From: Pascal Maes on 16 Nov 2009 13:46

Hello,

I would like authenticated users and users from my network to be able to send email to wrong addresses, because it could be worse to find a wrong address if the mail is rejected at the smtp connection.

# postconf -n
address_verify_sender = verify_address(a)uclouvain.be
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_size_limit = 50000
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
hash_queue_depth = 1
hash_queue_names = deferred defer incoming hold
header_checks = regexp:/etc/postfix/rules/header_checks
html_directory = no
mail_owner = postfix
mailbox_size_limit = 250000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 250000000
milter_default_action = tempfail
milter_protocol = 6
mydestination = $myhostname, localhost, localhost.$mydomain
mydomain = sipr-dc.ucl.ac.be
myhostname = smtp1.sgsi.ucl.ac.be
mynetworks = 127.0.0.0/8,10.0.0.0/8,130.104.0.0/16,192.168.128.0/17,193.190.89.0/24
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = debug_peer_list
    mynetworks
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = hash:/etc/postfix/relais/relay_domains
relay_recipient_maps = hash:/etc/postfix/relais/transport
    hash:/etc/postfix/relais/virtual_relais
    hash:/etc/postfix/relais/virtual_aliases
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 300
smtpd_client_recipient_rate_limit = 1000
smtpd_data_restrictions = check_sender_access hash:/etc/postfix/rules/check_backscatterer
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040
smtpd_hard_error_limit = ${stress?3}${stress:20}
smtpd_helo_required = yes
smtpd_helo_restrictions = check_client_access hash:/etc/postfix/rules/access
    check_recipient_access pcre:/etc/postfix/rules/listes_client_access
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_hostname
    check_client_access hash:/etc/postfix/rules/helo_whitelist
    check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
    reject_non_fqdn_hostname
    check_client_access hash:/etc/postfix/files_access/spammers
    check_helo_access pcre:/etc/postfix/rules/helo_checks
    check_sender_mx_access cidr:/etc/postfix/rules/bogus_mx_checks
    permit
smtpd_milters = unix:/var/run/clamav/milter-clamav.socket
    local:/var/run/milter/milter-spiff.socket
smtpd_recipient_restrictions = reject_non_fqdn_recipient
    reject_non_fqdn_sender
    check_recipient_access hash:/etc/postfix/rules/ucllouvain
    check_recipient_access hash:/etc/postfix/rules/invalid
    check_recipient_access hash:/etc/postfix/rules/phishing_reply_adresses
    permit_sasl_authenticated
    permit_mynetworks
    reject_unlisted_recipient
    reject_unknown_recipient_domain
    reject_unauth_destination
    reject_multi_recipient_bounce
    check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
    check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-header
    check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-permit
    check_sender_access hash:/etc/postfix/rules/sender_whitelist
    check_client_access hash:/etc/postfix/rules/client_whitelist
    check_sender_access pcre:/etc/postfix/rules/pcre_sender_whitelist
    check_recipient_access hash:/etc/postfix/rules/recipient_whitelist
    reject_rbl_client zen.dnsbl
    reject_rbl_client sip.invaluement.dnsbl
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client safe.dnsbl.sorbs.net
    permit_auth_destination
    reject
smtpd_restriction_classes = must_be_valid_squirrel_sender
    restrict_list_client_access
    restrict_list_sender_accesrestrict_list_cluster_access
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_recipient_access pcre:/etc/postfix/rules/listes_sender_access
    check_client_access hash:/etc/postfix/rules/squirrel_ip
    check_sender_access hash:/etc/postfix/rules/access
    permit_sasl_authenticated
    permit_mynetworks
    reject_unknown_recipient_domain
    check_sender_access hash:/etc/postfix/rules/stluc
    check_client_access hash:/etc/postfix/rules/access
    reject_unknown_sender_domain
smtpd_soft_error_limit = ${stress?1}${stress:10}
smtpd_tls_CAfile = /etc/postfix/ssl/ct_root.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.sgsi.ucl.ac.be-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.sgsi.ucl.ac.be-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/spool/postfix/.cache/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/relais/transport
    hash:/etc/postfix/relais/virtual_relais
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/relais/virtual_aliases

In smtpd_recipient_restrictions, I have put the lines

permit_sasl_authenticated
permit_mynetworks

before

reject_unlisted_recipient

but when I send an email from 10.1.5.2 (within my networks) I get the following in the logfile:

Nov 16 19:32:31 smtp-1 postfix/smtpd[8626]: connect from smtp-2.sipr-dc.ucl.ac.be[10.1.5.2]
Nov 16 19:32:43 smtp-1 postfix/smtpd[8626]: NOQUEUE: reject: RCPT from smtp-2.sipr-dc.ucl.ac.be[10.1.5.2]: 550 5.1.1 <toto(a)uclouvain.be>: Recipient address rejected: User unknown in relay recipient table; from=<tutu(a)uclouvain.be> to=<toto(a)uclouvain.be> proto=SMTP helo=<smtp2.sgsi.ucl.ac.be>
Nov 16 19:32:51 smtp-1 postfix/smtpd[8626]: disconnect from smtp-2.sipr-dc.ucl.ac.be[10.1.5.2]

What's wrong?

Thanks
--
Pascal

From: Pascal Maes on 16 Nov 2009 14:14

It seems that I have to add

smtpd_reject_unlisted_recipient = no

to the main.cf

And if I want to permit only authenticated users to use wrong addresses (by mistake), I have to declare:

permit_sasl_authenticated
reject_unlisted_recipient
permit_mynetworks

Correct?

Thanks,
--
Pascal
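
The behaviour discussed in this thread, as an added example that is not part of either post and is not Postfix code: a simplified Python model of the RCPT TO decision, showing why a permit in smtpd_recipient_restrictions does not bypass the implicit check controlled by smtpd_reject_unlisted_recipient. The function names, the dictionary keys and the sample clients are assumptions made for the illustration; the client, HELO and sender restriction lists are not modelled.

```python
# Added illustration: a simplified model of Postfix RCPT TO handling, not Postfix source.
# Only the three restrictions discussed in the thread are modelled.

def evaluate(restrictions, client):
    """Walk one restriction list; the first restriction that matches decides."""
    for name in restrictions:
        if name == "permit_sasl_authenticated" and client["sasl"]:
            return "permit"
        if name == "permit_mynetworks" and client["in_mynetworks"]:
            return "permit"
        if name == "reject_unlisted_recipient" and not client["rcpt_listed"]:
            return "reject"
    return "dunno"


def rcpt_decision(restrictions, client, reject_unlisted=True):
    """reject_unlisted models main.cf smtpd_reject_unlisted_recipient (default: yes)."""
    if evaluate(restrictions, client) == "reject":
        return "reject (explicit)"
    # The implicit check runs after the list and ignores an earlier permit.
    if reject_unlisted and not client["rcpt_listed"]:
        return "reject (implicit)"
    return "accept"


# Ordering from the first post, and the ordering proposed in the follow-up.
POSTED = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unlisted_recipient"]
AUTH_ONLY = ["permit_sasl_authenticated", "reject_unlisted_recipient", "permit_mynetworks"]

# Constructed clients, each sending to an address missing from relay_recipient_maps.
LAN = {"sasl": False, "in_mynetworks": True, "rcpt_listed": False}   # like 10.1.5.2
AUTHED = {"sasl": True, "in_mynetworks": False, "rcpt_listed": False}


def scenarios():
    """Decision for each configuration discussed in the thread."""
    return {
        "posted order, default setting, LAN client": rcpt_decision(POSTED, LAN),
        "posted order, setting = no, LAN client": rcpt_decision(POSTED, LAN, False),
        "auth-only order, setting = no, LAN client": rcpt_decision(AUTH_ONLY, LAN, False),
        "auth-only order, setting = no, SASL client": rcpt_decision(AUTH_ONLY, AUTHED, False),
    }


if __name__ == "__main__":
    for label, decision in scenarios().items():
        print(f"{label}: {decision}")
```

With smtpd_reject_unlisted_recipient = no, mail to an unlisted address that a restriction list permits is queued and bounced later instead of being refused during the SMTP session.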