Re: Define exception(s) from catchall domain
* Noel Jones njo...@megan.vbhcs.org [2014-10-24 00:36]:
> > I tried to implement this by using a check_recipient_access pcre table like this:
> >
> > /etc/postfix# cat recipient_access.pcre
> > /^postfix-reject-address@.+$/ REJECT
>
> This must match the recipient address as sent by the client and logged by
> the postfix smtpd process, NOT the rewritten address.

Yes, I figured this out and found a way to do what I wanted. I now have the following:

smtpd_recipient_restrictions =
    check_recipient_access proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf,
    ...

(Also I had to extend proxy_read_maps for this.)

The .cf contains the following query:

query = SELECT 'REJECT' FROM alias WHERE address='%s' AND goto='reject@postfix.access' AND active = '1'

So all the users have to do is add an alias from their address to reject@postfix.access to reject a specific alias.

> > smtpd_recipient_restrictions =
> >     check_recipient_access pcre:$config_directory/recipient_access.pcre,
> >     ...
>
> It's generally unwise to put any access tables before permit_mynetworks.
> Extra caution is needed to make sure you don't accidentally create an open relay.

In this specific case I think it is okay because I want no one to be able to mail to these addresses. It should be as if the alias does not exist. As for the open relay, I moved all that stuff to smtpd_relay_restrictions.

> > And telling them to add an alias to postfix-reject-address@$THEIR_DOMAIN
>
> This should not be necessary.

It's the way postfixadmin works. Without coding up an extension that lets users block specific aliases, this is the fastest way to do it.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: Define exception(s) from catchall domain
Sebastian Wiesinger:
> smtpd_recipient_restrictions =
>     check_recipient_access proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf,
>     ...
>
> (Also I had to extend proxy_read_maps for this.)

Argh. I forgot to include that in the default proxy_read_maps setting.

> As for the open relay, I moved all that stuff to smtpd_relay_restrictions.

Good!

	Wietse
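The open-relay caution in this thread (an access table ahead of permit_mynetworks, with relay control moved into smtpd_relay_restrictions as Wietse approves above) is easiest to see with a small model of how smtpd walks its restriction lists at RCPT TO. The block below is an added example, not code from the thread or from Postfix: it models the documented rules (restrictions run in order, OK or REJECT ends a list, DUNNO continues, a list that runs out permits, and since Postfix 2.10 both smtpd_relay_restrictions and smtpd_recipient_restrictions must permit). The networks, domain and table contents are made up for the demonstration; only permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination and check_recipient_access are modelled.

```python
"""Toy model of Postfix smtpd restriction-list evaluation at RCPT TO.
Added example; the addresses, tables and domain below are constructed."""
import ipaddress

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
LOCAL_DOMAINS = {"example.org"}   # stands in for mydestination / virtual / relay domains

# The thread's table: it can only ever say REJECT, so its position is harmless.
REJECT_ONLY = {"spamtrap@example.org": "REJECT"}
# A sloppy table that can say OK; "postmaster@" is a localpart@ key that
# matches postmaster at ANY domain, which is exactly how relays get opened.
SLOPPY = {"postmaster@": "OK"}

def access_lookup(table, rcpt):
    """Simplified access(5) key order: full address, domain, localpart@."""
    local, _, domain = rcpt.rpartition("@")
    for key in (rcpt, domain, local + "@"):
        if key in table:
            return table[key]
    return "DUNNO"

def run_list(restrictions, client_ip, sasl, rcpt):
    """Evaluate one restriction list; returns 'OK' or 'REJECT'."""
    ip = ipaddress.ip_address(client_ip)
    for r in restrictions:
        name, arg = r if isinstance(r, tuple) else (r, None)
        if name == "permit_mynetworks":
            res = "OK" if any(ip in n for n in MYNETWORKS) else "DUNNO"
        elif name == "permit_sasl_authenticated":
            res = "OK" if sasl else "DUNNO"
        elif name == "reject_unauth_destination":
            res = "DUNNO" if rcpt.rpartition("@")[2] in LOCAL_DOMAINS else "REJECT"
        elif name == "check_recipient_access":
            res = access_lookup(arg, rcpt)
        else:
            raise ValueError(f"unmodelled restriction {name}")
        if res != "DUNNO":
            return res          # first OK/REJECT decides this list
    return "OK"                 # end of list: default permit

def rcpt_decision(relay_restrictions, recipient_restrictions, client_ip, sasl, rcpt):
    """Postfix >= 2.10: relay list and recipient list both run; either can reject."""
    for lst in (relay_restrictions, recipient_restrictions):
        if run_list(lst, client_ip, sasl, rcpt) == "REJECT":
            return "REJECT"
    return "OK"

# Layout from the thread: relay control in its own list ...
RELAY = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
# ... and the reject-only table ahead of permit_mynetworks, so that even
# local clients cannot mail the blocked alias.
RECIPIENT_THREAD = [("check_recipient_access", REJECT_ONLY), "permit_mynetworks"]

# Pre-2.10 style: no relay list, relay control inside the recipient list,
# and an OK-capable table placed before reject_unauth_destination.
RECIPIENT_SLOPPY = [("check_recipient_access", SLOPPY), "permit_mynetworks",
                    "permit_sasl_authenticated", "reject_unauth_destination"]

if __name__ == "__main__":
    stranger = "203.0.113.5"
    print(rcpt_decision(RELAY, RECIPIENT_THREAD, stranger, False, "spamtrap@example.org"))
    print(rcpt_decision(RELAY, RECIPIENT_THREAD, "127.0.0.1", False, "spamtrap@example.org"))
    print(rcpt_decision(RELAY, RECIPIENT_THREAD, stranger, False, "user@remote.example"))
    print(rcpt_decision([], RECIPIENT_SLOPPY, stranger, False, "postmaster@remote.example"))
    print(rcpt_decision(RELAY, RECIPIENT_SLOPPY, stranger, False, "postmaster@remote.example"))
```

The fourth call is the open relay: the stranger's RCPT TO a foreign domain is accepted because the sloppy table answers OK before reject_unauth_destination is ever reached. The fifth call shows why moving relay control into smtpd_relay_restrictions fixes it regardless of what the recipient list does; the first two show that a table which only returns REJECT is safe in front of permit_mynetworks and blocks the alias for local clients too, which is the behaviour Sebastian wanted.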
Define exception(s) from catchall domain
Hello,

I have a few users that insist on using catch-all domains. Not surprisingly, they get spam at some addresses. Now they're asking if they can reject mail for *some* of the addresses of the catch-all domain. They can create aliases themselves via postfixadmin and they want to do this the same way.

I tried to implement this by using a check_recipient_access pcre table like this:

/etc/postfix# cat recipient_access.pcre
/^postfix-reject-address@.+$/ REJECT

smtpd_recipient_restrictions =
    check_recipient_access pcre:$config_directory/recipient_access.pcre,
    ...

And telling them to add an alias to postfix-reject-address@$THEIR_DOMAIN

But this doesn't work, as postfix will produce bounces (backscatter) like this:

reject-postfix-addr...@karotte.org (expanded from reject-t...@karotte.org): user unknown

In the log I see that postfix tries to deliver the message with the default virtual transport (dovecot), which then returns the user unknown.

Is there a way to accomplish this?

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: Define exception(s) from catchall domain
On 23.10.2014 at 21:52, Sebastian Wiesinger wrote:
> I have a few users that insist on using catch-all domains. Not surprisingly, they get spam at some addresses. Now they're asking if they can reject mail for *some* of the addresses of the catch-all domain. They can create aliases themselves via postfixadmin and they want to do this the same way.
>
> I tried to implement this by using a check_recipient_access pcre table like this:
>
> /etc/postfix# cat recipient_access.pcre
> /^postfix-reject-address@.+$/ REJECT
>
> smtpd_recipient_restrictions =
>     check_recipient_access pcre:$config_directory/recipient_access.pcre,
>     ...
>
> And telling them to add an alias to postfix-reject-address@$THEIR_DOMAIN
>
> But this doesn't work, as postfix will produce bounces (backscatter) like this:
>
> reject-postfix-addr...@karotte.org (expanded from reject-t...@karotte.org): user unknown
>
> In the log I see that postfix tries to deliver the message with the default virtual transport (dovecot), which then returns the user unknown.
>
> Is there a way to accomplish this?

smtpd_recipient_restrictions with REJECT do NOT backscatter. A proper REJECT in the MTA never sends a bounce. If it touches the virtual transport, the REJECT never got triggered.

I do not see postconf -n output nor a full log example for such a message, so it's impossible to know what happens on your setup.

Anyway, somebody insisting on a catch-all in 2014 has to suck up the spam or give up that completely broken idea. It did not even make sense 15 years ago. If somebody doesn't know my address, he can't send a mail to me. So what? Would you extend that to @internet? No. So why to @domain?
Re: Define exception(s) from catchall domain
* Sebastian Wiesinger postfix-us...@ml.karotte.org [2014-10-23 21:54]:
> Hello,
>
> I have a few users that insist on using catch-all domains. Not surprisingly, they get spam at some addresses. Now they're asking if they can reject mail for *some* of the addresses of the catch-all domain. They can create aliases themselves via postfixadmin and they want to do this the same way.
>
> I tried to implement this by using a check_recipient_access pcre table like this:
>
> /etc/postfix# cat recipient_access.pcre
> /^postfix-reject-address@.+$/ REJECT
>
> smtpd_recipient_restrictions =
>     check_recipient_access pcre:$config_directory/recipient_access.pcre,
>     ...
>
> And telling them to add an alias to postfix-reject-address@$THEIR_DOMAIN
>
> But this doesn't work, as postfix will produce bounces (backscatter) like this:
>
> reject-postfix-addr...@karotte.org (expanded from reject-t...@karotte.org): user unknown

Forgot the logs/configuration:

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:$config_directory/body_checks.pcre
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
dovecot-sa_destination_recipient_limit = 1
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
greylist = check_policy_service inet:127.0.0.1:10023
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = 127.0.0.1, [::1], 176.9.75.247, 176.9.51.79, [2a01:4f8:150:7142::25], [2a01:4f8:150:7142::587]
inet_protocols = ipv4, ipv6
mailbox_command = /usr/bin/procmail -a $EXTENSION
mailbox_size_limit = 0
message_size_limit = 10240
mydestination = mx.karotte.org, alita.karotte.org, localhost.karotte.org, localhost
myhostname = mx.karotte.org
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_clientcerts = hash:$config_directory/relay_clientcerts
relay_domains = proxy:mysql:$config_directory/sql/mysql_relay_domains_maps.cf
relayhost =
smtp_address_preference = ipv6
smtp_bind_address = 176.9.75.247
smtp_bind_address6 = 2a01:4f8:150:7142::25
smtp_dns_support_level = dnssec
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_policy_maps = hash:$config_directory/tls_policy
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 15
smtpd_client_event_limit_exceptions = $mynetworks, $inet_interfaces
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, permit_tls_clientcerts, check_client_access cidr:$config_directory/unknown_reverse_hostname.cidr, check_client_access hash:$config_directory/client_rbl_whitelist, permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client zen.spamhaus.org=127.0.0.[2..11], reject_rbl_client ix.dnsbl.manitu.net, reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, permit_tls_clientcerts, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
smtpd_recipient_restrictions = check_recipient_access pcre:$config_directory/recipient_access.pcre, permit_mynetworks, permit_inet_interfaces, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access hash:$config_directory/defer_unkown_users, reject_unlisted_recipient, check_policy_service unix:private/policyd-spf, permit_dnswl_client list.dnswl.org=127.0.[0..255].[0..3], check_recipient_access pcre:$config_directory/greylist.pcre
smtpd_relay_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_restriction_classes = greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_inet_interfaces, reject_non_fqdn_sender, permit_sasl_authenticated, permit_tls_clientcerts, reject_unlisted_sender, reject_unknown_sender_domain, reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/cacert-karotte-combined.crt
smtpd_tls_dh1024_param_file =
Re: Define exception(s) from catchall domain
On 10/23/2014 2:52 PM, Sebastian Wiesinger wrote:
> Hello,
>
> I have a few users that insist on using catch-all domains. Not surprisingly, they get spam at some addresses. Now they're asking if they can reject mail for *some* of the addresses of the catch-all domain. They can create aliases themselves via postfixadmin and they want to do this the same way.
>
> I tried to implement this by using a check_recipient_access pcre table like this:
>
> /etc/postfix# cat recipient_access.pcre
> /^postfix-reject-address@.+$/ REJECT

This must match the recipient address as sent by the client and logged by the postfix smtpd process, NOT the rewritten address.

> smtpd_recipient_restrictions =
>     check_recipient_access pcre:$config_directory/recipient_access.pcre,
>     ...

It's generally unwise to put any access tables before permit_mynetworks. Extra caution is needed to make sure you don't accidentally create an open relay.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

> And telling them to add an alias to postfix-reject-address@$THEIR_DOMAIN

This should not be necessary.

  -- Noel Jones
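Noel's point (check_recipient_access sees the address the client sent, not the alias it later expands to) is the reason the pcre table in the original post never fired, and it is also why Sebastian's replacement, the proxy:mysql lookup against the postfixadmin alias table, does work: it keys on the address as sent. The block below is an added example, not code from the thread, Postfix or postfixadmin. It emulates both lookups in Python against an in-memory sqlite3 table with the three columns the posted query uses (address, goto, active); the sample rows, the domain example.org and the simplified access(5) key order (full address, address without the + extension, domain, localpart@) are assumptions for the demonstration. Postfix's own %s substitution is replaced by a bound query parameter.

```python
"""Emulate the two check_recipient_access lookups discussed in the thread
against the raw RCPT TO address.  Added example; table contents are constructed."""
import re
import sqlite3

# The pcre table from the original post.  Postfix pcre tables are
# case-insensitive by default, hence re.I.
PCRE_TABLE = [(re.compile(r"^postfix-reject-address@.+$", re.I), "REJECT")]

# The query from mysql_check_recipient_access.cf, with Postfix's %s replaced
# by a bound parameter (Postfix quotes %s itself; sqlite3 binds here).
ALIAS_QUERY = ("SELECT 'REJECT' FROM alias WHERE address=? "
               "AND goto='reject@postfix.access' AND active='1'")

def build_alias_table():
    """Constructed postfixadmin-style alias table (sample data, not real)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alias (address TEXT, goto TEXT, active TEXT)")
    db.executemany("INSERT INTO alias VALUES (?, ?, ?)", [
        ("info@example.org", "user@example.org", "1"),       # ordinary alias
        ("@example.org", "user@example.org", "1"),           # the catch-all
        # what the original post told users to create: the pcre-matched
        # address only appears after expansion, so smtpd never sees it
        ("reject-test@example.org", "postfix-reject-address@example.org", "1"),
        # the working approach: alias the unwanted address to reject@postfix.access
        ("spamtrap@example.org", "reject@postfix.access", "1"),
        # same, but deactivated in postfixadmin: must NOT reject
        ("old@example.org", "reject@postfix.access", "0"),
    ])
    return db

def access_lookup_keys(address, delimiter="+"):
    """Simplified key order Postfix tries for an access(5) table."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    if delimiter in local:                       # recipient_delimiter = +
        keys.append(f"{local.split(delimiter, 1)[0]}@{domain}")
    keys.append(domain)
    keys.append(f"{local}@")
    return keys

def pcre_check(address):
    """pcre table: regexes are matched against the key in order."""
    for rx, action in PCRE_TABLE:
        if rx.search(address):
            return action
    return "DUNNO"

def mysql_check(db, address):
    """SQL table: Postfix runs the query once per key until a row comes back."""
    for key in access_lookup_keys(address):
        row = db.execute(ALIAS_QUERY, (key,)).fetchone()
        if row:
            return row[0]
    return "DUNNO"

def decide(db, address):
    """Return (pcre_result, mysql_result) for the address the client sent."""
    return pcre_check(address), mysql_check(db, address)

if __name__ == "__main__":
    db = build_alias_table()
    for rcpt in ["reject-test@example.org", "spamtrap@example.org",
                 "spamtrap+tag@example.org", "old@example.org", "anything@example.org"]:
        print(f"{rcpt:28} pcre={decide(db, rcpt)[0]:6} mysql={decide(db, rcpt)[1]}")
```

For reject-test@example.org both lookups return DUNNO: the pcre table is asked about the address the client sent, which does not match, so the message is accepted and only later expanded to postfix-reject-address@..., where the virtual transport bounces it as user unknown, which is the backscatter in the original post. For spamtrap@example.org (and spamtrap+tag@, via the delimiter-stripped key) the SQL lookup finds the reject@postfix.access alias and answers REJECT at RCPT time, so no bounce is ever generated. The inactive row for old@example.org is ignored because of the active='1' clause in the posted query.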