please avoid top-posting

On 22.03.2014 12:04, Pau Peris wrote:
> Thanks for the explanation but i think i'm not understanding you. I
> understand MX records are not mandatory but i'm wondering what am i
> supposed to do when someone tries to send an email and the from address
> is not valid but an A or CNAME RR exists? By not valid i mean replying
> to the from address will never reach any mailbox.
>
> My worries are:
> * I'm responsible for sending email for domain.com but not for
>   *.domain.com.
> * I'm only signing and following the rules - like DKIM, SPF, DMARC - for
>   domain.com but haven't done anything special for *.domain.com. And i
>   don't want my server to be responsible for sending not signed emails,
>   etc.

you did not make clear that you talk about sending mail

> * I do not want to send emails if the from address is not reachable.
> Probably the best solution should be to make sure the from address matches
> the login address?

yes, you should not allow non-existent senders
you need some rules before "permit_sasl_authenticated"

in most cases that should be enough:
http://www.postfix.org/postconf.5.html#reject_unlisted_sender
___________________________________________________

that is more complex to implement but if done properly the perfect solution
however, you also need to consider aliases to be listed here which may not
have their own login but are allowed for the user/password combination

reject_authenticated_sender_login_mismatch
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

reject_authenticated_sender_login_mismatch
Enforces the reject_sender_login_mismatch restriction for authenticated
clients only. This feature is available in Postfix version 2.1 and later.
___________________________________________________

that's how it looks in "main.cf" while you need a way for
"smtpd_sender_login_maps" matching your environment,
"reject_non_fqdn_recipient" and "reject_non_fqdn_sender" are highly
recommended, reject user mistakes and prevent auto-adding "myhostname"
if someone sends to "johnny"

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-senderaccess.cf
smtpd_recipient_restrictions = permit_mynetworks
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_unlisted_sender
 reject_authenticated_sender_login_mismatch
 permit_sasl_authenticated

> I'm already using reject_unknown_sender_domain.
> Thank you so much.

> On Sat, Mar 22, 2014 at 11:21 AM, li...@rhsoft.net <li...@rhsoft.net> wrote:
>
> On 22.03.2014 10:29, Pau Peris wrote:
> > The issue here is mail.domain.com is responsible for sending email for
> > domain.com but not *.domain.com so the latter are not DKIM signed and
> > obviously are not valid recipient addresses as those domains are not
> > able to receive email so i would like to reject clients using a from
> > domain address which is not able to receive email like *.domain.com.
>
> please don't post in HTML, it destroys quoting in a thread and has no
> benefit
>
> "domains without MX records" is a bad idea, there is no RFC saying
> that a MX record is mandatory, that is why any MTA falls back to the
> A-record of the domain if there is no MX
>
> and to avoid Stan jumping out and shout "but in this decade there are no
> domains without MX": they exist and they are used, i learned that after a
> customer complaint because my email-verification on the webserver
> rejected addresses without MX
>
> not sure how it does in case of non-existing subdomains
> however, that should be enabled on any public MX and catches spam
> http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
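
Added example, not part of the original message: a simplified Python model of the owner check that reject_authenticated_sender_login_mismatch performs against smtpd_sender_login_maps, including an alias owned by two logins. The addresses, the map contents and the function names are constructed for illustration, and the bare "user" lookup step Postfix does for local domains is left out.

```python
# Simplified model (not Postfix source) of the sender/login ownership check.

# Constructed sample of what smtpd_sender_login_maps would return:
# MAIL FROM address -> SASL login names that own it.
# "sales@" is an alias without a login of its own; it must still be listed,
# otherwise its legitimate users are rejected.
SENDER_LOGIN_MAP = {
    "alice@example.com": "alice@example.com",
    "bob@example.com": "bob@example.com",
    "sales@example.com": "alice@example.com, bob@example.com",
    "@lists.example.com": "listadmin@example.com",  # whole-domain entry
}


def lookup_owners(sender, table):
    """Return owner logins for a sender: full address first, then @domain."""
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    for key in (sender, "@" + domain):
        if key in table:
            # Owners are separated by commas and/or whitespace.
            return [o.lower() for o in table[key].replace(",", " ").split()]
    return []


def check_sender_login(sender, sasl_login, table=SENDER_LOGIN_MAP):
    """Return "REJECT" or "DUNNO" (fall through to the next restriction)."""
    if sasl_login is None:
        # The "authenticated" variant only applies to SASL-authenticated
        # clients; others are left to the remaining restrictions.
        return "DUNNO"
    owners = lookup_owners(sender, table)
    if sasl_login.lower() in owners:
        return "DUNNO"
    # Covers both a wrong owner and an address with no owner listed at all,
    # e.g. anything@sub.example.com for a login that only owns example.com.
    return "REJECT"


if __name__ == "__main__":
    for sender, login in [
        ("sales@example.com", "bob@example.com"),
        ("alice@example.com", "bob@example.com"),
        ("anything@sub.example.com", "alice@example.com"),
        ("alice@example.com", None),
    ]:
        print(f"{sender!r} as {login!r}: {check_sender_login(sender, login)}")
```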