Let us take a closer look at the postfix smtpd_sender_restrictions. With our Server management support services, Bobcares can give you a detailed note on postfix smtpd_sender_restrictions in detail.

Sender Restrictions

Enter the following command code to filter out invalid senders with postfix smtpd_sender_restrictions:

# /etc/postfix/main.cf
# Sender restrictions:
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit

Firstly, allow email from network senders. The following two lines reject messages if the sender’s email address is incorrect or nonexistent, as there is no reason to accept mail from them. When the MAIL FROM address is not in the full qualification stage of the domain form by the RFC, the reject_non_fqdn sender will reject the email. When the MAIL FROM address lacks a DNS A or MX record or has a malformed MX record, such as a record with a zero-length MX hostname, the reject unknown sender domain will reject the email.

The response code for reject_unknown_sender_domain is 450 (try again later) in case of a temporary DNS error. Further, the MAIL FROM address is the address that bounces notifications that must be sent. So It is not apt to receive mail from an unknown domain. The final line allows every other message to move on to the next filtering phase.  Now lets us take a deeper look into the postfix smtpd_sender_restrictions.

smtpd_sender_restrictions (default: empty)

Optional constraints imposed by the Postfix_smtp server in the context of a client MAIL FROM command.The default setting is to allow everything. Separate a list of postfix smtpd_sender_restrictions with commas and/or whitespace.

Proceed to the Long lines by beginning the next line with whitespace. The restriction is applicable only in the specified order; the first restriction that matches wins.

postfix smtpd_sender_restrictions

The following restrictions are specific to the sender address received with the MAIL FROM command.

check_sender_access type: table:

Find the MAIL FROM address, domain, parent domains, or localpart@ in the specified database and perform the appropriate action.

check_sender_a_accesstype: table:

Search the specified database for IP addresses for the MAIL FROM domain, and then perform the appropriate action. For safety reasons, a result of “OK” is restricted. Use DUNNO instead to exclude specific hosts from denylists. Postfix 3.0 and later include this feature for postfix smtpd_sender_restrictions.

check_sender_mx_access type:table:

Find the database for MX hosts for the MAIL FROM domain. Perform the appropriate action. It won’t permit, a result of “OK” for safety reasons. Use DUNNO instead to exclude specific hosts from denylists. Postfix 2.1 and later include this feature.

check_sender_ns_accesstype:table:

Find the DNS servers for the MAIL FROM domain in the provided access(5) database and do the relevant action. The OK is in the restriction stage and use DUNNO instead to exclude particular hosts.

reject_authenticated_sender_login_mismatch:

When the client is in authentication using the SASL but the MAIL FROM address in postfix smtpd_sender_restrictions login maps or the SASL login name is not an owner for that address, reject the request. This prevents an authenticated client from sending email from a MAIL FROM address that they do not explicitly own.

reject_known_sender_login_mismatch

When the client is in SASL- authentication, reject the request if the MAIL FROM address is in smtpd sender login maps but the SASL login name is not an owner of that address. When SASL is in activation and the MAIL FROM address is in listing on postfix smtpd_sender_restrictions maps, reject the request if the client authentication fails. with SASL. This protects any MAIL FROM address listed in $smtpd sender login maps while enabling a client to utilize any MAIL FROM address not listed.

reject_non_fqdn_sender:

When the MAIL FROM address provides a domain that is not in fully-qualified domain form, reject the request. The argument non fqdn reject code sets the response code for denied requests (default: 504).

reject_rhsbl_sender rbl_domain=d.d.d.d:

When the MAIL FROM domain is specified with the A record “d.d.d.d” under rbl domain, reject the request. Each “d” represents a number or a pattern within “[]” that contains one or more “;”-separated numbers or number ranges (Postfix version 2.8 and later). When the MAIL FROM domain is mentioned with any A record under rbl domain and no “=d.d.d.d” is given, refuse the request.

The maps rbl reject code parameter defines the response code for refused queries (default: 554); the default rbl reply parameter specifies the default server reply; and the rbl reply maps parameter specifies tables indexed by rbl domain with server answers. Postfix 2.0 and later include this feature. This feature enforces the postfix smtpd_sender_restrictions even further.

reject_sender_login_mismatch:

This is an alias for as of Postfix 2.1: “reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch”.

reject_unauthenticated_sender_login_mismatch:

When SASL is enabled and the MAIL FROM address is listed in pOSTFIX smtpd_sender login maps, but the client is not authenticated with SASL, reject the request. With SASL enabled, an unauthenticated client cannot use any MAIL FROM address listed in Postfix smtpd_sender login maps.This feature is only accessible in Postfix 2.1 and later.

reject_unknown_sender_domain:

If Postfix is not the final destination for the sender address and the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record, such as a record with a zero-length MX hostname, reject the request (Postfix version 2.3 and later). The unknown address rejects code (default: 450), unknown address tempfail action, or 550 parameters can specify the response.

reject_unlisted_sender:

Reject the request if the MAIL FROM address is not among the valid recipients for the domain class. Postfix 2.1 and later include this feature.

reject_unverified_sender:

When mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable, reject the request. The verify(8) server manages to address verification information;  When an address bounces, the unverified sender_restricts the code parameter that specifies the numerical response code, the default is 450. When an address probe fails due to a temporary problem, the unverified sender defers code specifies the numerical response code.

The unverified sender tempfail action parameter specifies what happens if an address probe fails due to a temporary issue. This feature is in disable stage for aliased addresses when “enable original recipient = no” is specified (Postfix 3.2). Postfix 2.1 and later include this feature. These are the main postfix smtpd_sender_restrictions. There are other modes of restrictions also applicable in this scenario.

Other restrictions

1. SMTP client restrictions describe generic restrictions, usable in any SMTP command context.
2. Specific SMTP command restrictions: Shown in SMTP client restrictions and SMTP helo restrictions.
3. Specific SMTP command restrictions: Shown in postfix_smtpd recipient restrictions. When recipient restrictions are specified in postfix smtpd_sender_restrictions, they take effect only if “smtpd delay reject = yes,” which means that postfix smtpd_sender_restrictions are evaluated when the RCPT TO command is issued.

Examples

smtpd_sender_restrictions=reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/access

[Need assistance with similar queries? We are here to help]

Conclusion

To conclude, the postfix smtpd_sender_restrictions are easy to manage and overview. The smtpd recipient restrictions feature regulates how Postfix responds to the RCPT TO command. If the restriction list evaluates to REJECT or DEFER, it will reject the recipient address. If the result is PERMIT, it will accept the recipient’s address.