Bob Proulx wrote:
> decoder wrote:
>
>> We recently discovered that even our own mailserver (Postfix) was a
>> backscatter source (and 1-2 weeks ago spammers started to actively use
>> it), there were several reasons and I'd like to share these points with
>> the list so nobody makes the same mistakes.
>>

>
> Thanks for the discussion.
>
>
>> 2) By default, Postfix happily seems to accept email addresses referring
>> to subdomains of domains listed in $mydestination. The option
>> responsible for this cruel behavior is
>> "parent_domain_matches_subdomains" which is by default not empty. We've
>> set it to an empty string and after that, Postfix finally rejected mails
>> to bogus recipients on our subdomains.
>>

>
> The default value is:
>
> parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
>
> I don't think that any of those should match and therefore is safe by
> default.


The trouble comes from the default (compatibility) value of
relay_domains and relay_recipient_maps. For this reason, it is
recommended to set
parent_domain_matches_subdomains =
This parameter is deprecated and setting it to an empty value is now
recommended.

It is also recommended to set relay_domains explicitly, and if you have
the list of relay recipients, set relay_recipient_maps. Otherwise, use
reject_unverified_recipient in access checks (only for relay domains,
not for every domain).


> I poked at my server and couldn't trick it into accepting
> mail to subdomains. If yours is allowing messages through by matching
> one of them then I suspect that the configuration for it is the
> problem and should be fixed. In other words, you might not be done
> debugging yet and may still have another problem to figure out. :-}
>
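
A simplified model of the domain matching discussed in this thread, added here as an illustration; it is not Postfix code and not from any poster. The function names and the example.com / example.net / example.org sample values are assumptions, and the model assumes an unauthenticated outside client and the compatibility default relay_domains = $mydestination.

```python
# Simplified model of Postfix recipient-domain classification (illustration only).
DEFAULT_PDMS = {"debug_peer_list", "fast_flush_domains", "mynetworks",
                "permit_mx_backup_networks", "qmqpd_authorized_clients",
                "relay_domains", "smtpd_access_maps"}

def domain_matches(domain, patterns, parent_matches_subdomains):
    """Match a domain against plain ("example.com") or dotted (".example.com") patterns."""
    domain = domain.lower()
    for pat in (p.lower() for p in patterns):
        if pat.startswith("."):
            # Explicit subdomain pattern: needed once the feature is no longer listed.
            if not parent_matches_subdomains and domain.endswith(pat):
                return True
        elif domain == pat:
            return True
        elif parent_matches_subdomains and domain.endswith("." + pat):
            # Feature listed: the parent pattern silently covers every subdomain.
            return True
    return False

def classify(rcpt, mydestination, relay_domains, relay_recipient_maps, pdms):
    """Return how RCPT TO:<rcpt> is treated in this model."""
    domain = rcpt.rsplit("@", 1)[1]
    # Assumption: mydestination is matched exactly (it is not in the default list).
    if domain_matches(domain, mydestination, False):
        return "local"
    if domain_matches(domain, relay_domains, "relay_domains" in pdms):
        if not relay_recipient_maps:
            # No recipient list: accepted now, bounced later (backscatter).
            return "relay, recipient not validated"
        return "relay" if rcpt.lower() in relay_recipient_maps else "reject"
    return "reject"

if __name__ == "__main__":
    md = ["example.com"]                      # constructed sample value
    for label, pdms in (("default list", DEFAULT_PDMS), ("empty", set())):
        # relay_domains = md models the compatibility default $mydestination
        print(label, "->", classify("bogus@sub.example.com", md, md, set(), pdms))
```
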