Postfix: Rejecting emails based on envelope sender requires "check_sender_access"

Webmin uses the Postfix directive "check_client_access" in "smtpd_client_restrictions" in the "SMTP Client Restrictions" dialog.

Problem is: To block incoming mail based on envelope sender address, you need "check_sender_access" in "smtpd_sender_restrictions". In "client_access", only rejection based on IP address and hostnames is possible.

The Webmin help text says though that I can also put email addresses in the client_access hash map, which does not work -- I just tested that.

So Webmin should have an option to edit a sender_access map, and the proper map should be used for IP addresses, hostnames and email addresses.



That sounds doable. But just to make sure I am on the right track, can you post the specific Postfix directives you would use to set this up?

Yes certainly, will post them as soon as I'm on my PC! I set up a proper map for that and added it to Postfix manually, I'll post the directives shortly.

Okay here's what I did.

I created a file /etc/postfix/sender-reject with the contents

user@domain.tld REJECT Blacklisted - UCE sender address

I ran postmap hash:sender-reject and added this to

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender-reject

Ok .. and so presumably you add known spammer addresses to that blacklist map?

Yes that's right... on the rather rare occasion when a "mild spammer" always uses the same sender address, I'd like to be able to block them this way.

And of course I reported this because the present information in Webmin is incorrect, since it says I can put addresses in check_client_access.

Where exactly are you seeing that incorrect doc in Webmin?

The help text reachable via the link "SMTP Client Restrictions: Click on any mapping to edit its properties: What format should I use?" says that I can add "Email address mappings" to that map.

Since that map is added as check_client_access though, that does not work. You need check_sender_access to do email address mapping.

In check_client_access, the "user@domain" and "user@" formats are ignored, and "domain.tld" is interpreted as the delivering host, as opposed to the domain of the envelope sender.

Come to think of it, this makes perfect sense. How should Postfix know if by "domain.tld" in that map you mean a hostname, or an envelope sender domain? :) That's why you need different maps for that.
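
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Postfix or Webmin code: a simplified Python model of the lookup keys access(5) describes for check_client_access and check_sender_access, run against the same table. The function names, the relay hostnames and the 192.0.2.x addresses are constructed assumptions; subdomain matching, address extensions and IPv6 are left out.

```python
# Simplified model of the lookup keys described in access(5). Not Postfix code:
# subdomain matching, address extensions and IPv6 are left out.

def parse_table(text):
    """Parse 'pattern action' lines of an access table into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, _, action = line.partition(" ")
            table[pattern.lower()] = action.strip()
    return table

def sender_keys(sender):
    """Keys tried by check_sender_access for the envelope sender (MAIL FROM)."""
    local, _, domain = sender.lower().rpartition("@")
    return [f"{local}@{domain}", domain, f"{local}@"]

def client_keys(hostname, ip):
    """Keys tried by check_client_access: client hostname, then IPv4 prefixes."""
    octets = ip.split(".")
    return [hostname.lower()] + [".".join(octets[:n]) for n in range(4, 0, -1)]

def decide(table, keys):
    """Return the action of the first matching key, or DUNNO when none match."""
    for key in keys:
        if key in table:
            return table[key]
    return "DUNNO"

def evaluate(table_text, hostname, ip, sender):
    """Apply the same table under both restrictions and report each result."""
    table = parse_table(table_text)
    return {
        "check_client_access": decide(table, client_keys(hostname, ip)),
        "check_sender_access": decide(table, sender_keys(sender)),
    }

# Constructed sample table: first entry is the one from the thread.
TABLE = """\
user@domain.tld REJECT Blacklisted - UCE sender address
domain.tld REJECT Blacklisted domain
"""

if __name__ == "__main__":
    # Listed sender, unrelated relay: only the sender lookup matches.
    print(evaluate(TABLE, "mail.example.net", "192.0.2.25", "user@domain.tld"))
    # Unrelated sender, relay named domain.tld: only the client lookup matches.
    print(evaluate(TABLE, "domain.tld", "192.0.2.26", "someone@example.org"))
```

On a live system, `postmap -q user@domain.tld hash:/etc/postfix/sender-reject` confirms the entry is present in the built map, but only the restriction the map is attached to determines which of these key sets is looked up.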