76
76
<h2><a name="how">How address verification works</a></h2>
78
<p> A sender or recipient address is verified by probing the nearest
78
<p> A Postfix MTA verifies a sender or recipient address by probing
79
80
MTA for that address, without actually delivering mail. The nearest
80
MTA could be Postfix itself, or it could be a remote MTA (SMTP
81
MTA could be the Postfix MTA itself, or it could be a remote MTA
81
83
interruptus). Probe messages are like normal mail, except that
82
84
they are never delivered, deferred or bounced; probe messages are
83
85
always discarded. </p>
249
251
<a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>
250
252
<a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>
254
# Postfix 2.6 and later privacy feature.
255
# <a href="postconf.5.html#unverified_recipient_reject_reason">unverified_recipient_reject_reason</a> = Address lookup failed
257
261
avoids the overhead of generating unnecessary probe messages. </p>
259
263
<p> The <a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> parameter (default 450)
260
specifies how Postfix replies when a recipient address is known to
264
specifies the numerical Postfix SMTP server reply code when a
265
recipient address is known to
261
266
bounce. Change this setting into 550 when you trust Postfix's
269
<p> The following features are available in Postfix 2.6 and later.
272
<p> The <a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> parameter (default 450)
273
specifies the numerical Postfix SMTP server reply code when a
274
recipient address probe fails with some temporary error. Some sites
275
insist on changing this into 250. NOTE: This change turns MX servers
276
into backscatter sources when the load is high. </p>
278
<p> The <a href="postconf.5.html#unverified_recipient_reject_reason">unverified_recipient_reject_reason</a> parameter (default:
279
empty) specifies fixed text that Postfix will send to remote SMTP
280
clients, instead of sending actual address verification details.
281
Do not specify the SMTP status code or enhanced status code. </p>
283
<p> The <a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> parameter (default:
284
<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>) specifies the Postfix SMTP server action when a
285
recipient address verification probe fails with some temporary
264
288
<h2><a name="forged_sender">Sender address verification for mail from frequently forged domains</a></h2>
266
<p> It is relatively safe to turn on sender address verification for
267
specific domains that often appear in forged email. </p>
290
<p> Only for very small sites, it is relatively safe to turn on
291
sender address verification for specific domains that often appear
292
in forged email. </p>
271
296
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
272
297
<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> = hash:/etc/postfix/sender_access
273
298
<a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> = 550
299
# Postfix 2.6 and later.
300
# <a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> = 250
274
302
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
275
303
# Note 2: Avoid hash files here. Use btree instead.
276
304
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:/var/lib/postfix/verify
313
341
<a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>
314
342
<a href="postconf.5.html#warn_if_reject">warn_if_reject</a> <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>
344
# Postfix 2.6 and later.
345
# <a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> = Address verification failed
316
347
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
317
348
# Note 2: Avoid hash files here. Use btree instead.
318
349
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:/var/lib/postfix/verify
346
377
avoids the overhead of generating unnecessary probe messages. </p>
348
379
<p> The <a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> parameter (default 450)
349
specifies how Postfix replies when a sender address is known to
380
specifies the numerical Postfix server reply code when a sender
350
382
bounce. Change this setting into 550 when you trust Postfix's
385
<p> The following features are available in Postfix 2.6 and later.
388
<p> The <a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> parameter (default 450) specifies
389
the numerical Postfix SMTP server reply code when a sender address
390
verification probe fails with some temporary error. Specify a valid
391
2xx or 4xx code. </p>
393
<p> The <a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> parameter (default:
394
empty) specifies fixed text that Postfix will send to remote SMTP
395
clients, instead of sending actual addres verification details.
396
Do not specify the SMTP status code or enhanced status code. </p>
398
<p> The <a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> parameter (default:
399
<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>) specifies the Postfix SMTP server action when a
400
sender address verification probe fails with some temporary error.
353
403
<h2><a name="caching">Address verification database</a></h2>
355
405
<p> NOTE: By default, address verification information is not stored