I recently migrated from Courier to Dovecot. The main guide I followed for configuring Postfix + MySQL + Dovecot was this one: https://library.linode.com/email/postfix/postfix2.9.6-dovecot2.0.19-mysql
Everything works perfectly, but when I change the mail address in the mail client, leaving the correct login and password for the servers, and send an email with that fake mail (and domain) address, Postfix just sends it, without verifying if that email address existed in the database and without verifying if that email address was even mine.
So, there must be something wrong with my SMTP configuration. This is my actual configuration:
# Requirements for the sender details
smtpd_reject_unlisted_sender = yes
smtpd_reject_unlisted_recipient = yes
smtpd_sender_restrictions =
    warn_if_reject,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_unlisted_sender,
    reject_unverified_sender,
    permit
# Requirements for the connecting server
smtpd_client_restrictions =
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client bl.spamcop.net,
    permit
# Requirement for the recipient address
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unverified_recipient,
    check_policy_service inet:127.0.0.1:10023,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining
# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
isable_vrfy_command = yes
Anyone?
The reject_unlisted_sender restriction listed in smtpd_sender_restrictions is listed after permit_mynetworks and permit_sasl_authenticated. Postfix traverses the restriction list in order and terminates when it hits the first permit/reject and hence never reaches reject_unlisted_sender. Since your message wasn't rejected by reject_unauth_destination it must've been accepted because of permit_mynetworks or permit_sasl_authenticated.

Additionally, unless the sender address you used had a domain part that was actually "owned" by Postfix (i.e. listed in mydestination, virtual_mailbox_domains, virtual_alias_domains, or relay_domains), it can't be validated and reject_unlisted_sender won't work. See details in the postconf(5) man page.

Other observations:

- warn_if_reject restriction is placed before permit_mynetworks. Because the latter never rejects anything the warn_if_reject restriction serves no purpose.
- reject_unlisted_recipient and reject_unlisted_sender, setting smtpd_reject_unlisted_sender and smtpd_reject_unlisted_recipient isn't necessary.
- permit at the end of (nearly) every list is implicit and can be dropped.
- disable_vrfy_command.
- smtpd_recipient_restrictions. With smtpd_delay_reject enabled all restrictions will be evaluated at the recipient stage anyway, and a single list usually makes the configuration easier to understand.
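
A check for the ordering problem described in the answer above, as an added example that is not part of the original thread and is not Postfix code: it parses main.cf text and reports reject_* restrictions that come after permit_mynetworks or permit_sasl_authenticated in the same list. The function names and the embedded sample (shortened from the question's sender list) are constructed for illustration.

```python
import re

# Restrictions that end evaluation of a list with "permit" for trusted clients.
EARLY_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}

# Constructed sample: shortened from the question's sender list, with the
# leading whitespace that main.cf needs on continuation lines.
SAMPLE_MAIN_CF = """\
smtpd_sender_restrictions =
    warn_if_reject,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unlisted_sender,
    permit
smtpd_helo_required = yes
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining lines that start with whitespace."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace() and name:
            params[name] += " " + line.strip()  # continuation line
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def shadowed_rejects(text):
    """Map each smtpd_*_restrictions list to its reject_* entries that follow
    an early permit, paired with the permits that precede them."""
    findings = {}
    for name, value in parse_main_cf(text).items():
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        seen, hits = [], []
        for item in filter(None, re.split(r"[,\s]+", value)):
            if item in EARLY_PERMITS:
                seen.append(item)
            elif item.startswith("reject_") and seen:
                hits.append((item, tuple(seen)))  # skipped for those clients
        if hits:
            findings[name] = hits
    return findings
```

Each finding names a restriction that clients matched by the listed permits never reach in that list; every restriction list is evaluated separately, so a finding applies only to the list it was found in.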