From: *Hobbit* (hobbit_at_avian.org)
Date: Fri Sep 20 2002 - 07:41:46 CDT

    I know this was discussed relatively recently when Ralf was having trouble
    with avcheck and recipient addresses of the form userotherhostmyhost
    not being blocked -- but the issues there were more complex and the
    discussion devolved into philosophy and in searching through my own
    archives I couldn't find anything like an actual *solution*.

    I have a much more immediate problem in that incoming recipients of the
    form victimother.domainmy-own.domain are being ACCEPTED and RELAYED.
    As in, "RCPT TO: <victimaol.comsanitized.com>" returns an immediate
    "250 Ok" and the mail is forwarded. This is BAD.

    Relevant pieces of postconf -n:

      allow_percent_hack = no
      allow_untrusted_routing = no
      mydestination = $myhostname, localhost.$mydomain, $mydomain,
            mx.$mydomain, mail.$mydomain, www.$mydomain, relay.$mydomain,
            inbound.$mydomain
      mydomain = sanitized.com
      myhostname = inbound.sanitized.com
      mynetworks = 10.0.0.0/8, 127.0.0.0/8
      myorigin = $mydomain
      relay_domains = $mydestination, $mydomain
      smtpd_recipient_restrictions =
            check_recipient_access regexp:$config_directory/recip_acl,
            check_relay_domains,
            reject_unauth_destination
      smtpd_sender_restrictions = reject_non_fqdn_sender,
            check_sender_access regexp:$config_directory/sender_acl,
            reject_unknown_sender_domain

    And dropping

      /.*/ 550 Bad routing

    into recip_acl has NO EFFECT, either -- the stuff just sails on through with
    an immediate "250 ok", which baffles the crap out of me since recip_acl
    is checked first and I can verify that all the *other* rules therein are
    definitely being applied. Why would that rule not match such a recipient?!

    What is the common pitfall I'm missing that allows the source-routed syntax
    to permit relaying despite all attempts to set things up correctly? It must
    stem from that special "shortcut" treatment of sender-specified routing
    scattered through the code, but I haven't found exactly what's going on in
    there yet. [When I do, it's going to be #ifdefed out with extreme prejudice.]

    _H*
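
A simplified model of the failure described in the post, as an added example that is not part of the original message and not Postfix's own code: once a local right-hand domain is stripped, a routing operator left in the local part names a remote next hop. Assumptions: the domain list is expanded by hand from the post's `mydestination`, the `@`, `%` and `!` operators are the sender-specified routing forms named in Postfix's `allow_untrusted_routing` documentation, and the sample recipients are constructed.

```python
# Domains expanded by hand from the post's mydestination (mydomain = sanitized.com).
LOCAL_DOMAINS = {
    "sanitized.com", "inbound.sanitized.com", "localhost.sanitized.com",
    "mx.sanitized.com", "mail.sanitized.com", "www.sanitized.com",
    "relay.sanitized.com",
}
MYORIGIN = "sanitized.com"  # myorigin = $mydomain in the post


def peel(rcpt, local=LOCAL_DOMAINS):
    """Strip local right-hand domains until a final domain remains.

    Returns (final_domain, hops), where hops counts how many times a
    routing operator in the local part exposed a further destination.
    """
    addr = rcpt.strip().strip("<>").lower()
    hops = 0
    while True:
        localpart, sep, domain = addr.rpartition("@")
        if not sep:
            return MYORIGIN, hops            # bare user: local by default
        if domain not in local:
            return domain, hops              # first non-local domain wins
        if "@" in localpart:                 # user@remote@local
            addr = localpart
        elif "%" in localpart:               # user%remote@local
            user, _, host = localpart.rpartition("%")
            addr = f"{user}@{host}"
        elif "!" in localpart:               # remote!user@local
            host, _, user = localpart.partition("!")
            addr = f"{user}@{host}"
        else:
            return domain, hops              # ordinary local recipient
        hops += 1


def verdict(rcpt):
    """Classify one RCPT TO argument the way a relay audit would."""
    final, hops = peel(rcpt)
    if hops and final not in LOCAL_DOMAINS:
        return f"REJECT source-routed relay to {final}"
    return "local" if final in LOCAL_DOMAINS else "remote"


if __name__ == "__main__":
    # Constructed sample recipients, not taken from real traffic.
    for rcpt in ("<victim%aol.com@sanitized.com>", "<victim@aol.com@sanitized.com>",
                 "<aol.com!victim@inbound.sanitized.com>", "<postmaster@sanitized.com>"):
        print(f"{rcpt:45} {verdict(rcpt)}")
```

Running `verdict` over the recipient column of an SMTP log shows which accepted addresses would leave the site after the local domain is removed.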