Luc MAIGNAN wrote:
> Thanks for your response :

You're welcome.
Luc, do me a favour and don't top-post to the list - it makes context much harder to follow. For me, at least (before we start that particular troll-fest again)

>
> I've put in main.cf :
>
> smtpd_helo_required = yes

which will only reject a few weird clients.

> smtpd_recipient_restrictions = reject_unknown_recipient_domain,
>     reject_unauth_destination

man 5 postconf

will tell you that smtpd_recipient_restrictions stops at the first matching restriction and that neither reject_unknown_recipient_domain nor reject_unauth_destination match any mail with sender-specified routing.

If you have no blanket reject, they will probably be permitted to relay.

AIUI your restrictions are not matching the email that you wish to stop... this is probably due to 'sender-specified routing' as mentioned above. This may be why it is getting through.

It is possible they are using the 'percent hack' to achieve this: try setting

allow_percent_hack = no

in main.cf to disallow this. (It's an old relaying trick. Postfix permits it by default.)

So, have you tried finishing with a blanket reject rule?

smtpd_recipient_restrictions = permit_auth_destination, reject

Will allow users/hosts to send to your domains, but should reject everything else (including the 'unknown destination' stuff).

The problem with this is allowing certain hosts to relay.

How is this mailserver intended to work? Is it simply a final destination for email for your virtual domains? Or do you also have to permit relaying from some users/hosts?

> Result of postconf -n is :

<snipped for my random commentary>

> manpage_directory = /usr/local/man

Seriously? Is this running on Fedora?

> mynetworks = 192.168.26.0/24, 192.168.62.0/24, 127.0.0.0/8

Incidentally IMHO there is no real reason to set mynetworks to anything if you aren't using it in restrictions... (/me waits to be shot down on that one.)

My internet-facing server just has mynetworks_style=host and mynetworks is not set at all. Works fine... or you can just set it to the localhost address.

> mynetworks_style = host

/me likes using this

> relay_domains = mydomain1.com mydomain2.com mydomain3.com

So this is the parameter used by reject_unauth_destination.

## original example for context:

>>>> 24BDEE7918: to=<donna@xxxxxxxxxxxxxx>,
>>>> relay=smtp1.msp.securence.com[216.17.3.48]:25, delay=3.3,
>>>> delays=0.02/0.01/1.2/2.1, dsn=2.0.0, status=sent (250 OK, queued as
>>>> <20070429143657.24BDEE7918@
>>>>
>>>> How can I deny these mails, and deny use of another relay ?

-- 
Stuart Sears RHCA RHCSS PDF ODT DUI
"The PM's claims on this subject are not exactly lies, so much as fact-free."
http://www.no2id.net/news/pressRelease/release.php?name=Blair_Fact-Free
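
The three points raised in the reply above (finish with a blanket reject, turn off allow_percent_hack, leave mynetworks unset when no restriction uses it) can be checked mechanically against `postconf -n` output. This is an added example, not code from the thread; the `parse_postconf` and `audit` helpers and the finding names are hypothetical, and the sample input is constructed from the settings quoted in the message.

```python
import re

# Constructed sample: the settings quoted in the thread, in `postconf -n` form.
SAMPLE = """\
mynetworks = 192.168.26.0/24, 192.168.62.0/24, 127.0.0.0/8
mynetworks_style = host
relay_domains = mydomain1.com mydomain2.com mydomain3.com
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
    reject_unauth_destination
"""

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def audit(params):
    """Return findings for the three points in the reply (hypothetical helper)."""
    findings = []
    rules = [r for r in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if r]
    # Restrictions are evaluated in order; the reply's advice is to end the list with 'reject'.
    if not rules or rules[-1] != "reject":
        findings.append("no-blanket-reject")
    # allow_percent_hack defaults to yes, so only an explicit 'no' turns it off.
    if params.get("allow_percent_hack", "yes").lower() != "no":
        findings.append("percent-hack-enabled")
    # The reply's opinion: non-loopback mynetworks serves no purpose here unless
    # permit_mynetworks appears in the recipient restrictions (only that list is checked).
    nets = [n for n in re.split(r"[,\s]+", params.get("mynetworks", "")) if n]
    if any(not n.startswith(("127.", "[::1]")) for n in nets) and "permit_mynetworks" not in rules:
        findings.append("mynetworks-set-but-unused")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE)):
        print(finding)
```

On a live host, pipe the real `postconf -n` output into `parse_postconf` instead of `SAMPLE`.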