Does the canonical_maps rewriting apply before the restrictions in smtpd_relay_restrictions?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Does the canonical_maps rewriting apply before the restrictions in smtpd_relay_restrictions?

deoren
Hi,

I'm likely overlooking this (I'm still digging), but do the restrictions
in smtpd_relay_restrictions apply before the rewriting configured for
canonical_maps takes place?

I'm trying to rewrite the sender address for a system before its mail is
relayed and it appears that the reject_non_fqdn_sender restriction is
applying before the rewrite can be completed. I assume I'm just doing
something wrong, but wanted to double-check on the timing/ordering
before I continued to troubleshoot much further.

Thanks in advance for your help!
Reply | Threaded
Open this post in threaded view
|

Re: Does the canonical_maps rewriting apply before the restrictions in smtpd_relay_restrictions?

Wietse Venema
deoren:
> Hi,
>
> I'm likely overlooking this (I'm still digging), but do the restrictions
> in smtpd_relay_restrictions apply before the rewriting configured for
> canonical_maps takes place?

Before. The smtpd_mumble_restrictions peek at the canonical and
virtual maps to determine if the before-rewriting address could match.
The actual rewriting happens later, in the cleanup daemon.

> I'm trying to rewrite the sender address for a system before its mail is
> relayed and it appears that the reject_non_fqdn_sender restriction is
> applying before the rewrite can be completed. I assume I'm just doing
> something wrong, but wanted to double-check on the timing/ordering
> before I continued to troubleshoot much further.

If the system is allowed to relay (definition: send mail through a
Postfix server to remote destinations) then it should not be subject
to reject_non_fqdn_sender and such.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Does the canonical_maps rewriting apply before the restrictions in smtpd_relay_restrictions?

deoren
On 8/1/2020 8:43 AM, Wietse Venema wrote:

> deoren:
>> Hi,
>>
>> I'm likely overlooking this (I'm still digging), but do the restrictions
>> in smtpd_relay_restrictions apply before the rewriting configured for
>> canonical_maps takes place?
>
> Before. The smtpd_mumble_restrictions peek at the canonical and
> virtual maps to determine if the before-rewriting address could match.
> The actual rewriting happens later, in the cleanup daemon.

Thanks for that pointer, I'll look further in that direction.

>
>> I'm trying to rewrite the sender address for a system before its mail is
>> relayed and it appears that the reject_non_fqdn_sender restriction is
>> applying before the rewrite can be completed. I assume I'm just doing
>> something wrong, but wanted to double-check on the timing/ordering
>> before I continued to troubleshoot much further.
>
> If the system is allowed to relay (definition: send mail through a
> Postfix server to remote destinations) then it should not be subject
> to reject_non_fqdn_sender and such.

Fair point.

We had a good bit of abuse on a web form a number of years back which
generated some garbage sender values. To help prevent that spam from
leaving our relays, we dropped in the reject_non_fqdn_sender restriction
and that helped until the root cause (since fixed) could be eliminated.

We've found that having the directive in place helps flag
systems/software with misconfigured settings.