Just like reports of undeliverable mail, DSN reports of
successful delivery can give away more information about the
internal infrastructure than desirable. Unfortunately, disallowing
"success" notification requests requires disallowing other DSN
requests as well. The RFCs do not offer the option to negotiate
feature subsets.

This is not as bad as it sounds. When you turn off DSN for
remote inbound mail, remote senders with DSN support will still be
informed that their mail reached your Postfix gateway successfully;
they just will not get successful delivery notices from your internal
systems. Remote senders lose very little: they can no longer specify
how Postfix should report delayed or failed delivery.

Use the smtpd_discard_ehlo_keyword_address_maps feature if you
wish to allow DSN requests from trusted clients but not from random
strangers (see below for how to turn this off for all clients):

/etc/postfix/main.cf:
    smtpd_discard_ehlo_keyword_address_maps =
        cidr:/etc/postfix/esmtp_access

/etc/postfix/esmtp_access:
    # Allow DSN requests from local subnet only
    192.168.0.0/28      silent-discard
    0.0.0.0/0           silent-discard, dsn
    ::/0                silent-discard, dsn
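
To check which clients the table above leaves DSN enabled for, the following added example (not part of Postfix or of the original text) models the first-match lookup of a cidr: table in simplified form and applies it to a constructed EHLO keyword list. The function names and the sample client addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed copy of the esmtp_access table shown above.
ESMTP_ACCESS = """\
# Allow DSN requests from local subnet only
192.168.0.0/28      silent-discard
0.0.0.0/0           silent-discard, dsn
::/0                silent-discard, dsn
"""

def parse_cidr_table(text):
    """Return [(network, keywords)] in file order (simplified model)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        # Keywords are case-insensitive, separated by commas and/or spaces.
        keywords = {k.lower() for k in result.replace(",", " ").split()}
        rules.append((ipaddress.ip_network(pattern), keywords))
    return rules

def discarded_keywords(rules, client_ip):
    """First matching rule wins; None means no rule matched the client."""
    addr = ipaddress.ip_address(client_ip)
    for network, keywords in rules:
        if addr in network:  # an IPv4 address never matches an IPv6 rule
            # silent-discard only suppresses logging; it is not an EHLO keyword.
            return keywords - {"silent-discard"}
    return None

def filter_ehlo(announced, discard):
    """Drop discarded keywords from the list the server would announce."""
    return [k for k in announced if k.split()[0].lower() not in discard]

RULES = parse_cidr_table(ESMTP_ACCESS)
# Constructed EHLO keyword list, for illustration only.
ANNOUNCED = ["PIPELINING", "SIZE 10240000", "STARTTLS", "8BITMIME", "DSN"]

if __name__ == "__main__":
    for ip in ("192.168.0.5", "192.168.0.20", "203.0.113.7", "2001:db8::1"):
        print(ip, filter_ehlo(ANNOUNCED, discarded_keywords(RULES, ip) or set()))
```

Note that 192.168.0.20 lies outside the /28 and therefore falls through to the 0.0.0.0/0 rule, so it is not offered DSN.
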

If you want to disallow all use of DSN requests from the network,
use the smtpd_discard_ehlo_keywords feature:

/etc/postfix/main.cf:
    smtpd_discard_ehlo_keywords = silent-discard, dsn