Nathan Ward:
> Hi all,
>
> I am trying to figure out the best way to reject RCPT TO addresses with no
> domain part - i.e. "RCPT TO: <test>" or similar. I do not want to rewrite
> to $myhostname or $mydomain or similar.
There is no Postfix setting to allow or deny every possible syntax
error.
Postfix converts addresses into a standard form, otherwise a bad
actor could easily circumvent access restrictions by playing games
with quotes, backslash, or other transformations. The downside is
that Postfix access checks don't get the original address form.
You can use smtpd_command_filter to convert a domainless address into
a form that can be blocked by an access restriction.
/etc/postfix/main.cf:
smtpd_command_filter = pcre:/etc/postfix/command_filter
# Require RCPT TO:<address>.
strict_rfc821_envelopes = yes
/etc/postfix/command_filter:
# Tag addresses that have no @ with @domain.invalid.
/^(RCPT\s+TO:\s*<)[^@]+)(>.*)/ $1$2@domain.invalid$3
Combine with an access map that rejects mail from domain.invalid.
Just like "example" and "localhost", the name "invalid" is reserved
by the Internet Engineering Task Force (IETF) as a domain name that
may not be installed as a top-level domain in the Domain Name System
(DNS) of the Internet.
Wietse
