Postfix: How to reject sender addresses that don't exist, only for local domains

On my Postfix I'm trying to reject senders that use fake addresses from domains managed locally. But I only want to perform the check for the local domains, not for every sender.

So if example.com is managed locally, I want to block [email protected] and let [email protected] and [email protected] pass.

I looked into smtpd_sender_restrictions with reject_unverified_sender but I don't see how to do the check only for the local domains.


Solution 1:

The parameter that you are looking for is smtpd_reject_unlisted_sender.

smtpd_reject_unlisted_sender (default: no)

Request that the Postfix SMTP server rejects mail from unknown sender addresses, even when no explicit reject_unlisted_sender access restriction is specified. This can slow down an explosion of forged mail from worms or viruses.

An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.

  • The sender domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the sender is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
  • The sender domain matches $virtual_alias_domains but the sender is not listed in $virtual_alias_maps.
  • The sender domain matches $virtual_mailbox_domains but the sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
  • The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.

This feature is available in Postfix 2.1 and later.

You can enable it by specifying smtpd_reject_unlisted_sender = yes in main.cf. Another way is to put reject_unlisted_sender in the smtpd_*_restrictions stack.


Additional note: what's the difference between reject_unverified_sender and reject_unlisted_sender?

The difference between the two methods lies in how they perform verification.

  • Postfix with the reject_unverified_sender parameter verifies the sender by telnetting to the remote MX server and performing an unfinished SMTP transaction with recipient = unverified_sender. If the remote server doesn't reject the recipient, Postfix assumes that the sender was verified. See "How address verification works" in the Postfix documentation.
  • Postfix with the reject_unlisted_sender parameter verifies the sender by looking for a valid recipient in ALL domain classes (local, virtual alias, virtual mailbox and relay).
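
The rule quoted in the answer above, as an added example (a simplified model written for this page, not Postfix code): it shows why senders in domains the server does not handle are never checked, while unknown users in handled domains are rejected. The names `AddressClass` and `sender_verdict`, and all sample domains and users, are hypothetical.

```python
# Simplified model of the "unlisted sender" rule quoted above. Not Postfix code.
# Assumptions: exact-match lookups only (no @domain catch-alls, address
# extensions or regexp tables); $inet_interfaces/$proxy_interfaces are ignored.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddressClass:
    domains: set                 # e.g. $mydestination, $virtual_mailbox_domains
    listed: Optional[set]        # contents of the matching *_maps; None = null map
    by_localpart: bool = False   # local class is modelled as keyed by bare user name
    null_disables: bool = True   # the "... and the map is not null" clause


def sender_verdict(sender, classes, always_known=frozenset()):
    """Return (action, reason) for a MAIL FROM address."""
    sender = sender.lower()
    if sender in always_known:   # virtual(5) alias or canonical(5) match
        return "permit", "matches virtual/canonical mapping"
    local, _, domain = sender.rpartition("@")
    for name, cls in classes.items():
        if domain not in cls.domains:
            continue
        if cls.listed is None and cls.null_disables:
            return "permit", f"{name}: map is null, check disabled"
        key = local if cls.by_localpart else sender
        if key in (cls.listed or set()):
            return "permit", f"{name}: listed"
        return "reject", f"{name}: sender not listed"
    return "permit", "domain not handled here, not checked"


# Constructed sample: example.com is local, example.net is a virtual mailbox
# domain, example.org is a relay domain with no relay_recipient_maps.
CLASSES = {
    "local": AddressClass({"example.com"}, {"alice", "postmaster"}, by_localpart=True),
    "virtual_mailbox": AddressClass({"example.net"}, {"bob@example.net"}),
    "relay": AddressClass({"example.org"}, None),
}
ALWAYS_KNOWN = {"sales@example.com"}

if __name__ == "__main__":
    for addr in ("alice@example.com", "ghost@example.com", "sales@example.com",
                 "anyone@elsewhere.test", "carol@example.org"):
        print(addr, *sender_verdict(addr, CLASSES, ALWAYS_KNOWN))
```

The relay case shows the caveat in the quoted text: a handled domain whose recipient map is null is not protected by this check.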