On Mon, Oct 13, 2025 at 01:01:51PM +0300, Kapetanakis Giannis via Postfix-users
wrote:
> I've enabled Recipient address verification on my external mail
> servers (MX) as well as internals. Sometimes mails for non-existent
> accounts do pass and I'm trying to figure out why this happens and how
> to stop it. This does not happens every time. Most mails for
> unverified recipients get a 450, but sometimes some of them do slip
> in.
You need to look at all the logging associated with the messages in
questions. Not just one step.
In general, it is best to have authoritative lists of valid recipients
on the external servers, rather than rely on verification probes.
> External mail servers are relaying to internal servers via smtp
> (transport_maps).
>
> The recipient domain is listed in local-domains and there is a line in
> transport where they point to the internal server
>
> physics.uoc.gr smtp:[xx.xx.xx.xx]
> .physics.uoc.gr smtp:[xx.xx.xx.xx]
>
> Internal servers (where verification and delivery happens):
>
> smtpd_recipient_restrictions =
> check_recipient_access hash:/etc/postfix/access-protected
> check_recipient_access regexp:/etc/postfix/access-protected-regexp
> check_client_access hash:/etc/postfix/access-client
> permit_mynetworks
> defer_unauth_destination
> # new setup
> reject_unknown_recipient_domain
> check_recipient_access hash:/etc/postfix/verified_recipients
> check_sender_access hash:/etc/postfix/skip_verify_sender
> reject_unverified_recipient # <<<
> permit_mynetworks # <<< Externals not listed here
Do some of the "external" servers match the "mynetworks" list on
some of the internal servers?
> If you see on logs bellow the 2nd mail passed. Actually there are many
> more before the pass that got blocked.
These logs are not sufficiently detailed. At least search for
all the log entries for the given queue id. If at all possible,
use the "collate" script that is included with the Postfix source
distribution:
https://github.com/vdukhovni/postfix/tree/master/postfix/auxiliary/collate
> Oct 13 06:59:43 mail-ext postfix/smtp[1099439]: BBD50209FDC:
> to=<[email protected]>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25,
> delay=59073, delays=59066/0.33/0.05/6, dsn=4.1.1, status=deferred
> (host xx.xx.xx.xx[xx.xx.xx.xx] said: 450 4.1.1
> <[email protected]>: Recipient address rejected: unverified
> address: Recipient address lookup failed (in reply to RCPT TO
> command))
How did "BBD50209FDC" enter your queue 16h:24m:33s prior?
> Oct 13 08:09:43 mail-ext postfix/smtp[1101818]: CE7CC20AD8A:
> to=<[email protected]>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25,
> delay=258666, delays=258660/0.03/0.03/6, dsn=4.1.1, status=deferred
> (host xx.xx.xx.xx[xx.xx.xx.xx] said: 450 4.1.1
> <[email protected]>: Recipient address rejected: unverified
> address: Recipient address lookup failed (in reply to RCPT TO
> command))
How did "CE7CC20AD8A" enter your queue 71h:51m:06s prior?
> Any idea why mail was accepted in the first place since I do have
> reject_unverified_recipient ?
Not without the relevant logs, including any logging for related
verification probes
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
