Hi, I've enabled recipient address verification on my external mail servers (MX) as well as on the internal ones. Sometimes mails for non-existent accounts do pass and I'm trying to figure out why this happens and how to stop it. This does not happen every time. Most mails for unverified recipients get a 450, but sometimes some of them do slip in.
External mail servers are relaying to internal servers via smtp (transport_maps).

External servers:

    smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/blacklist
        permit_mynetworks
        check_recipient_access pcre:/etc/postfix/access-protected
        check_client_access hash:/etc/postfix/access-client
        check_sender_access hash:/etc/postfix/whitelist
        reject_unknown_recipient_domain
        check_sender_access hash:/etc/postfix/access-whitelist
        reject_unverified_recipient        # <<<
    smtpd_relay_restrictions =
        permit_mynetworks
        reject_non_fqdn_recipient
        defer_unauth_destination
    relay_domains = /etc/postfix/local-domains
    transport_maps = hash:/etc/postfix/transport
    disable_vrfy_command=yes
    unverified_recipient_reject_reason = Recipient address lookup failed
    unverified_recipient_reject_code = 450
    unverified_recipient_tempfail_action = defer
    address_verify_negative_cache = yes
    address_verify_negative_refresh_time = 10m
    address_verify_negative_expire_time = 1d
    address_verify_positive_refresh_time = 20d

The recipient domain is listed in local-domains and there is a line in transport where they point to the internal server:

    physics.uoc.gr   smtp:[xx.xx.xx.xx]
    .physics.uoc.gr  smtp:[xx.xx.xx.xx]

Internal servers (where verification and delivery happen):

    smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/access-protected
        check_recipient_access regexp:/etc/postfix/access-protected-regexp
        check_client_access hash:/etc/postfix/access-client
        permit_mynetworks
        defer_unauth_destination
        # new setup
        reject_unknown_recipient_domain
        check_recipient_access hash:/etc/postfix/verified_recipients
        check_sender_access hash:/etc/postfix/skip_verify_sender
        reject_unverified_recipient        # <<<
        permit_mynetworks                  # <<< Externals not listed here
    disable_vrfy_command=yes
    unverified_recipient_reject_reason = Recipient address lookup failed
    unverified_recipient_reject_code = 450
    unverified_recipient_tempfail_action = defer
    address_verify_negative_refresh_time = 10m
    address_verify_negative_cache=no
    address_verify_positive_refresh_time = 15d

The internals are doing delivery and, I guess, verification via lmtp:

    virtual_transport = lmtp:inet:yy.yy.yy.yy:24
    lmtp_destination_rate_delay = 1s
    lmtp_destination_concurrency_limit = 10
    lmtp_destination_recipient_limit = 10

which is a load balancer for dovecot directors that forward to the internal servers again (dovecot).

Example: I have mails for a non-existent account [email protected]. If you look at the logs below, the 2nd mail passed. Actually there are many more before the pass that got blocked.

    Oct 13 06:59:43 mail-ext postfix/smtp[1099439]: BBD50209FDC: to=<[email protected]>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25, delay=59073, delays=59066/0.33/0.05/6, dsn=4.1.1, status=deferred (host xx.xx.xx.xx[xx.xx.xx.xx] said: 450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: Recipient address lookup failed (in reply to RCPT TO command))
    Oct 13 07:50:11 mail-ext postfix/cleanup[1101012]: BE7BC20BF4B: milter-discard: END-OF-MESSAGE from uos.371645.com[185.169.99.149]: milter triggers DISCARD action; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<uos.371645.com>
    Oct 13 08:09:43 mail-ext postfix/smtp[1101818]: CE7CC20AD8A: to=<[email protected]>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25, delay=258666, delays=258660/0.03/0.03/6, dsn=4.1.1, status=deferred (host xx.xx.xx.xx[xx.xx.xx.xx] said: 450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: Recipient address lookup failed (in reply to RCPT TO command))

That particular (spam) mail was blocked and quarantined by rspamd (milter service on external mailers) and 5 minutes later a notification was sent to the user by my system. Since the user does not exist I got back the bounce.

Any idea why the mail was accepted in the first place since I do have reject_unverified_recipient?

Even if verification failed for some reason, according to unverified_recipient_tempfail_action = defer there should also be a 450 and the mail should not be accepted. I'm quite sure it was not accepted due to some access file (exceptions).

    grep mjarvine /var/log/maillog|grep "address lookup failed"|wc -l
    89
    grep mjarvine /var/log/maillog|grep -v "address lookup failed"|wc -l
    1

External mailers are: postfix-3.5.25-1.el9.x86_64
Internal mailers are: postfix-3.5.8-7.el8.x86_64

Thanks,
Giannis

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
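The log excerpt and the grep counts above mix three different kinds of lines: the external server's own postfix/smtp deliveries that got a 450 from the internal host, a postfix/cleanup milter-discard, and (when present) smtpd NOQUEUE rejections at RCPT TO. The following Python triage script is an added example, not part of the original post and not Postfix code: it groups a maillog by queue id for one recipient and labels each outcome so the single accepted envelope stands out from the many rejections. It assumes standard syslog-format Postfix logging with short queue ids, and that verification probes use the default address_verify_sender (local part double-bounce); the sample lines are constructed placeholders modeled on the excerpt, not real hosts or addresses.

```python
import re
from collections import Counter

# Constructed sample log lines modeled on the excerpt in the post. Hosts, IPs,
# addresses and queue ids are placeholders, not values from any real system.
SAMPLE_LOG = """\
Oct 13 06:59:40 mail-ext postfix/qmgr[1000]: BBD50209FDC: from=<double-bounce@mail-ext.example.net>, size=252, nrcpt=1 (queue active)
Oct 13 06:59:43 mail-ext postfix/smtp[1099439]: BBD50209FDC: to=<nosuchuser@example.net>, relay=198.51.100.5[198.51.100.5]:25, delay=59073, delays=59066/0.33/0.05/6, dsn=4.1.1, status=deferred (host 198.51.100.5[198.51.100.5] said: 450 4.1.1 <nosuchuser@example.net>: Recipient address rejected: unverified address: Recipient address lookup failed (in reply to RCPT TO command))
Oct 13 07:50:09 mail-ext postfix/smtpd[1101010]: BE7BC20BF4B: client=spam.example.org[203.0.113.7]
Oct 13 07:50:11 mail-ext postfix/cleanup[1101012]: BE7BC20BF4B: milter-discard: END-OF-MESSAGE from spam.example.org[203.0.113.7]: milter triggers DISCARD action; from=<sender@example.org> to=<nosuchuser@example.net> proto=ESMTP helo=<spam.example.org>
Oct 13 08:09:43 mail-ext postfix/smtp[1101818]: CE7CC20AD8A: to=<nosuchuser@example.net>, relay=198.51.100.5[198.51.100.5]:25, delay=258666, delays=258660/0.03/0.03/6, dsn=4.1.1, status=deferred (host 198.51.100.5[198.51.100.5] said: 450 4.1.1 <nosuchuser@example.net>: Recipient address rejected: unverified address: Recipient address lookup failed (in reply to RCPT TO command))
Oct 13 08:10:00 mail-ext postfix/smtpd[1101900]: NOQUEUE: reject: RCPT from bad.example.org[203.0.113.9]: 450 4.1.1 <nosuchuser@example.net>: Recipient address rejected: unverified address: Recipient address lookup failed; from=<x@example.org> to=<nosuchuser@example.net> proto=ESMTP helo=<bad.example.org>
"""

# Assumption: probes carry the default address_verify_sender ($double_bounce_sender).
PROBE_LOCALPART = "double-bounce"

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]+|NOQUEUE): (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"status=(?P<status>\w+)")
TO_RE = re.compile(r"to=<(?P<to>[^>]*)>")
SENDER_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
CLIENT_RE = re.compile(r"client=(?P<client>\S+)")
HOST_RE = re.compile(r"from (?P<client>\S+\[[^\]]+\])")


def parse_line(line):
    """Split one syslog line into timestamp, program, queue id and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(ev):
    """Label what one event says about the recipient's fate on this server."""
    prog, qid, msg = ev["prog"], ev["qid"], ev["msg"]
    if prog == "smtpd" and qid == "NOQUEUE" and msg.startswith("reject:"):
        return "rejected-at-rcpt"          # smtpd refused RCPT TO; nothing was queued
    if prog == "cleanup" and msg.startswith("milter-discard:"):
        return "accepted-milter-discard"   # envelope was accepted, milter dropped the body
    if prog == "smtp":
        st = STATUS_RE.search(msg)
        if st and st.group("status") == "deferred":
            return "relay-deferred"        # this host's own delivery attempt got a 4xx
        if st and st.group("status") == "sent":
            return "relayed"
    return None


def triage(log_text, recipient):
    """Return {queue id or NOQUEUE#n: {time, outcome, client, sender, probe}}."""
    senders, clients, events, noqueue = {}, {}, {}, 0
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        qid, prog, msg = ev["qid"], ev["prog"], ev["msg"]
        if prog == "qmgr" and (s := SENDER_RE.search(msg)):
            senders[qid] = s.group("sender")          # envelope sender per queue id
        if prog == "smtpd" and (c := CLIENT_RE.search(msg)):
            clients[qid] = c.group("client")          # session that handed in the mail
        to = TO_RE.search(msg)
        if to is None or to.group("to").lower() != recipient.lower():
            continue
        outcome = classify(ev)
        if outcome is None:
            continue
        key = qid
        if qid == "NOQUEUE":
            noqueue += 1
            key = f"NOQUEUE#{noqueue}"                # rejections have no queue id
        sender = senders.get(qid)
        if sender is None and (m := SENDER_RE.search(msg)):
            sender = m.group("sender")
        h = HOST_RE.search(msg)
        events[key] = {
            "time": ev["ts"],
            "outcome": outcome,
            "client": clients.get(qid) or (h.group("client") if h else None),
            "sender": sender,
            # True/False when the sender is known, None when no sender was logged
            "probe": None if sender is None else sender.lower().startswith(PROBE_LOCALPART + "@"),
        }
    return events


def summarize(log_text, recipient):
    """Count outcomes, the structured counterpart of the grep|wc -l pair above."""
    return Counter(e["outcome"] for e in triage(log_text, recipient).values())


def accepted_envelopes(log_text, recipient):
    """Queue ids this smtpd accepted for `recipient` that are known not to be probes."""
    return [k for k, e in triage(log_text, recipient).items()
            if not k.startswith("NOQUEUE") and e["probe"] is False]


if __name__ == "__main__":
    for key, e in triage(SAMPLE_LOG, "nosuchuser@example.net").items():
        print(key, e)
    print(summarize(SAMPLE_LOG, "nosuchuser@example.net"))
    print("accepted:", accepted_envelopes(SAMPLE_LOG, "nosuchuser@example.net"))
```

Reading the labels: a cleanup milter-discard at END-OF-MESSAGE can only be logged after smtpd has accepted the whole envelope, RCPT TO included, so for that queue id the smtpd client= line names the session that got past the restriction list and is the one to trace further. The postfix/smtp status=deferred lines are the external server's own deliveries to the internal host and can be either queued mail or verification probes; the default probe sender is what lets the script tell them apart, which is why it reports probe as unknown (None) when no qmgr sender line is present for that queue id.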
