OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: $smtpd_recipient_restrictions = reject_unauth_destination vs. check_relay_domains...
From: LaMont Jones (lamontsecurity.hp.com)
Date: Fri Feb 11 2000 - 13:00:09 CST

> But there are far too
> many people out there that own their own reverse DNS, and could use
> this to lie to our server and claim to be local.

Which was why reject_unauth_destination came to be.

> If I use $smtpd_recipient_restrictions =
> reject_unauth_destination, then the entire envelope recipient address
> is checked against $relay_domains, and if it's not found then the
> message is rejected. But at this level, we don't know what users are
> valid for what domains, and I don't have a complete list of all the
> hundreds of thousands of aliases, etc... that would more properly
> exist in $virtual_maps anyway.

The code is identical between the two (actually they call a common
subroutine). The difference is that check_relay_domains also does a
domain_list_match against the sender's domain and returns OK or FAIL.
reject_unauth_destination checks the recipient, and returns DUNNO
(found it) or FAIL.

In other words, reject_unauth_destination should do what you want (it's
what we're using, with lots of domains to relay). Is there a
documentation problem that needs to be resolved??

lamont