SRS and Relay Blocking

Prior to the 8.0 release, decoding of SRS addresses happened invisibly before all other address processing (including probing of access mapping tables such as  ),  with the result that when a remote site bounced a message from an SRS encoded sender address, the notification message returning to the encoded SRS address came to the MTA which decoded the address to (typically) discover a remote sender address and potentially reject the notification message as an attempt to "relay" (a notification message from a remote site to a remote original sender, in its attempt to pass through the MTA). As of 8.0, the still-SRS-encoded address is used in the  probe, nullifying this problem. Meantime, in earlier versions, there is an  approach to work around this problem.

Configuring with the  and modifying the entries of the   mapping table to expect an ORCPT field in each probe is one way to work around such an issue. In the following example, all the "usual" entries of  have been modified to expect an additional field in the probe, the "orcpt" field, and an initial entry (prior to the basic   -&#x3e;    block entry) has been added to allow passing through addresses that turn out to be "remote" when the MTA&#x27;s own SRS encoding is removed: ORIG_SEND_ACCESS ! Allow "relaying" of responses (such as notification messages) back to ! those original messages that came from remote senders to originally local ! recipients which the MTA relayed onwards, SRS-encoded, to remote recipients. ! That is, these are messages (notification messages) from remote sites to ! which local users had forwarded their e-mail, back to original senders to ! those (forwarding) local users: ! such messages that come in addressed using an SRS encoding with this MTA&#x27;s ! own srs_domain, but which (once SRS encoding is removed) end up addressed ! back to a "remote" address. !  tcp_local&#x7c;&#x2a;&#x7c;tcp_local&#x7c;&#x2a;&#x7c;rfc822;SRS0=&#x2a;&#x3c;srs_domain&#x3e;    $Y ! ! Normal relay blocking entry !  tcp_local&#x7c;&#x2a;&#x7c;tcp_local&#x7c;&#x2a;&#x7c;&#x2a;               $NRelaying$ not$ permitted ! ! Block direct submission to MTA "intermediate" channels !  tcp_&#x2a;&#x7c;&#x2a;&#x7c;native&#x7c;&#x2a;&#x7c;&#x2a;       $N tcp_&#x2a;&#x7c;&#x2a;&#x7c;hold&#x7c;&#x2a;&#x7c;&#x2a;        $N tcp_&#x2a;&#x7c;&#x2a;&#x7c;pipe&#x7c;&#x2a;&#x7c;&#x2a;        $N ! ! Block direct submission to Message Store delivery channels; ! routing to such channel should only occur due to MTA address/alias ! processing !  tcp_&#x2a;&#x7c;&#x2a;&#x7c;ims-ms&#x7c;&#x2a;&#x7c;&#x2a;        $N tcp_&#x2a;&#x7c;tcp_lmtpcs&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;    $N ! ! Block "external" submissions of explicitly source-routed "internal" addresses !   tcp_local&#x7c;&#x2a;&#x7c;tcp_intranet&#x7c;@&#x2a;:&#x2a;.&#x2a;&#x7c;&#x2a;   $N$D30&#x7c;Explicit$ routing$ not$ allowed tcp_local&#x7c;&#x2a;&#x7c;tcp_intranet&#x7c;&#x2a;$%&#x2a;@&#x2a;&#x7c;&#x2a;  $N$D30&#x7c;Explicit$ routing$ not$ allowed tcp_local&#x7c;&#x2a;&#x7c;tcp_intranet&#x7c;&#x2a;.&#x2a;!&#x2a;@&#x2a;&#x7c;&#x2a; $N$D30&#x7c;Explicit$ routing$ not$ allowed tcp_local&#x7c;&#x2a;&#x7c;tcp_intranet&#x7c;"&#x2a;@&#x2a;"@&#x2a;&#x7c;&#x2a; $N$D30&#x7c;Explicit$ routing$ not$ allowed

See also:
 * access_orcpt MTA Option
 * Recipient access mapping tables
 * srs_domain MTA Option
 * SRS MTA options
 * Blocking SMTP relaying