From: Michael Orlitzky on 18 Jun 2010 21:48

Our MX currently relays to one of two boxes (mail1, mail2) based on a
list of domains in transport_maps. Both mail1 and mail2 are ours, and we
have a full list of domains and recipients in relay_domains and
relay_recipient maps respectively.

Now, I would like to add a third, external, relay destination for one
domain. I can add the domain to relay_domains, but would prefer to use
address verification for the recipients (in that domain only).

My current restrictions:

  smtpd_recipient_restrictions =
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_recipient_access hash:/etc/postfix/maps/rfc_addresses,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    check_client_access pcre:/etc/postfix/maps/reverse_dns.pcre,
    reject_unknown_sender_domain,
    check_client_access pcre:/etc/postfix/maps/generic_rbl_clients.pcre,
    check_sender_access hash:/etc/postfix/maps/backscatter_senders,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    check_policy_service unix:private/policyd-spf,
    check_policy_service unix:private/postgrey,
    permit

My first question is, what effect does reject_unverified_recipient
actually have? For example, if the recipient is verified, do the
restrictions continue to be evaluated, or is it the equivalent of an OK?
If the other restrictions are evaluated, wouldn't the address still be
rejected by either reject_unlisted_recipient or the default
smtpd_reject_unlisted_recipient=yes?

Regardless of the answer to that question, where is the smartest place
to stick that restriction in my current list? I would prefer to add
something like,

  check_recipient_access hash:/.../recipient_verify_domains

containing,

  example.com reject_unverified_recipient

so that only that domain's addresses are verified. However, this depends
on whether or not the reject_unlisted_recipient is skipped. If it isn't,
should I move the reject_unlisted/unverified restrictions to the end? Or
create a separate (almost-identical) restrictions class for the domain
in question?

From: Noel Jones on 19 Jun 2010 12:08

On 6/18/2010 8:48 PM, Michael Orlitzky wrote:
> Our MX currently relays to one of two boxes (mail1, mail2) based on a
> list of domains in transport_maps. Both mail1 and mail2 are ours, and we
> have a full list of domains and recipients in relay_domains and
> relay_recipient maps respectively.
>
> Now, I would like to add a third, external, relay destination for one
> domain. I can add the domain to relay_domains, but would prefer to use
> address verification for the recipients (in that domain only).
>
> My current restrictions:
>
> smtpd_recipient_restrictions =
>   reject_unauth_destination,
>   reject_unlisted_recipient,
>   check_recipient_access hash:/etc/postfix/maps/rfc_addresses,
>   reject_non_fqdn_helo_hostname,
>   reject_invalid_helo_hostname,
>   reject_non_fqdn_sender,
>   check_client_access pcre:/etc/postfix/maps/reverse_dns.pcre,
>   reject_unknown_sender_domain,
>   check_client_access pcre:/etc/postfix/maps/generic_rbl_clients.pcre,
>   check_sender_access hash:/etc/postfix/maps/backscatter_senders,
>   reject_rhsbl_client dbl.spamhaus.org,
>   reject_rhsbl_helo dbl.spamhaus.org,
>   reject_rhsbl_sender dbl.spamhaus.org,
>   check_policy_service unix:private/policyd-spf,
>   check_policy_service unix:private/postgrey,
>   permit
>
> My first question is, what effect does reject_unverified_recipient
> actually have? For example, if the recipient is verified, do the
> restrictions continue to be evaluated, or is it the equivalent of an OK?
> If the other restrictions are evaluated, wouldn't the address still be
> rejected by either reject_unlisted_recipient or the default
> smtpd_reject_unlisted_recipient=yes?
>
> Regardless of the answer to that question, where is the smartest place
> to stick that restriction in my current list? I would prefer to add
> something like,
>
> check_recipient_access hash:/.../recipient_verify_domains
>
> containing,
>
> example.com reject_unverified_recipient
>
> so that only that domain's addresses are verified. However, this depends
> on whether or not the reject_unlisted_recipient is skipped. If it isn't,
> should I move the reject_unlisted/unverified restrictions to the end? Or
> create a separate (almost-identical) restrictions class for the domain
> in question?

All postfix reject_* restrictions return the equivalent of either REJECT
or DUNNO; if the transaction is not rejected it will continue with the
next defined restriction.

(Rules that can return DEFER_IF_PERMIT, such as
reject_unverified_[sender,recipient], are slightly more complicated
since a later restriction can cause a reject rather than a deferral, but
the general rule still applies -- if the connection isn't rejected,
processing continues with the next defined restriction.)

To exempt a relay domain from the reject_unlisted_recipient checks, add
a wildcard for that domain to your relay_recipient_maps table.
http://www.postfix.org/postconf.5.html#relay_recipient_maps

To verify recipients at a specific domain, I would put a
check_recipient_access map just after where you have
reject_unlisted_recipients

-- Noel Jones

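The evaluation order described in the reply above, as a simplified Python model added here for illustration (it is not Postfix code and not from either poster). It shows why the external domain's recipients are rejected by reject_unlisted_recipient until the @domain wildcard is in relay_recipient_maps, and how DEFER_IF_PERMIT falls through to later restrictions. The addresses, the ours.example domain, the probe cache contents and all function bodies are assumptions made for the example.

```python
# Simplified model of smtpd_recipient_restrictions evaluation; not Postfix code.
REJECT, DUNNO, DEFER_IF_PERMIT = "REJECT", "DUNNO", "DEFER_IF_PERMIT"

# Constructed sample tables (addresses and probe results are made up).
RELAY_RECIPIENTS = {"alice@ours.example"}            # relay_recipient_maps
WILDCARD = {"@example.com"}                          # the wildcard entry for the external domain
VERIFY_DOMAINS = {"example.com": "reject_unverified_recipient"}
PROBE_CACHE = {"bob@example.com": "deliverable",     # stand-in for address probe results
               "ghost@example.com": "undeliverable"}

def reject_unlisted_recipient(rcpt, table):
    """DUNNO if the address or its @domain wildcard is listed, else REJECT."""
    domain = rcpt.rsplit("@", 1)[1]
    return DUNNO if rcpt in table or "@" + domain in table else REJECT

def reject_unverified_recipient(rcpt, table):
    """REJECT known-bad, DUNNO known-good, DEFER_IF_PERMIT while unprobed."""
    status = PROBE_CACHE.get(rcpt)
    if status == "undeliverable":
        return REJECT
    return DUNNO if status == "deliverable" else DEFER_IF_PERMIT

def check_recipient_access(rcpt, table):
    """Per-domain map: run the named restriction only for listed domains."""
    action = VERIFY_DOMAINS.get(rcpt.rsplit("@", 1)[1])
    if action == "reject_unverified_recipient":
        return reject_unverified_recipient(rcpt, table)
    return DUNNO

# Order from the thread: the access map sits right after reject_unlisted_recipient.
RESTRICTIONS = [reject_unlisted_recipient, check_recipient_access]

def evaluate(rcpt, table):
    """Walk the list; a REJECT ends it, anything else falls through."""
    deferred = False
    for restriction in RESTRICTIONS:
        result = restriction(rcpt, table)
        if result == REJECT:
            return REJECT
        deferred = deferred or result == DEFER_IF_PERMIT
    # End of list stands in for the final "permit" in the posted config.
    return "DEFER" if deferred else "PERMIT"

if __name__ == "__main__":
    for rcpt in ("alice@ours.example", "bob@example.com",
                 "ghost@example.com", "new@example.com"):
        print(rcpt, evaluate(rcpt, RELAY_RECIPIENTS),
              evaluate(rcpt, RELAY_RECIPIENTS | WILDCARD))
```
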
From: Michael Orlitzky on 19 Jun 2010 18:12

On 06/19/2010 12:08 PM, Noel Jones wrote:
> On 6/18/2010 8:48 PM, Michael Orlitzky wrote:
>> Our MX currently relays to one of two boxes (mail1, mail2) based on a
>> list of domains in transport_maps. Both mail1 and mail2 are ours, and we
>> have a full list of domains and recipients in relay_domains and
>> relay_recipient maps respectively.
>>
>> Now, I would like to add a third, external, relay destination for one
>> domain. I can add the domain to relay_domains, but would prefer to use
>> address verification for the recipients (in that domain only).
>>
>> My current restrictions:
>>
>> smtpd_recipient_restrictions =
>>   reject_unauth_destination,
>>   reject_unlisted_recipient,
>>   check_recipient_access hash:/etc/postfix/maps/rfc_addresses,
>>   reject_non_fqdn_helo_hostname,
>>   reject_invalid_helo_hostname,
>>   reject_non_fqdn_sender,
>>   check_client_access pcre:/etc/postfix/maps/reverse_dns.pcre,
>>   reject_unknown_sender_domain,
>>   check_client_access pcre:/etc/postfix/maps/generic_rbl_clients.pcre,
>>   check_sender_access hash:/etc/postfix/maps/backscatter_senders,
>>   reject_rhsbl_client dbl.spamhaus.org,
>>   reject_rhsbl_helo dbl.spamhaus.org,
>>   reject_rhsbl_sender dbl.spamhaus.org,
>>   check_policy_service unix:private/policyd-spf,
>>   check_policy_service unix:private/postgrey,
>>   permit
>>
>> My first question is, what effect does reject_unverified_recipient
>> actually have? For example, if the recipient is verified, do the
>> restrictions continue to be evaluated, or is it the equivalent of an OK?
>> If the other restrictions are evaluated, wouldn't the address still be
>> rejected by either reject_unlisted_recipient or the default
>> smtpd_reject_unlisted_recipient=yes?
>>
>> Regardless of the answer to that question, where is the smartest place
>> to stick that restriction in my current list? I would prefer to add
>> something like,
>>
>> check_recipient_access hash:/.../recipient_verify_domains
>>
>> containing,
>>
>> example.com reject_unverified_recipient
>>
>> so that only that domain's addresses are verified. However, this depends
>> on whether or not the reject_unlisted_recipient is skipped. If it isn't,
>> should I move the reject_unlisted/unverified restrictions to the end? Or
>> create a separate (almost-identical) restrictions class for the domain
>> in question?
>
>
> All postfix reject_* restrictions return the equivalent of either REJECT
> or DUNNO; if the transaction is not rejected it will continue with the
> next defined restriction.
>
> (Rules that can return DEFER_IF_PERMIT, such as
> reject_unverified_[sender,recipient], are slightly more complicated
> since a later restriction can cause a reject rather than a deferral, but
> the general rule still applies -- if the connection isn't rejected,
> processing continues with the next defined restriction.)
>
> To exempt a relay domain from the reject_unlisted_recipient checks, add
> a wildcard for that domain to your relay_recipient_maps table.
> http://www.postfix.org/postconf.5.html#relay_recipient_maps

This is the idea I was missing. Works great, thanks.

> To verify recipients at a specific domain, I would put a
> check_recipient_access map just after where you have
> reject_unlisted_recipients
>
> -- Noel Jones