On 10/31/2011 12:31 PM, Simon Brereton wrote:
> Hi
>
> I was evaluating my smtpd_recipient_restrictions last week and decided that
> it made no sense to have reject_sender_login_mismatch after
> permit_sasl_authenticated. So I changed it. At the time I was reviewing the
> documentation I wasn't able to figure out the difference between
> reject_authenticated_sender_login_mismatch and reject_sender_login_mismatch.

Did you see this?
http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

With the "authenticated" version, the sender address is only checked if the
user has authenticated. This allows unauthenticated mail to use a protected
sender address, which may be needed for notification/invitation services
etc. that "spoof" the sender address for incoming mail.

>
> Since then I have a few items in the logs like:
>
> Oct 30 17:59:40 mail postfix/smtpd[21281]: connect from cpc17cable-connection.cableprovider.com[12.34.56.78]
> Oct 30 17:59:40 mail postfix/smtpd[21281]: setting up TLS connection from cpc17cable-connection.cableprovider.com[12.34.56.78]
> Oct 30 17:59:40 mail postfix/smtpd[21281]: Anonymous TLS connection established from cpc17cable-connection.cableprovider.com[12.34.56.78]: TLSv1 with cipher AES128-SHA (128/128 bits)
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<jemima>
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<jemima>
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<jemima>
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<jemima>
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<jemima>
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<jemima>
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<jemima>
> Oct 30 18:09:43 mail postfix/smtpd[21281]: timeout after RCPT from cpc17cable-connection.cableprovider.com[12.34.56.78]
> Oct 30 18:09:43 mail postfix/smtpd[21281]: disconnect from cpc17cable-connection.cableprovider.com[12.34.56.78]
>
> Googling led me to this thread:
> http://comments.gmane.org/gmane.mail.postfix.user/210413
>
> But I don't understand how [email protected] is not owned by
> [email protected]

Apparently this user didn't authenticate.

You define who owns what address in smtpd_sender_login_maps. There are no
"automatic" mappings.

> mail:~# postconf -n | grep smtpd_recipient_restrictions
> smtpd_recipient_restrictions =
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_sender_login_mismatch,
>     permit_sasl_authenticated,

This should be followed by "permit_mynetworks, reject_unauth_destination,"
followed by your other UCE checks.

>     check_helo_access hash:/etc/postfix/helo_checks,
>     check_sender_access hash:/etc/postfix/ip_whitelist,

check_sender_access is to check the sender email address, and will never
match an IP. You must use check_client_access to whitelist by IP.

>     check_recipient_access hash:/etc/postfix/laxdomains,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,
>     reject_unknown_helo_hostname,
>     check_sender_access hash:/etc/postfix/backscatter
>     check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
>     permit_mynetworks,
>     reject_unauth_destination,

This is dangerously late for reject_unauth_destination. You should move it
above any check_*_access maps.

>     reject_unlisted_recipient,
>     check_policy_service unix:private/policy-spf,
>     check_policy_service inet:127.0.0.1:10031,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client cbl.abuseat.org,

cbl is included in zen, so this is a duplicate.

>     reject_rbl_client blackholes.mail-abuse.org,

Do you pay for a subscription to mail-abuse.org? Otherwise this won't work.

>     reject_rbl_client tw.countries.nerd.dk,
>     reject_rbl_client kr.countries.nerd.dk,
>     reject_rbl_client cn.countries.nerd.dk,
>     reject_rbl_client relays.mail-abuse.org,

Do you pay for a subscription to mail-abuse.org? Otherwise this won't work.

>     warn_if_reject, reject_unknown_client,
>     warn_if_reject, reject_rhsbl_client dsn.rfc-ignorant.org,
>     warn_if_reject, reject_rbl_client dnsbl.sorbs.net,
>     warn_if_reject, reject_rbl_client dnsbl.njabl.org,
>     warn_if_reject, reject_rbl_client dul.dnsbl.sorbs.net,
>     permit

-- 
Noel Jones
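The two ordering points in the reply above (which sender-login-mismatch variant to use, and why reject_unauth_destination must come before any check_*_access map) follow from Postfix's first-match evaluation of a restriction list: the first restriction that returns a permit or reject decides, everything else falls through. The following toy evaluator is an added example written for this page, not Postfix code or anything from the thread; it models only the restrictions discussed here, uses exact full-address keys for the login map (real smtpd_sender_login_maps lookups have more forms, see the postconf(5) link above), and all IPs, addresses, the login map and the client whitelist are constructed sample data.

```python
"""Toy first-match evaluator for a Postfix smtpd_recipient_restrictions list.

Added illustration, not Postfix source. Models: permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination, the three
*sender_login_mismatch restrictions, check_client_access, permit, reject.
"""

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed stand-ins for mydestination / mynetworks.
MYDESTINATION = {"example.com"}
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}

# Constructed smtpd_sender_login_maps: sender address -> logins that own it.
# Postfix has no automatic mappings; an address absent here is unprotected.
SENDER_LOGIN_MAPS = {
    "simon@example.com": {"simon@example.com"},
    "bob@example.com": {"bob@example.com"},
}

# Constructed check_client_access table (client IP -> action).
CLIENT_ACCESS = {"198.51.100.5": "OK"}


def _login_mismatch(session, check_authenticated, check_unauthenticated):
    """Shared logic of the three sender_login_mismatch restrictions."""
    owners = SENDER_LOGIN_MAPS.get(session["sender"].lower())
    if owners is None:                      # unprotected sender: no opinion
        return DUNNO, ""
    login = session.get("sasl_username")
    if login:
        if check_authenticated and login.lower() not in owners:
            return REJECT, f"Sender address rejected: not owned by user {login}"
    elif check_unauthenticated:
        return REJECT, "Sender address rejected: not logged in"
    return DUNNO, ""


def evaluate(restrictions, session):
    """Return (verdict, reason, deciding restriction) for one RCPT command."""
    for entry in restrictions:
        name = entry.split()[0]             # drop map arguments like hash:/...
        verdict, reason = DUNNO, ""
        if name == "permit_mynetworks":
            if session["client_ip"] in MYNETWORKS:
                verdict = PERMIT
        elif name == "permit_sasl_authenticated":
            if session.get("sasl_username"):
                verdict = PERMIT
        elif name == "reject_unauth_destination":
            if session["recipient"].rpartition("@")[2].lower() not in MYDESTINATION:
                verdict, reason = REJECT, "Relay access denied"
        elif name == "reject_sender_login_mismatch":
            verdict, reason = _login_mismatch(session, True, True)
        elif name == "reject_authenticated_sender_login_mismatch":
            verdict, reason = _login_mismatch(session, True, False)
        elif name == "reject_unauthenticated_sender_login_mismatch":
            verdict, reason = _login_mismatch(session, False, True)
        elif name == "check_client_access":
            action = CLIENT_ACCESS.get(session["client_ip"])
            if action == "OK":
                verdict = PERMIT
            elif action == "REJECT":
                verdict, reason = REJECT, "Access denied"
        elif name == "permit":
            verdict = PERMIT
        elif name == "reject":
            verdict, reason = REJECT, "Access denied"
        else:
            raise ValueError(f"restriction not modelled here: {name}")
        if verdict != DUNNO:
            return verdict, reason, name
    return DUNNO, "", None


# Constructed sessions.
UNAUTH_PROTECTED_SENDER = {  # like the cable-modem client in the quoted log
    "client_ip": "203.0.113.7", "sender": "simon@example.com",
    "recipient": "alice@example.com"}
AUTH_WRONG_SENDER = {        # logged in as bob, sending as simon
    "client_ip": "203.0.113.7", "sasl_username": "bob@example.com",
    "sender": "simon@example.com", "recipient": "alice@example.com"}
WHITELISTED_RELAY_ATTEMPT = {  # whitelisted IP aiming at a foreign domain
    "client_ip": "198.51.100.5", "sender": "spam@example.net",
    "recipient": "victim@example.org"}

# Candidate restriction lists.
STRICT = ["reject_sender_login_mismatch", "permit_sasl_authenticated",
          "permit_mynetworks", "reject_unauth_destination", "permit"]
AUTH_ONLY = ["reject_authenticated_sender_login_mismatch",
             "permit_sasl_authenticated", "permit_mynetworks",
             "reject_unauth_destination", "permit"]
LATE_UNAUTH_DEST = ["permit_mynetworks", "permit_sasl_authenticated",
                    "check_client_access hash:/etc/postfix/ip_whitelist",
                    "reject_unauth_destination", "permit"]
SAFE_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination",
              "check_client_access hash:/etc/postfix/ip_whitelist", "permit"]

if __name__ == "__main__":
    for label, rules, sess in [("strict/unauth", STRICT, UNAUTH_PROTECTED_SENDER),
                               ("auth-only/unauth", AUTH_ONLY, UNAUTH_PROTECTED_SENDER),
                               ("strict/auth-mismatch", STRICT, AUTH_WRONG_SENDER),
                               ("late reject_unauth_destination", LATE_UNAUTH_DEST, WHITELISTED_RELAY_ATTEMPT),
                               ("safe order", SAFE_ORDER, WHITELISTED_RELAY_ATTEMPT)]:
        print(f"{label:32} -> {evaluate(rules, sess)}")
```

Running it shows the two effects the reply describes: with reject_sender_login_mismatch the unauthenticated client using a protected address is refused ("not logged in"), while reject_authenticated_sender_login_mismatch lets that mail through and only refuses the authenticated user who sends as someone else; and a check_client_access "OK" placed before reject_unauth_destination turns that one whitelisted IP into an open relay, which the safe ordering prevents.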
