From: Jesper Fruergaard Andersen on 28 May 2010 07:49

I am testing a new server running Postfix 2.7.0 on Ubuntu 10.4. I am using postmulti. The instance for receiving mail is setup like below. Everything seems to be working fine.

But I feel confused why messages for non existing accounts gets rejected with messages from policyd-weight and not with user unknown. It seems that if policyd-weight accepts the connection it does then get rejected with "Recipient address rejected: User unknown in virtual mailbox table"

I would think that postfix would reject it right at "reject_unauth_destination".

Is it because having smtpd_reject_unlisted_recipient = yes gets evaluated later and not as a part of smtpd_recipient_restrictions?

# postmulti -i postfix-in -x postconf -n
alias_database =
alias_maps =
authorized_submit_users = root
config_directory = /etc/postfix-in
data_directory = /var/lib/postfix-in
default_database_type = cdb
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using rbl
default_transport = smtp:[127.0.0.1]:10024
inet_interfaces = $myhostname, localhost
local_header_rewrite_clients =
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
master_service_disable =
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-in
mydestination =
mydomain = xxxxxx.dk
myhostname = mta1.xxxxxx.dk
mynetworks = 127.0.0.0/8
myorigin = $mydomain
queue_directory = /var/spool/postfix-in
rbl_reply_maps = ${indexedh}rbl_reply_maps
recipient_delimiter = +
relay_transport = $default_transport
smtp_data_done_timeout = 1200s
smtp_destination_recipient_limit = 1000
smtp_send_xforward_command = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_port_logging = no
smtpd_client_restrictions = check_recipient_access ${indexed}receive_all check_client_access pcre:/etc/postfix-in/fqrdns.pcre check_client_access regexp:/etc/postfix-in/fqrdns.regexp check_client_access cidr:/etc/postfix-in/client_blacklist.cidr
smtpd_data_restrictions = check_recipient_access ${indexed}receive_all check_client_access ${indexed}client_pipeline_access
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unauth_destination permit_mynetworks check_recipient_access ${indexed}receive_all check_recipient_access pgsql:/etc/postfix-in/pg-recipient-quota ${indexed}recipient_access warn_if_reject check_policy_service unix:private/policydjfa check_policy_service inet:127.0.0.1:12525
smtpd_restriction_classes = restrict_pipeline, permissive
smtpd_sender_restrictions = check_recipient_access ${indexed}receive_all reject_unknown_sender_domain reject_non_fqdn_sender ${indexed}sender_access
transport_maps = pgsql:/etc/postfix-in/pg-transport
virtual_alias_domains =
virtual_alias_maps = pgsql:/etc/postfix-in/pg-virtual-alias-maps pgsql:/etc/postfix-in/pg-virtual-mailbox2mailbox
virtual_mailbox_domains = pgsql:/etc/postfix-in/pg-virtual-mailbox-domains
virtual_mailbox_maps = pgsql:/etc/postfix-in/pg-virtual-mailbox
virtual_transport = $default_transport

--
Jesper

From: Brian Evans - Postfix List on 28 May 2010 08:29

On 5/28/2010 7:49 AM, Jesper Fruergaard Andersen wrote:
> I am testing a new server running Postfix 2.7.0 on Ubuntu 10.4. I am
> using postmulti. The instance for receiving mail is setup like below.
> Everything seems to be working fine.
> But I feel confused why messages for non existing accounts gets
> rejected with messages from policyd-weight and not with user unknown.
> It seems that if policyd-weight accepts the connection it does then
> get rejected with "Recipient address rejected: User unknown in virtual
> mailbox table"
> I would think that postfix would reject it right at "reject_unauth_destination".
> Is it because having smtpd_reject_unlisted_recipient = yes gets
> evaluated later and not as a part of smtpd_recipient_restrictions?
>

Unless reject_unlisted_recipient is explicitly listed in a restriction class, smtpd_reject_unlisted_recipient, when enabled, is evaluated after smtpd_recipient_restrictions.

The simple change is to insert reject_unlisted_recipient before your policy service.

Brian

> # postmulti -i postfix-in -x postconf -n
> [snip]
> smtpd_recipient_restrictions = reject_non_fqdn_recipient
> reject_unauth_destination permit_mynetworks check_recipient_access
> ${indexed}receive_all check_recipient_access
> pgsql:/etc/postfix-in/pg-recipient-quota ${indexed}recipient_access
> warn_if_reject check_policy_service unix:private/policydjfa
> check_policy_service inet:127.0.0.1:12525
>

From: mouss on 28 May 2010 17:43

Jesper Fruergaard Andersen wrote:
> I am testing a new server running Postfix 2.7.0 on Ubuntu 10.4. I am
> using postmulti. The instance for receiving mail is setup like below.
> Everything seems to be working fine.
> But I feel confused why messages for non existing accounts gets
> rejected with messages from policyd-weight and not with user unknown.
> It seems that if policyd-weight accepts the connection it does then
> get rejected with "Recipient address rejected: User unknown in virtual
> mailbox table"
> I would think that postfix would reject it right at "reject_unauth_destination".

reject_unauth_destination rejects unauthorized _relay_, that is mail to _domains_ that you don't list in one of
- mydestination
- relay_domains
- virtual_mailbox_domains
- virtual_alias_domains.

said otherwise, reject_unauth_destination is what protects you from being an open relay. it will block mail except for domains that you host or relay mail for.

"unknown users" are rejected at end of smtpd restrictions if you keep the default setup:
smtpd_reject_unlisted_sender = yes

but you can do the check any time you want by calling it explicitly:
reject_unlisted_recipient

similar things can be done for "sender" instead of recipient.

> Is it because having smtpd_reject_unlisted_recipient = yes gets
> evaluated later and not as a part of smtpd_recipient_restrictions?
> [snip]
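
An added example, not part of any message in this thread: a small Python check of the ordering described in the replies, run over the smtpd_recipient_restrictions value from the original post. The function names and the two edited variants (FIXED, MISPLACED) are constructed for illustration, and the check assumes smtpd_reject_unlisted_recipient is at its default of yes when postconf -n does not list it.

```python
import re

# smtpd_recipient_restrictions as posted in the thread (wrapped for readability).
POSTED = """\
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unauth_destination
    permit_mynetworks check_recipient_access ${indexed}receive_all
    check_recipient_access pgsql:/etc/postfix-in/pg-recipient-quota
    ${indexed}recipient_access warn_if_reject check_policy_service
    unix:private/policydjfa check_policy_service inet:127.0.0.1:12525
"""
# Constructed variants: the suggested fix, and the same fix placed one token too late.
FIXED = POSTED.replace("warn_if_reject check_policy_service",
                       "reject_unlisted_recipient warn_if_reject check_policy_service")
MISPLACED = POSTED.replace("warn_if_reject check_policy_service",
                           "warn_if_reject reject_unlisted_recipient check_policy_service")

def parse_postconf(text):
    """Parse `postconf -n` style text; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def unlisted_recipient_check(params):
    """Say where unknown recipients are rejected relative to the policy services."""
    value = params.get("smtpd_recipient_restrictions", "")
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    policy = next((i for i, t in enumerate(tokens) if t == "check_policy_service"), None)
    for i, tok in enumerate(tokens):
        if tok != "reject_unlisted_recipient":
            continue
        if i > 0 and tokens[i - 1] == "warn_if_reject":
            continue  # warn_if_reject turns the next restriction into a log-only check
        if policy is None or i < policy:
            return "explicit, before policy service"
        return "explicit, after policy service"
    if params.get("smtpd_reject_unlisted_recipient", "yes") == "yes":
        return "implicit, after the whole list"  # policy services see unknown users first
    return "not checked"

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED), ("misplaced", MISPLACED)):
        print(label, "->", unlisted_recipient_check(parse_postconf(text)))
```

The MISPLACED variant shows why the new restriction has to go ahead of the existing warn_if_reject in this list: placed directly after it, reject_unlisted_recipient would only log, and the first policy service would lose its warn-only status.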