Understanding reject_unknown_(recipient|sender)_domain


Reading the postconf explanation of reject_unknown_recipient_domain and
reject_unknown_sender_domain, I'm having trouble understanding where
these find their use.

For incoming mail: The first test criterion for both is that Postfix not
be the final destination for the recipient/sender domain, so when
Postfix is not set up with a catchall and rejects unknown users, am I
correct to think there is no use for these here?

Likewise for outgoing messages: The criteria for the domain needing to
have valid, well-formed MX -- even without reject_unknown_sender_domain,
Postfix won't be able to send such mail anyway. Is this a matter of
instantaneous rejection vs. queue and bounce after retries?

Are these two settings more applicable to relay scenarios?


Re: Understanding reject_unknown_(recipient|sender)_domain

By Bill Cole at 10/25/2016 - 09:00

Not exactly. It isn't very helpful to group these 2 restrictions
together despite their similar names, because they act on completely
independent attributes of an SMTP transaction.

reject_unknown_sender_domain prevents Postfix from accepting mail that
cannot be bounced. That may seem like an antique idea in a time when
"blowback" from bouncing messages with forged senders is a big headache,
but there remain generally safe circumstances where bounces are useful.
More importantly in common modern MTAs, using
reject_unknown_sender_domain as the first restriction in
smtp_sender_restrictions spares a system from doing any further logical
processing on that session when the sender is obviously bogus: no
lookups of anything in any maps, no determination of recipient validity,
no bandwidth/memory/disk wasted on receiving the actual message data and
passing it to a content filter. reject_unknown_sender_domain is just
about the cheapest and most reliable anti-spam policy possible, which
is part of why it catches relatively little spam: for 20 years no
sanely-configured MTA with Internet access has NOT used an equivalent
restriction so spammers almost universally have given up on using
domains that don't resolve.

Yes. For "outgoing" mail (which is presumably arriving via authenticated
port 587 submission and if it isn't: *WHY NOT???*) there's no realistic
scenario where the MSA isn't in a fundamentally broken state where it
has a realistic hope of eventually being able to pass along mail to a
recipient whose domain cannot be resolved at the time of submission.

Not really, except in the sense that outgoing mail submission is a relay

Re: Understanding reject_unknown_(recipient|sender)_domain

By mrobti at 10/25/2016 - 14:15

On 2016-10-25 07:00, Bill Cole wrote:
Fair enough, and you've nicely explained the usefulness (albeit limited
in this day and age) of reject_unknown_sender_domain.

However, can you speak to reject_unknown_recipient_domain? Trying to
re-think but I can't find a scenario where it would be redundant. ??

Re: Understanding reject_unknown_(recipient|sender)_domain

By Bill Cole at 10/25/2016 - 15:05

If a user provides a "To:" address to their mail client with an
unresolvable domain, Postfix will reject it immediately, when the user
attempts to send the message if reject_unknown_recipient_domain is in
smtp_recipient_restrictions (or any other smtpd_*_restrictions list, if
smtpd_delay_reject is enabled.)

If reject_unknown_recipient_domain is not in any restriction list,
Postfix will accept the message provided the user has done whatever else
is required to relay, such as successful authentication. It will defer
the message for later retry, and retry repeatedly until the message has
been queued for maximal_queue_lifetime (5 days, by default.) If the
domain becomes resolvable before Postfix gives up, then the message will
get delivered.

Because unresolvable domains in recipient addresses are usually due to
user error (i.e. incorrect entry of an address) it is usually better to
have the attempt to send such a message fail immediately instead of
taking 5 days to fail. That also allows the failure to be handled by the
user's mail client rather than having Postfix send the user a DSN
message documenting the failure in precise but not entirely
user-friendly detail.
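
The behaviour discussed in this thread, as an added example that is not part of any post and is not Postfix source code: a simplified Python model of the domain lookup decision documented in postconf(5) and of the reject-now versus queue-and-bounce outcome for recipients. The domain names, DNS table and function names are constructed for illustration; 450 is the default unknown_address_reject_code, and malformed-MX handling is left out.

```python
# Added example: simplified model, not Postfix source code.
UNKNOWN_ADDRESS_REJECT_CODE = 450   # Postfix default for unknown_address_reject_code
MAXIMAL_QUEUE_LIFETIME_DAYS = 5     # Postfix default, as stated in the thread

# Constructed data: domains this server is final destination for.
LOCAL_DOMAINS = {"mail.example.org"}
# Constructed DNS answers; None stands for a failed lookup (e.g. SERVFAIL).
DNS = {
    "example.com": {"MX": ["mx1.example.com"], "A": []},
    "a-only.example": {"MX": [], "A": ["192.0.2.10"]},
    "typo.example": {"MX": [], "A": []},
    "flaky.example": None,
}
NO_RECORDS = {"MX": [], "A": []}    # used for names absent from the table


def classify_domain(domain):
    """Return 'local', 'ok', 'unknown' or 'tempfail' for an address domain."""
    if domain in LOCAL_DOMAINS:
        return "local"              # the restriction does not apply here
    records = DNS.get(domain, NO_RECORDS)
    if records is None:
        return "tempfail"
    if records["MX"] or records["A"]:
        return "ok"
    return "unknown"                # no MX and no A record


def smtpd_decision(domain, restriction_enabled):
    """Reply at MAIL FROM (sender check) or RCPT TO (recipient check)."""
    state = classify_domain(domain)
    if not restriction_enabled or state in ("local", "ok"):
        return "accept"
    if state == "tempfail":
        return "defer_if_permit"    # default unknown_address_tempfail_action
    return f"reject {UNKNOWN_ADDRESS_REJECT_CODE}"


def recipient_outcome(domain, restriction_enabled, resolvable_after_days=None):
    """Follow a submitted message to its end state for one recipient domain."""
    decision = smtpd_decision(domain, restriction_enabled)
    if decision != "accept":
        return f"{decision} at RCPT TO"
    if classify_domain(domain) in ("local", "ok"):
        return "delivered"
    # Accepted although unresolvable: queued, deferred and retried.
    fixed = resolvable_after_days
    if fixed is not None and fixed < MAXIMAL_QUEUE_LIFETIME_DAYS:
        return f"delivered after {fixed} days of retries"
    return f"bounced with DSN after {MAXIMAL_QUEUE_LIFETIME_DAYS} days"
```
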

Re: Understanding reject_unknown_(recipient|sender)_domain

By mrobti at 10/25/2016 - 18:35

Many thanks for the concise explanation Bill!
