Bobcares

Postfix Smtpd_Sender_Restrictions: Explained.

by | Aug 15, 2022

Let us take a closer look at the Postfix smtpd_sender_restrictions parameter. As part of our Server Management support services, Bobcares can give you a detailed note on smtpd_sender_restrictions.

Sender Restrictions


Add the following to main.cf to filter out invalid senders with smtpd_sender_restrictions:

# /etc/postfix/main.cf
# Sender restrictions:
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

The first line, permit_mynetworks, allows email from senders on your own networks. The following two lines reject messages if the sender’s email address is incorrect or nonexistent, as there is no reason to accept mail from them. When the MAIL FROM address is not in the fully-qualified domain form required by the RFC, reject_non_fqdn_sender rejects the email. When the MAIL FROM domain lacks a DNS A or MX record or has a malformed MX record, such as a record with a zero-length MX hostname, reject_unknown_sender_domain rejects the email.

The response code for reject_unknown_sender_domain is 450 (try again later) in case of a temporary DNS error. Further, the MAIL FROM address is the address to which bounce notifications must be sent, so it is not apt to receive mail from an unknown domain. The final line allows every other message to move on to the next filtering phase. Now let us take a deeper look into smtpd_sender_restrictions.

smtpd_sender_restrictions (default: empty)

Optional restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. The default setting is to allow everything. Specify a list of restrictions, separated by commas and/or whitespace.

Continue long lines by beginning the next line with whitespace. Restrictions are applied in the order specified; the first restriction that matches wins.
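To illustrate "the first restriction that matches wins", here is a small Python model of the four-entry list from the top of this article. It is an added example, not Postfix code or part of the original article; the networks, domains and the DNS stand-in table are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the article).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com"}   # Postfix is the final destination for these
# Stand-in for DNS: True = MX or A exists, False = neither, None = temporary error.
DNS = {"partner.example": True, "nodns.example": False, "flaky.example": None}
DUNNO = None                      # no decision: fall through to the next restriction

def permit_mynetworks(client_ip, sender):
    ip = ipaddress.ip_address(client_ip)
    return ("PERMIT", None) if any(ip in net for net in MYNETWORKS) else DUNNO

def reject_non_fqdn_sender(client_ip, sender):
    if sender == "":              # the null sender <> is not checked
        return DUNNO
    domain = sender.rpartition("@")[2] if "@" in sender else ""
    return DUNNO if "." in domain.strip(".") else ("REJECT", 504)

def reject_unknown_sender_domain(client_ip, sender):
    domain = sender.rpartition("@")[2].lower()
    if sender == "" or domain in LOCAL_DOMAINS:
        return DUNNO
    found = DNS.get(domain, False)
    if found is None:             # temporary DNS error, modelled as an immediate defer
        return ("DEFER", 450)
    return DUNNO if found else ("REJECT", 450)

def permit(client_ip, sender):
    return ("PERMIT", None)

SENDER_RESTRICTIONS = [permit_mynetworks, reject_non_fqdn_sender,
                       reject_unknown_sender_domain, permit]

def evaluate(client_ip, sender, restrictions=SENDER_RESTRICTIONS):
    """Return (name, action, code) for the first restriction that decides."""
    for restriction in restrictions:
        result = restriction(client_ip, sender)
        if result is not DUNNO:
            return (restriction.__name__, *result)
    return ("end of list", "PERMIT", None)

if __name__ == "__main__":
    for ip, frm in [("192.0.2.10", "root@localhost"), ("198.51.100.7", "root@localhost"),
                    ("198.51.100.7", "a@nodns.example"), ("198.51.100.7", "a@flaky.example")]:
        print(ip, repr(frm), evaluate(ip, frm))
```

Because permit_mynetworks comes first, a client inside mynetworks is accepted even with a non-FQDN sender; listing the reject_ entries ahead of it changes that outcome.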


The following restrictions are specific to the sender address received with the MAIL FROM command.

check_sender_access type:table:

Search the specified database for the MAIL FROM address, domain, parent domains, or localpart@, and perform the appropriate action.

check_sender_a_access type:table:

Search the specified database for the IP addresses for the MAIL FROM domain, and perform the appropriate action. For safety reasons, a result of “OK” is not allowed. Use DUNNO instead to exclude specific hosts from denylists. Postfix 3.0 and later include this feature.

check_sender_mx_access type:table:

Search the specified database for the MX hosts for the MAIL FROM domain, and perform the appropriate action. For safety reasons, a result of “OK” is not allowed. Use DUNNO instead to exclude specific hosts from denylists. Postfix 2.1 and later include this feature.

check_sender_ns_access type:table:

Search the specified access(5) database for the DNS servers for the MAIL FROM domain, and perform the appropriate action. A result of “OK” is not allowed; use DUNNO instead to exclude particular hosts.

reject_authenticated_sender_login_mismatch:

When the client is authenticated using SASL but the MAIL FROM address is not listed in smtpd_sender_login_maps, or the SASL login name is not an owner of that address, reject the request. This prevents an authenticated client from sending email from a MAIL FROM address that they do not explicitly own.

reject_known_sender_login_mismatch:

When the client is SASL-authenticated, reject the request if the MAIL FROM address is listed in smtpd_sender_login_maps but the SASL login name is not an owner of that address. When SASL is enabled and the MAIL FROM address is listed in smtpd_sender_login_maps, reject the request if the client is not authenticated with SASL. This protects any MAIL FROM address listed in $smtpd_sender_login_maps while allowing a client to use any MAIL FROM address that is not listed.

reject_non_fqdn_sender:

When the MAIL FROM address specifies a domain that is not in fully-qualified domain form, reject the request. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

reject_rhsbl_sender rbl_domain=d.d.d.d:

When the MAIL FROM domain is listed with the A record “d.d.d.d” under rbl_domain, reject the request. Each “d” is a number, or a pattern inside “[]” that contains one or more “;”-separated numbers or number ranges (Postfix version 2.8 and later). When no “=d.d.d.d” is given, reject the request if the MAIL FROM domain is listed with any A record under rbl_domain.

The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554); the default_rbl_reply parameter specifies the default server reply; and the rbl_reply_maps parameter specifies tables with server replies indexed by rbl_domain. Postfix 2.0 and later include this feature.

reject_sender_login_mismatch:

As of Postfix 2.1, this is an alias for “reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch”.

reject_unauthenticated_sender_login_mismatch:

When SASL is enabled and the MAIL FROM address is listed in smtpd_sender_login_maps, but the client is not authenticated with SASL, reject the request. With SASL enabled, an unauthenticated client cannot use any MAIL FROM address listed in smtpd_sender_login_maps. This feature is only available in Postfix 2.1 and later.
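The four login-mismatch restrictions above differ only in which combinations of "authenticated?" and "listed in smtpd_sender_login_maps?" they reject. The following Python model is an added example, not Postfix code or code from the original article; the map contents and addresses are constructed, SASL is assumed to be enabled, and only the full-address and @domain lookups are modelled (the null sender is not).

```python
# Constructed smtpd_sender_login_maps content: MAIL FROM address -> owning SASL logins.
LOGIN_MAPS = {
    "alice@example.com": {"alice"},
    "sales@example.com": {"alice", "bob"},
}

def owners_of(sender):
    """Look up the full address, then @domain (simplified lookup order)."""
    sender = sender.lower()
    return LOGIN_MAPS.get(sender) or LOGIN_MAPS.get("@" + sender.rpartition("@")[2])

def _authenticated(sender, login, allow_unlisted):
    owners = owners_of(sender)
    if owners is None:            # address has no owner entry in the map
        return "DUNNO" if allow_unlisted else "REJECT"
    return "DUNNO" if login in owners else "REJECT"

def _unauthenticated(sender):
    return "REJECT" if owners_of(sender) is not None else "DUNNO"

# login is the SASL login name, or None when the client did not authenticate.
def reject_authenticated_sender_login_mismatch(sender, login):
    return _authenticated(sender, login, False) if login else "DUNNO"

def reject_unauthenticated_sender_login_mismatch(sender, login):
    return "DUNNO" if login else _unauthenticated(sender)

def reject_known_sender_login_mismatch(sender, login):
    return _authenticated(sender, login, True) if login else _unauthenticated(sender)

def reject_sender_login_mismatch(sender, login):
    return _authenticated(sender, login, False) if login else _unauthenticated(sender)

CHECKS = [reject_authenticated_sender_login_mismatch,
          reject_unauthenticated_sender_login_mismatch,
          reject_known_sender_login_mismatch,
          reject_sender_login_mismatch]

def decision_table(cases):
    """Map each (sender, login) case to the four results, in CHECKS order."""
    return {case: tuple(check(*case) for check in CHECKS) for case in cases}

if __name__ == "__main__":
    cases = [("alice@example.com", "alice"), ("alice@example.com", "bob"),
             ("alice@example.com", None), ("someone@gmail.example", "alice"),
             ("someone@gmail.example", None)]
    for case, results in decision_table(cases).items():
        print(case, results)
```

DUNNO means the restriction makes no decision and the next entry in the list is evaluated; only reject_known_sender_login_mismatch lets an authenticated client use an address that is absent from the map.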

reject_unknown_sender_domain:

If Postfix is not the final destination for the sender address, reject the request when the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record, such as a record with a zero-length MX hostname (Postfix version 2.3 and later). The response is specified with the unknown_address_reject_code parameter (default: 450), the unknown_address_tempfail_action parameter, or 550.

reject_unlisted_sender:

Reject the request if the MAIL FROM address is not listed among the valid recipients for its domain class. Postfix 2.1 and later include this feature.

reject_unverified_sender:

When mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable, reject the request. Address verification information is managed by the verify(8) server. The unverified_sender_reject_code parameter specifies the numerical response code when an address is known to bounce (default: 450). The unverified_sender_defer_code parameter specifies the numerical response code when an address probe fails due to a temporary problem.

The unverified_sender_tempfail_action parameter specifies what happens if an address probe fails due to a temporary issue. This feature is disabled for aliased addresses when “enable_original_recipient = no” is specified (Postfix 3.2). Postfix 2.1 and later include this feature. These are the main sender restrictions. Other restrictions are also valid in this context.

Other restrictions
  1. Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.
  2. SMTP command-specific restrictions described under smtpd_client_restrictions and smtpd_helo_restrictions.
  3. SMTP command-specific restrictions described under smtpd_recipient_restrictions. When recipient restrictions are listed under smtpd_sender_restrictions, they take effect only with “smtpd_delay_reject = yes”, so that smtpd_sender_restrictions is evaluated when the RCPT TO command is issued.

Examples

smtpd_sender_restrictions=reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/access


Conclusion

To conclude, smtpd_sender_restrictions is easy to manage and review. The smtpd_recipient_restrictions feature regulates how Postfix responds to the RCPT TO command. If the restriction list evaluates to REJECT or DEFER, the recipient address is rejected. If the result is PERMIT, the recipient address is accepted.


2 Comments

  1. Nato

    How do you restrict an email from being sent from your postfix email server, when the email account that is used to send the email is not listed in your server and was using a Gmail email account?

    sample this email from= is sending spam using my postfix email server.

    • Hiba Razak

      Hi,
      Please contact our support team via live chat (click on the icon at right-bottom)
