Hello, I am trying to utilize 'reject_unverified_recipient' selectively, so that only addresses for domains which I host are verified, ahead of permitting sasl senders, in order to avoid bounces for unknown recipients of local domains. In summary, the setup seems to work correctly for mailboxes, but a problem arises with forwarded addresses, where verification is performed for the destination of the forward (external domain), rather than the smtp recipient address (local domain).
I am using postfix 3.4.14-0+deb10u1 from Debian. I set up test.com to demonstrate and created a [email protected] mailbox and a [email protected] forward to my gmail account:

    # postconf virtual_mailbox_domains virtual_mailbox_maps
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    # postmap -q test.com mysql:/etc/postfix/mysql-virtual_domains.cf
    test.com
    # postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    test.com/mailbox/
    # postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    [email protected]

I set 'reject_unverified_recipient' via the mysql-virtual_recipient.cf map:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
        check_policy_service unix:private/quota-status

    # grep query /etc/postfix/mysql-verify_recipients.cf
    query = SELECT 'reject_unverified_recipient' FROM mail_domain WHERE domain = '%s' AND active = 'y' AND server_id = 1

The mysql-verify_recipients.cf query works correctly for domains I host and for external domains:

    # postmap -q test.com mysql:/etc/postfix/mysql-verify_recipients.cf
    reject_unverified_recipient
    # postmap -q gmail.com mysql:/etc/postfix/mysql-verify_recipients.cf
    # (<-- no output)

What I expect and want is that lookups for test.com recipient addresses will undergo address verification, and addresses for external domains like gmail.com will not. However, when I send to [email protected], what happens is address verification for [email protected] fails. The failure is correct, because my test server does not have outbound smtp access (nor ipv6), but I don't want address verification for the gmail.com address to take place at all.

Replies from my smtp conversations are:

    Rcpt To:<[email protected]>
    250 2.1.5 Ok

and on first attempt:

    Rcpt To:<[email protected]>
    450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: Address verification in progress

then on subsequent attempts with a verification cache entry present:

    Rcpt To:<[email protected]>
    450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: connect to gmail-smtp-in.l.google.com[142.250.138.26]:25: Connection timed out

Logs show:

    Aug 27 11:31:15 dev postfix/smtpd[1091]: NOQUEUE: reject: RCPT from my.host.name[xx.xx.xx.xx]: 450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: connect to gmail-smtp-in.l.google.com[142.250.138.26]:25: Connection timed out; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<my.host.name>
    Aug 27 11:31:15 dev postfix/qmgr[11728]: 1224C210A0: from=<[email protected]>, size=275, nrcpt=1 (queue active)
    Aug 27 11:31:15 dev postfix/smtp[1235]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4023:1006::1b]:25: Network is unreachable

So the recipient address [email protected] triggered the verification, but the verification itself is being performed against the address I forwarded to, [email protected].

If I remove the mysql-verify_recipients.cf check, the recipient is accepted:

    Rcpt To:<[email protected]>
    250 2.1.5 Ok

I don't see any way to configure around this, but perhaps I'm overlooking something. Or possible bug?

Thanks,
Jesse

-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107 - www.kci.net
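A log check for the symptom described in the post above, as an added example that is not part of the original message: it flags `unverified address` rejections where the RCPT domain is a hosted one but the probe failure names a remote host. The domain names, addresses and log lines are constructed, and `offsite_probes` is a hypothetical helper name.

```python
import re

# smtpd(8) rejection logged when recipient address verification fails or is pending.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: "
    r"Recipient address rejected: unverified address: (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<to>[^>]*)>"
)
# Probe results that name the server the probe was sent to:
# "connect to host[ip]:25: ..." or "host host[ip] said: ...".
REMOTE_RE = re.compile(r"(?:connect to|host) (?P<host>[A-Za-z0-9.-]+)\[")

def offsite_probes(lines, hosted_domains):
    """Return (recipient, probe_host) pairs where a recipient in a hosted
    domain was verified against a host outside every hosted domain."""
    hosted = {d.lower() for d in hosted_domains}
    findings = []
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # not a verification rejection
        rcpt_domain = m["to"].rpartition("@")[2].lower()
        if rcpt_domain not in hosted:
            continue  # only recipients in hosted domains are of interest
        r = REMOTE_RE.search(m["reason"])
        if not r:
            continue  # e.g. "Address verification in progress"
        host = r["host"].lower()
        if not any(host == d or host.endswith("." + d) for d in hosted):
            findings.append((m["to"], host))
    return findings

# Constructed sample log lines (documentation domains and addresses).
PREFIX = ("Aug 27 11:31:15 dev postfix/smtpd[1091]: NOQUEUE: reject: RCPT from "
          "client.example[192.0.2.10]: 450 4.1.1 ")
SUFFIX = " proto=ESMTP helo=<client.example>"
SAMPLE = [
    PREFIX + "<forward@hosted.example>: Recipient address rejected: unverified address: "
    "Address verification in progress; from=<a@hosted.example> to=<forward@hosted.example>" + SUFFIX,
    PREFIX + "<forward@hosted.example>: Recipient address rejected: unverified address: "
    "connect to mx.remote.example[192.0.2.25]:25: Connection timed out; "
    "from=<a@hosted.example> to=<forward@hosted.example>" + SUFFIX,
    PREFIX + "<user@remote.example>: Recipient address rejected: unverified address: "
    "connect to mx.remote.example[192.0.2.25]:25: Connection timed out; "
    "from=<a@hosted.example> to=<user@remote.example>" + SUFFIX,
    "Aug 27 11:31:15 dev postfix/qmgr[11728]: 1224C210A0: from=<a@hosted.example>, size=275, nrcpt=1 (queue active)",
]

if __name__ == "__main__":
    for rcpt, host in offsite_probes(SAMPLE, {"hosted.example"}):
        print(f"{rcpt}: probe left the hosted domains, went to {host}")
```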
