknown users. 10's or 100's of 1000's
|->per day. Accepting all that volume, then generating a delivery failure
|->msgs for them (to often forged, non-deliverable senders) would quickly
|->swamp postfix deferred queue. insane

Ya there was a time last week when rejects for unknown users was beating
the acl for dsl/cable subscriber networks. But now that has gone the other
way where subscriber nets are beating out unknown users. Just today alone:

    6348 Bad Username
    8717 ACL Subscriber Network

|->but there is another situation where rejecting a msg is worse than
|->DISCARDing it.
|->new msg back to the undeliverable forged or deliverable joe-jobbed innocent
|->sender. Since you have already accepted the DATA, it's best to DISCARD the
|->msg to prevent any more repercussions.

Ok. Postfix is setup to REJECT on body/header checks. Better go back and
review that.

|->spam-l is really a "watch me while I bring up a highly obscure point of
|->discovery to demonstrate how overwhelmingly laser-like and encyclopedic my
|->intelligence and knowledge are" debating club. When people use "I fear
|->..." or "I'm distressed that ...", I'm outta there.

Yes there have been some discussions there that are a little whacked out
and some I just don't get at all. But there does end up to be some good
tidbit of info come up once in a while to make it worth reading, or at
least skimming.

|->The whole point of check_recipient_access used as early as possible in the
|->smtpd restrictions is specifically to reject as soon as possible msgs to
|->unknown recipients, (and CRA is different from other access maps in that it
|->never returns an OK, only REJECT or DUNNO). This is the ONLY policy to
|->follow. best for you, best for the (perhaps legit) sender (no DATA
|->command), best for Internet.

Looking over some other configs, CRA always is in smtpd_recip_restrictions
but somehow I ended up putting mine here:

    smtpd_client_restrictions =
        check_recipient_access hash:/etc/postfix/to_recip.map,
        hash:/etc/postfix/bad_ip.map,
        permit_mynetworks,
        reject

Seems to work but don't know if it's better under recipient_restrictions.

Thanks for the insight Len.

Keith
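
An added example, not part of the original message and not the poster's configuration: one way to lay out the recipient check under smtpd_recipient_restrictions, where the message says other configs keep it. The two map paths come from the message; the map entries, the placeholder domain example.com, and reading bad_ip.map as a client access map are assumptions.

```conf
# /etc/postfix/main.cf (added example)

# Default value, shown for clarity. With delayed reject, the client, helo and
# sender restriction lists are evaluated at RCPT TO, which is why a
# recipient check placed in smtpd_client_restrictions can still work.
smtpd_delay_reject = yes

# Client-level checks: trusted networks first, then the IP blocklist.
# Assumption: bad_ip.map is keyed by client address and returns REJECT.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/bad_ip.map

# Recipient-level checks: relay protection first, then the recipient map.
# A REJECT here is issued in reply to RCPT TO, so no DATA is accepted and
# no delivery failure message has to be generated later.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/to_recip.map

# /etc/postfix/to_recip.map (constructed entries, example.com is a placeholder)
# Known recipients return DUNNO, which stops the lookup from falling through
# to the domain entry; everything else in the domain is rejected.
#
#   keith@example.com        DUNNO
#   postmaster@example.com   DUNNO
#   example.com              REJECT unknown user
#
# Rebuild the lookup table after editing:  postmap /etc/postfix/to_recip.map
```

Because the map in this layout returns only DUNNO or REJECT, it cannot accidentally permit mail, and the list falls through to the implicit permit at the end of smtpd_recipient_restrictions for known recipients.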
