Wietse, sorry, please bear with me here, but this is not easy to understand (given the complexity of all the settings). And I’m afraid to damage my mail in the sense that I start refusing legitimate mail.
> On 21 Nov 2016, at 21:17, Wietse Venema <wie...@porcupine.org> wrote:
>
> Gerben Wierda:
>>
>>> On 21 Nov 2016, at 17:33, Wietse Venema <wie...@porcupine.org> wrote:
>>>
>>> Gerben Wierda:
>>>> smtpd_recipient_restrictions =
>>>>     permit_sasl_authenticated
>>>>     permit_mynetworks
>>>>     reject_unauth_destination
>>>>     reject_unknown_recipient_domain
>>>>     reject_unverified_recipient
>>>
>>> You may want to look at these settings (defaults shown):
>>>
>>> unverified_recipient_defer_code = 450
>>> unverified_recipient_reject_code = 450
>>> unverified_recipient_reject_reason =
>>> unverified_recipient_tempfail_action = $reject_tempfail_action
>>> reject_tempfail_action = defer_if_permit
>>
>> from postconf:
>>
>> address_verify_map = btree:$data_directory/verify_cache
>> unverified_recipient_defer_code = 450
>> unverified_recipient_reject_code = 450
>> unverified_recipient_reject_reason =
>> unverified_recipient_tempfail_action = $reject_tempfail_action
>> reject_tempfail_action = defer_if_permit
>>
>>> I suspect that you're hitting a cached defer_if_permit response.
>
> Actually, the stored info is one of {accepted, deferred, rejected}.
> I cannot quickly locate the code that uses the
> unverified_recipient_tempfail_action setting.
>
>> Or should I just have to add to main.cf:
>> unverified_recipient_reject_code = 550
>> and do a reload?
>
> Yes, you probably want to reject mail immediately.
>
>> Another question. The phrase "Reject the request when mail to the
>> RCPT TO address is known to bounce, or when the recipient address
>> destination is not reachable." leads to some confusion for me.
>> Does "not reachable" also include temporary failures?
>
> Temporary failure means that the answer is not known. When making
> an irreversible decision (like permanently rejecting mail), Postfix
> is quite insistent on making the distinction between having and not
> having authoritative information.

So, just so that I understand. With *my* unverified_recipient_reject_code in the 5xx range, but a remote SMTP server giving a temporary failure (4xx) on an address (or just plain unreachable), *my* postfix would still return 4xx because it cannot be certain?

I still would like to understand why with a setting like this

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
    check_policy_service unix:private/policy
    permit

and a recipient that is not in the 'local recipient table', check_policy_service is even reached. Is that *solely* because unverified_recipient_reject_code is in the 4xx range?

And the best thing is: how do I make sure that reject_unverified_recipient only works on local ($mydestination) addresses? I am rna.nl. If foo.com sends mail to u...@rna.nl I want rejection on locally undeliverable recipients to be quick. If my users connect to my mail server for outgoing mail, I want no local cache of ‘verified’ recipients, I leave that to the MTA at the final destination.

G