Postfix Configuration: The argument against reject_unverified_sender
When configuring a mail server, there are techniques available which can help you to reduce spam.
A popular spam reduction technique is to ‘greylist’ emails. This method temporarily rejects an email if the server has never seen a prior attempt to send the same combination of From email, To email and From IP address. Legitimate emails are tried again after a few moments, and the email then goes through with no problem.
Another option in Postfix which can be used to reduce spam is the ‘reject_unverified_sender’ option. To confirm that the ‘Sender’ is a valid user, Postfix makes a connection to the server associated with the sender’s domain (by MX record). It goes through the email sending process far enough to find out whether that server accepts or rejects the sender’s email address (RCPT TO: firstname.lastname@example.org).
While it seems like a good idea to confirm that the email address sending email to us is valid, if the sender’s server has greylisting on its domain it would reject the ‘verification’ connection, which would then ‘reject’ the attempted message.
For this reason, we choose not to globally install postfix servers with reject_unverified_sender.
There is some argument, though, that this does not cause a permanent problem: when the reject_unverified_sender_code is set to 450, the rejection of the email will only be temporary, and when the email is attempted again, the sender verification should pass the greylisting.
However, this is not good enough for me, because there are other reasons that the sender verification could fail. One is that the sender’s server may not accept the MAIL FROM address used by the verifying server. The doublebounce@ email address used for verification might not be accepted for other reasons, such as the fact that THEY may be doing some sender verification of their own, which would fail when an email is attempted to doublebounce. Additionally, the verifying server could end up getting a bad ‘reputation’ for only checking whether email addresses are deliverable but never actually delivering a mail message.
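The two failure modes described above, as an added example that is not part of the original post: a simplified Python model (not Postfix code) of our server probing a remote server that greylists, and one that refuses the probe's MAIL FROM address. The addresses, the 300-second greylist delay and all class and function names are assumptions made for illustration.

```python
# Simplified model, constructed for illustration; not Postfix's implementation.
GREYLIST_DELAY = 300  # assumed: seconds before a new triplet is accepted


class RemoteMX:
    """Mail server for the sender's domain, greylisting on (ip, from, to)."""

    def __init__(self, users, blocked_senders=()):
        self.users = set(users)
        self.blocked_senders = set(blocked_senders)
        self.first_seen = {}

    def rcpt_to(self, client_ip, mail_from, rcpt, now):
        if mail_from in self.blocked_senders or rcpt not in self.users:
            return 550  # probe sender refused, or no such mailbox
        first = self.first_seen.setdefault((client_ip, mail_from, rcpt), now)
        return 250 if now - first >= GREYLIST_DELAY else 450


class VerifyingMX:
    """Our server: probes the sender's MX before accepting a message."""

    def __init__(self, ip, probe_from, reject_code=450):
        self.ip, self.probe_from, self.reject_code = ip, probe_from, reject_code

    def receive(self, sender, remote, now):
        # The probe goes only as far as RCPT TO; no message is ever delivered.
        reply = remote.rcpt_to(self.ip, self.probe_from, sender, now)
        return 250 if reply == 250 else self.reject_code


def replay(remote, sender, times):
    """Reply codes our server gives to the same message retried at `times`."""
    ours = VerifyingMX("192.0.2.10", PROBE)
    return [ours.receive(sender, remote, t) for t in times]


PROBE = "doublebounce@mx.example.net"   # constructed probe address
SENDER = "alice@example.org"            # constructed legitimate sender
RETRIES = [0, 60, 400, 3600]            # seconds since the first attempt

if __name__ == "__main__":
    # Greylisting only: deferred until the probe triplet ages past the delay.
    print(replay(RemoteMX({SENDER}), SENDER, RETRIES))
    # Remote refuses the probe's MAIL FROM: a valid sender never verifies.
    print(replay(RemoteMX({SENDER}, {PROBE}), SENDER, RETRIES))
```

In this model a retry gets past greylisting once the delay has elapsed, but a valid sender whose server refuses the probe address is deferred on every attempt.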
For these reasons, I recommend skipping this setting and perhaps only using reject_unknown_sender_domain, which just checks whether there is a valid MX record for a domain.
While Postfix is powerful, with a plethora of options, not all of them are immediately helpful.