Unfortunately, sender address verification cannot simply be
turned on for all email - you are likely to lose legitimate mail
from mis-configured systems. You almost certainly will have to set
up white lists for specific addresses, or even for entire domains.
To find out how sender address verification would affect your
mail, specify "warn_if_reject reject_unverified_sender" so that
you can see what mail would be blocked:

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        permit_mynetworks
        ...
        check_sender_access hash:/etc/postfix/sender_access
        reject_unknown_sender_domain
        warn_if_reject reject_unverified_sender
        ...
    # Note 1: Be sure to read the "Caching" section below!
    # Note 2: Avoid hash files here. Use btree instead.
    address_verify_map = btree:/var/mta/verify

This is also a good way to populate your cache with address
verification results before you start to actually reject mail.
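
One way to review the warn_if_reject trial before enforcing it is to tally the would-be rejections per sender domain. This is an added example, not part of the original document or of Postfix; the log lines are constructed, and the "reject_warning" wording is assumed to match what your Postfix version logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, not from a real system. With warn_if_reject,
# smtpd logs "reject_warning" instead of "reject" and still accepts the mail.
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan 10 10:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.1.7 <bob@lists.example.net>: Sender address rejected: undeliverable address: host mail.example.net[192.0.2.20] said: 550 no such user; from=<bob@lists.example.net> to=<me@example.com> proto=ESMTP helo=<lists.example.net>
Jan 10 10:05:10 mx postfix/smtpd[2102]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.30]: 450 4.1.7 <alice@slow.example.org>: Sender address rejected: unverified address: Address verification in progress; from=<alice@slow.example.org> to=<me@example.com> proto=ESMTP helo=<slow.example.org>
Jan 10 10:06:00 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.40]: 450 4.1.8 <x@nodomain.invalid>: Sender address rejected: Domain not found; from=<x@nodomain.invalid> to=<me@example.com> proto=ESMTP helo=<nodomain.invalid>
Jan 10 10:09:44 mx postfix/smtpd[2104]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.1.7 <Carol@Lists.Example.NET>: Sender address rejected: undeliverable address: host mail.example.net[192.0.2.20] said: 550 no such user; from=<Carol@Lists.Example.NET> to=<me@example.com> proto=ESMTP helo=<lists.example.net>
"""

# Only warnings produced by reject_unverified_sender are of interest here:
# "undeliverable" = address known to bounce, "unverified" = no result yet.
PATTERN = re.compile(
    r"reject_warning: \S+ from \S+: \d{3} (?:\d\.\d\.\d )?<(?P<sender>[^>]+)>: "
    r"Sender address rejected: (?P<kind>undeliverable|unverified) address"
)

def summarize(log_text):
    """Return {sender_domain: Counter({kind: count})} for would-be rejections."""
    by_domain = defaultdict(Counter)
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # real rejects and unrelated lines are ignored
        domain = m.group("sender").rpartition("@")[2].lower()
        by_domain[domain][m.group("kind")] += 1
    return dict(by_domain)

if __name__ == "__main__":
    for domain, kinds in sorted(summarize(SAMPLE_LOG).items()):
        print(domain, dict(kinds))
```

Domains that show up here but are known to send legitimate mail are candidates for the sender_access whitelist.
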
The sender_access restriction is needed to whitelist domains
or addresses that are known to be OK. Although Postfix will not
mark a known-to-be-good address as bad after a probe fails, it is
better to be safe than sorry.
NOTE: You will have to whitelist sites such as securityfocus.com
and other sites that operate mailing lists that use a different
sender address for each posting (VERP). Such addresses pollute
the address verification cache quickly, and generate unnecessary
sender verification probes.

/etc/postfix/sender_access:
    securityfocus.com OK
    ...

The "reject_unknown_sender_domain" restriction blocks mail from
non-existent domains. Putting this before "reject_unverified_sender"
avoids the overhead of generating unnecessary probe messages.
The unverified_sender_reject_code parameter (default 450)
specifies how Postfix replies when a sender address is known to
bounce. Change this setting to 550 when you trust Postfix's
judgments.