>|->but there is another situation where rejecting a msg is worse than
>|->DISCARDing it.
>|->new msg back to the undeliverable forged or deliverable joe-jobbed innocent
>|->sender. Since you have already accepted the DATA, it's best to DISCARD the
>|->msg to prevent any more repercussions.
>
>Ok. Postfix is set up to REJECT on body/header checks. Better go back and
>review that.

DISCARD rather than REJECT is only for msg that are definitely worm spew,
and NOT for all header/body REJECTs.

>|->The whole point of check_recipient_access used as early as possible in the
>|->smtpd restrictions is specifically to reject as soon as possible msgs to
>|->unknown recipients, (and CRA is different from other access maps in that it
>|->never returns an OK, only REJECT or DUNNO). This is the ONLY policy to
>|->follow. best for you, best for the (perhaps legit) sender (no DATA

>smtpd_client_restrictions =
>    check_recipient_access hash:/etc/postfix/to_recip.map,
>    hash:/etc/postfix/bad_ip.map,
>    permit_mynetworks,
>    reject

It's simpler to put all in smtp_recipient_restrictions, and I'm not talking
about check_recipient_access, but check_recipient_maps.

Len
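
An added example, not taken from the thread or from either poster's configuration, of the split discussed above: unknown recipients are refused at RCPT TO, before DATA is accepted, and DISCARD is kept for a header pattern that is definitely worm spew while other content hits are still REJECTed. The file paths and both header patterns are constructed placeholders; `reject_unlisted_recipient` is the name Postfix 2.1 and later use for the check that older releases called check_recipient_maps.

```conf
# --- /etc/postfix/main.cf (assumed path) ---
# Recipient validation happens at RCPT TO, so mail for unknown
# recipients is refused before any DATA is transferred.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient

# Content checks run after DATA has been accepted.
header_checks = regexp:/etc/postfix/header_checks

# --- /etc/postfix/header_checks (assumed path, constructed patterns) ---
# Definite worm spew: the envelope sender is forged or joe-jobbed,
# so the message is dropped silently instead of rejected.
/^Subject: EXAMPLE-WORM-SIGNATURE$/    DISCARD definite worm spew

# Any other content hit keeps REJECT, so a legitimate sender
# still learns that the message was refused.
/^X-Example-Header: blocked-value$/    REJECT content policy
```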
