RE: *panic* Open relay question..?

Date: Mon Apr 01 2002 - 12:56:45 EST


On Mon, 1 Apr 2002, Bill Landry wrote:

> On Mon, 1 Apr 2002, Victor Duchovni wrote:
>
> >Indeed. The problem lies elsewhere, specifically a misguided use of
> >"check_sender_access" in "smtpd_recipient_restrictions". In this case it
> >should just be dropped. More generally it *must* only contain "REJECT"
> >entries for blacklisted sender addresses, it may not contain "OK" or
> >"RELAY" entries.
>
> Victor, this seems to imply otherwise (from the Postfix UCE Controls page):
>
...
>
> I use the check_sender_access maptype under the smtpd_recipient_restrictions
> for customers that do not want their e-mail spam filtered by setting the
> "OK" flag after their e-mail address and it works great.
>

        Unless "check_sender_access" follows "reject_unauth_destination"
it must not return OK if used in smtpd_recipient_restrictions (sorry about
the multiple conditionals).

        Returning OK in "check_sender_access" prior to checking relay
access makes your host an open relay, because the envelope sender is
easily forged.

        I am contemplating a patch to Postfix that would ignore OK results
based on forgeable information (helo or sender) in the recipient
restrictions unless it occurs after reject_unauth_destination.
This would need to work correctly for recursive restrictions; it may take
some time to come up with the right specification.

-- 
	Viktor.
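
The ordering rule in the message above, as an added example that is not part of the original post and is not Postfix code: a simplified first-match model of smtpd_recipient_restrictions, plus a check that lists forgeable-input lookups placed before reject_unauth_destination. All addresses, domains and IPs are constructed, and "reject_listed_client" is a hypothetical stand-in for a spam filter check.

```python
# Added example: simplified model of first-match evaluation of
# smtpd_recipient_restrictions. Not Postfix source; all data is constructed.
SENDER_ACCESS = {"customer@example.com": "OK"}  # constructed sender access map
RELAY_DOMAINS = {"example.com"}                 # constructed: domains we accept mail for
MYNETWORKS = {"192.0.2.10"}                     # constructed trusted client
BLOCKLISTED = {"203.0.113.7"}                   # constructed DNSBL-listed client
FORGEABLE = {"check_sender_access", "check_helo_access"}  # keyed on client-supplied data


def evaluate(restrictions, client_ip, sender, recipient):
    """Return 'permit' or 'reject' for one RCPT TO; the first decisive result wins."""
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if client_ip in MYNETWORKS:
                return "permit"
        elif name == "check_sender_access":
            action = SENDER_ACCESS.get(sender.lower())
            if action == "OK":
                return "permit"  # skips every later restriction
            if action == "REJECT":
                return "reject"
        elif name == "reject_unauth_destination":
            if rcpt_domain not in RELAY_DOMAINS:
                return "reject"
        elif name == "reject_listed_client":  # hypothetical stand-in for a DNSBL check
            if client_ip in BLOCKLISTED:
                return "reject"
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "permit"  # nothing objected


def forgeable_before_relay_check(restrictions):
    """List forgeable-input checks that run before reject_unauth_destination."""
    found = []
    for name in restrictions:
        if name == "reject_unauth_destination":
            return found
        if name in FORGEABLE:
            found.append(name)
    return found  # no relay check at all: every forgeable check is exposed


UNSAFE = ["permit_mynetworks", "check_sender_access",
          "reject_unauth_destination", "reject_listed_client"]
SAFE = ["permit_mynetworks", "reject_unauth_destination",
        "check_sender_access", "reject_listed_client"]
```

With SAFE, the customer's OK entry still bypasses the spam check for mail addressed to example.com, but it can no longer authorize relaying. A lookup flagged by forgeable_before_relay_check is harmless only if its map contains nothing but REJECT entries.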