On 20-12-13 20:54, Bernardo Pons wrote:
> In these days where theft of credentials of legitimate e-mail
> server users in order to send spam, checking the MAIL FROM: using
> smtpd_reject_unlisted_sender would be a helpful Postfix feature.
> 
> Perhaps it is a misunderstanding from my side about the actual
> meaning of parameter smtpd_reject_unlisted_sender but if 
> "smtpd_reject_unlisted_sender = yes" is present on main.cf...
> 
> How is it possible for a user to send a mail from an unknown
> sender address neither listed in virtual nor canonical?
> 
> The user is connecting to the smtp server and authenticates itself 
> correctly but he's sending e-mails from an absolutely alien e-mail 
> address (both user and domain part of the e-mail address)
> 
> If the authenticated user tries to send e-mail from a non-existent 
> e-mail address (user part) of a local domain the e-mail is rejected
> but if he/she uses a non-existent e-mail address of an alien domain
> the e-mail message is accepted by smtpd server.
> 
> Shouldn't ALL those mails be rejected by smtpd?
> 

The problem is that postfix cannot look up localparts for domains that
are not hosted locally. For domains that the server is configured to
handle using local/virtual/etc, the localparts are also available
(i.e. 'listed'). For random offsite domains, the localpart cannot be
verified other than using a VRFY call, which is disabled at most sites
because it enabled spammers to verify existence of addresses, and
usage is considered abusive by many admins.

In order to force authenticated senders to use a limited set of MAIL
FROM addresses, you'll probably need to use
reject_sender_login_mismatch in smtpd_mumble_restrictions.

Regards,
        Tom
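
The restriction named in the reply above, shown as an added configuration example that is not part of the original message. The file path, the `hash:` map type, the addresses and the login names are constructed, and placing the check in `smtpd_sender_restrictions` is one possible choice, since the reply leaves the restriction list unspecified.

```conf
# /etc/postfix/main.cf (added example; paths and addresses are constructed)

# Only validates senders in domains this server hosts (local, virtual, ...).
# An authenticated client can still use any offsite MAIL FROM address,
# because Postfix has no recipient list to check that address against.
smtpd_reject_unlisted_sender = yes

# Table mapping each permitted MAIL FROM address to the SASL login name(s)
# that own it. Lookup order for user@domain: user@domain, user, @domain.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Reject when a SASL-authenticated client uses a MAIL FROM address it does
# not own according to the table above (this includes addresses with no
# entry at all, such as offsite ones), and when an unauthenticated client
# uses an address that does have an owner.
# Keep it ahead of any permit_sasl_authenticated in the same list.
smtpd_sender_restrictions =
    reject_sender_login_mismatch

# ---------------------------------------------------------------------
# /etc/postfix/sender_login_maps (constructed sample entries)
# Rebuild the index after editing: postmap /etc/postfix/sender_login_maps
#
# MAIL FROM address        owning SASL login name(s)
alice@example.com          alice
bob@example.com            bob
sales@example.com          alice, bob
```

After a reload, `postconf smtpd_sender_login_maps smtpd_sender_restrictions` shows the values Postfix is actually using.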