[I've lost track of this thread a bit, so I am going to try and
reinforce what the problem is and some suggested fixes....]
On 29 May 2007, at 12:23, Zbigniew Szalbot wrote:
> This is the content of the file:
>
> accept hosts = +relay_from_hosts
>
> accept
> senders = :
> condition = ${if >{$recipients_count}{1}{0}{1}}
[ rest of ACLs snipped]

The bottom ACL there is the problem. It is accepting any mail with
empty senders and only one recipient.

There are a number of potential solutions to this...

1. Do not treat empty senders any different to other mail
   coming through the box - ie delete this ACL entirely.
2. Add a check within the same ACL to ensure that recipients
   are local (and another ACL for remote recipients caused
   by a locally generated bounce)
3. Reverse the test to reject bounces to multiple recipients
   (not quite safe - aliasing can legitimately cause multi recipient
   bounces).

Really in your RCPT ACL you want to:-

+ ACCEPT if locally generated
+ ACCEPT if authenticated
+ REJECT if destination cannot be verified
+ ACCEPT if in relay networks (ie local network)
+ REJECT (or WARN) if sender host is on DNS lists you use
+ REJECT if bounce to (remote/non-local) address
  *** legitimate locally generated bounces are accepted by earlier
  rules
+ ACCEPT everything else

there are variations on this, including ordering things to get the
best use of your CPU...

Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
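
The rule ordering outlined in the message above, written out as an Exim RCPT ACL. This is an added example, not configuration from the thread or from the Exim project. It assumes a domainlist named `local_domains`, the `relay_from_hosts` hostlist already used in the quoted file, an ACL named `acl_check_rcpt`, and a placeholder DNS list `dnsbl.example.invalid`; the final accept is narrowed to local domains, an assumption made here because recipient verification alone succeeds for any routable remote address under stock routers.

```exim
# Added example: RCPT ACL following the ordering in the message above.
# local_domains, acl_check_rcpt and dnsbl.example.invalid are assumed names.

acl_check_rcpt:

  # ACCEPT if locally generated: no remote host (non-SMTP, or SMTP on stdin).
  # Locally generated bounces to remote recipients are accepted here.
  accept  hosts         = :

  # ACCEPT if authenticated.
  accept  authenticated = *

  # REJECT if the destination cannot be verified.
  require message       = unroutable address
          verify        = recipient

  # ACCEPT if in relay networks (the local network).
  accept  hosts         = +relay_from_hosts

  # REJECT if the sender host is on a DNS list you use.
  deny    message       = $sender_host_address is listed at $dnslist_domain
          dnslists      = dnsbl.example.invalid

  # REJECT a bounce (empty sender) addressed to a non-local recipient.
  # This replaces the quoted "accept senders = :" rule, which accepted
  # empty-sender mail regardless of the recipient's domain.
  deny    message       = bounces are accepted for local recipients only
          senders       = :
          !domains      = +local_domains

  # ACCEPT everything else that is addressed to a local domain
  # (narrowed from a bare accept; assumption of this example).
  accept  domains       = +local_domains

  deny    message       = relay not permitted
```

A dry run with `exim -bh <client-ip>`, feeding `MAIL FROM:<>` and a remote `RCPT TO`, shows which rule fires without delivering anything.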