Re: Define exception(s) from catchall domain

2014-10-24 Thread Sebastian Wiesinger
* Noel Jones njo...@megan.vbhcs.org [2014-10-24 00:36]:
  I tried to implement this by using a check_recipient_access pcre_table
  like this:
  
  /etc/postfix# cat recipient_access.pcre
  /^postfix-reject-address@.+$/   REJECT
  
 
 This must match the recipient address as sent by the client and
 logged by postfix smtpd process, NOT the rewritten address.

Yes,

I figured this out and found a way to do what I wanted. I now have the
following:

smtpd_recipient_restrictions =
check_recipient_access 
proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf,
...

(Also I had to extend proxy_read_maps for this).

The .cf contains the following query:

query = SELECT 'REJECT' FROM alias WHERE address='%s' AND 
goto='reject@postfix.access' AND active = '1'

So all the users have to do is add an alias from their address to
reject@postfix.access to reject a specific alias.

  smtpd_recipient_restrictions =
  check_recipient_access pcre:$config_directory/recipient_access.pcre,
  ...
 
 It's generally unwise to put any access tables before
 permit_mynetworks. Extra caution is needed to make sure you don't
 accidentally create an open relay.

In this specific case I think it is okay because I want no one to be
able to mail to these addresses. It should be as if the alias does not
exist.

As for the open relay, I moved all that stuff to
smtpd_relay_restrictions.

  And telling them to add an alias to
  postfix-reject-address@$THEIR_DOMAIN
 
 This should not be necessary.

It's the way postfixadmin works. Without coding up an extension that
lets user block specific aliases this is the fastest way to do it.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
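The point Noel makes (the access table sees the recipient as the client sent it, never the rewritten address) is what separates the pcre attempt from the working SQL query above. The script below is an added model of that, not code from the thread or from postfixadmin: sqlite3 stands in for postfixadmin's MySQL alias table (table and column names and the reject@postfix.access sentinel follow the posted query; the domain, rows and the trap2/spamtrap addresses are constructed), and virtual alias expansion is simplified to one step (full address, then @domain) whereas real Postfix expands recursively.

```python
"""Model of which address check_recipient_access actually sees.

Added example; not code from the thread.  sqlite3 replaces the MySQL
'alias' table postfixadmin maintains.  Two Postfix lookups are modelled:
the check_recipient_access lookup smtpd does at RCPT TO on the envelope
recipient exactly as sent, and the virtual_alias_maps expansion cleanup
does later (simplified here to one step: full address, then @domain).
"""
import re
import sqlite3

DOMAIN = "karotte.example"  # constructed, not the poster's domain

ALIAS_ROWS = [  # constructed postfixadmin-style rows
    # address                  goto                                 active
    ("@" + DOMAIN,             "inbox@" + DOMAIN,                   1),  # catch-all
    ("inbox@" + DOMAIN,        "inbox@" + DOMAIN,                   1),
    ("spamtrap@" + DOMAIN,     "reject@postfix.access",             1),  # working scheme
    ("trap2@" + DOMAIN,        "postfix-reject-address@" + DOMAIN,  1),  # first post's scheme
    ("old@" + DOMAIN,          "reject@postfix.access",             0),  # disabled entry
]

# The pcre table from the first post.
PCRE_TABLE = """
# reject anything aliased to the sentinel address
/^postfix-reject-address@.+$/   REJECT
"""

# The query from the working .cf.  Postfix substitutes a quoted key for %s;
# the stand-alone model uses a sqlite placeholder instead.
ACCESS_QUERY = ("SELECT 'REJECT' FROM alias WHERE address = ? "
                "AND goto = 'reject@postfix.access' AND active = 1")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alias (address TEXT PRIMARY KEY, goto TEXT, active INTEGER)")
    db.executemany("INSERT INTO alias VALUES (?, ?, ?)", ALIAS_ROWS)
    return db


def check_recipient_access_sql(db, rcpt):
    """Result of the mysql: access table for the recipient as sent, or None."""
    # MySQL's default collation folds case; sqlite does not, so fold here.
    row = db.execute(ACCESS_QUERY, (rcpt.lower(),)).fetchone()
    return row[0] if row else None


def check_recipient_access_pcre(table, rcpt):
    """Minimal pcre: table lookup: first matching line wins, case-insensitive.
    Handles comments, blank lines and the ! negation prefix; flags are ignored."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(!?)/((?:[^/\\]|\\.)*)/([a-zA-Z]*)\s+(\S.*)$", line)
        if not m:
            raise ValueError("bad pcre table line: " + line)
        negate, pattern, _flags, result = m.groups()
        if bool(re.search(pattern, rcpt, re.IGNORECASE)) != bool(negate):
            return result
    return None


def virtual_alias_expand(db, rcpt):
    """One step of virtual_alias_maps: full address first, then @domain."""
    _local, _, domain = rcpt.lower().partition("@")
    for key in (rcpt.lower(), "@" + domain):
        row = db.execute("SELECT goto FROM alias WHERE address = ? AND active = 1",
                         (key,)).fetchone()
        if row:
            return row[0]
    return rcpt


def rcpt_outcome(db, rcpt):
    """What each approach decides at RCPT TO, and what cleanup would do after."""
    return {
        "pcre_at_rcpt": check_recipient_access_pcre(PCRE_TABLE, rcpt),
        "sql_at_rcpt": check_recipient_access_sql(db, rcpt),
        "expanded_to": virtual_alias_expand(db, rcpt),
    }


if __name__ == "__main__":
    db = make_db()
    for addr in ("trap2@" + DOMAIN, "spamtrap@" + DOMAIN, "nobody@" + DOMAIN, "old@" + DOMAIN):
        print(addr, rcpt_outcome(db, addr))
```

For trap2@ the pcre lookup returns nothing at RCPT TO because the sentinel address only exists after expansion, which no smtpd restriction ever looks up; the message is accepted and the bounce is generated downstream. The SQL variant keys on the address the client sent, so spamtrap@ is rejected inside the SMTP transaction, and the active column keeps a disabled postfixadmin entry (old@) from rejecting anything.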


Re: Define exception(s) from catchall domain

2014-10-24 Thread Wietse Venema
Sebastian Wiesinger:
 smtpd_recipient_restrictions =
  check_recipient_access 
 proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf,
 ...
 
 (Also I had to extend proxy_read_maps for this).

Argh. I forgot to include that in the default proxy_read_maps
setting.

 As for the open relay, I moved all that stuff to smtpd_relay_restrictions.

Good!

Wietse


Define exception(s) from catchall domain

2014-10-23 Thread Sebastian Wiesinger
Hello,

I have a few users that insist on using catch-all domains. Not
surprisingly, they get spam to some address. Now they're asking if they
can reject mail for *some* of the addresses of the catch-all domain.

They can create aliases themselves via postfixadmin and they want to
do this the same way.

I tried to implement this by using a check_recipient_access pcre_table
like this:

/etc/postfix# cat recipient_access.pcre
/^postfix-reject-address@.+$/   REJECT

smtpd_recipient_restrictions =
check_recipient_access pcre:$config_directory/recipient_access.pcre,
...

And telling them to add an alias to
postfix-reject-address@$THEIR_DOMAIN

But this doesn't work as postfix will produce bounces (backscatter)
like this:

reject-postfix-addr...@karotte.org (expanded from reject-t...@karotte.org):
user unknown

In the log I see that postfix tries to deliver the message with the
default virtual transport (dovecot) which then returns the user
unknown.

Is there a way to accomplish this?

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Define exception(s) from catchall domain

2014-10-23 Thread li...@rhsoft.net


Am 23.10.2014 um 21:52 schrieb Sebastian Wiesinger:

I have a few users that insist on using catch-all domains. Not
surprisingly, they get spam to some address. Now they're asking if they
can reject mail for *some* of the addresses of the catch-all domain.

They can create aliases themselves via postfixadmin and they want to
do this the same way.

I tried to implement this by using a check_recipient_access pcre_table
like this:

/etc/postfix# cat recipient_access.pcre
/^postfix-reject-address@.+$/   REJECT

smtpd_recipient_restrictions =
 check_recipient_access pcre:$config_directory/recipient_access.pcre,
 ...

And telling them to add an alias to
postfix-reject-address@$THEIR_DOMAIN

But this doesn't work as postfix will produce bounces (backscatter)
like this:

reject-postfix-addr...@karotte.org (expanded from reject-t...@karotte.org):
 user unknown

In the log I see that postfix tries to deliver the message with the
default virtual transport (dovecot) which then returns the user
unknown.

Is there a way to accomplish this?


a REJECT in smtpd_recipient_restrictions does NOT backscatter;
a proper REJECT in the MTA never sends a bounce

if it touches the virtual transport, the REJECT never got triggered

I do not see postconf -n output or a full log example for such a
message, so it's impossible to know what happens in your setup


anyway, somebody insisting on a catch-all in 2014 has to suck up the spam
or give up that completely broken idea - it did not even make sense 15
years ago - if somebody doesn't know my address he can't send mail to me
- so what - would you extend that to @internet? no - so why to @domain?


Re: Define exception(s) from catchall domain

2014-10-23 Thread Sebastian Wiesinger
* Sebastian Wiesinger postfix-us...@ml.karotte.org [2014-10-23 21:54]:
 Hello,
 
 I have a few users that insist on using catch-all domains. Not
 surprisingly, they get spam to some address. Now they're asking if they
 can reject mail for *some* of the addresses of the catch-all domain.
 
 They can create aliases themselves via postfixadmin and they want to
 do this the same way.
 
 I tried to implement this by using a check_recipient_access pcre_table
 like this:
 
 /etc/postfix# cat recipient_access.pcre
 /^postfix-reject-address@.+$/   REJECT
 
 smtpd_recipient_restrictions =
 check_recipient_access pcre:$config_directory/recipient_access.pcre,
 ...
 
 And telling them to add an alias to
 postfix-reject-address@$THEIR_DOMAIN
 
 But this doesn't work as postfix will produce bounces (backscatter)
 like this:
 
 reject-postfix-addr...@karotte.org (expanded from 
 reject-t...@karotte.org):
 user unknown

Forgot the logs/configuration:

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:$config_directory/body_checks.pcre
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
dovecot-sa_destination_recipient_limit = 1
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
greylist = check_policy_service inet:127.0.0.1:10023
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = 127.0.0.1, [::1], 176.9.75.247, 176.9.51.79,
[2a01:4f8:150:7142::25], [2a01:4f8:150:7142::587]
inet_protocols = ipv4, ipv6
mailbox_command = /usr/bin/procmail -a $EXTENSION
mailbox_size_limit = 0
message_size_limit = 10240
mydestination = mx.karotte.org, alita.karotte.org, localhost.karotte.org,
localhost
myhostname = mx.karotte.org
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_clientcerts = hash:$config_directory/relay_clientcerts
relay_domains = proxy:mysql:$config_directory/sql/mysql_relay_domains_maps.cf
relayhost =
smtp_address_preference = ipv6
smtp_bind_address = 176.9.75.247
smtp_bind_address6 = 2a01:4f8:150:7142::25
smtp_dns_support_level = dnssec
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_policy_maps = hash:$config_directory/tls_policy
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 15
smtpd_client_event_limit_exceptions = $mynetworks, $inet_interfaces
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts, check_client_access
cidr:$config_directory/unknown_reverse_hostname.cidr, check_client_access
hash:$config_directory/client_rbl_whitelist, permit_dnswl_client
list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client
zen.spamhaus.org=127.0.0.[2..11], reject_rbl_client ix.dnsbl.manitu.net,
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts,
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
smtpd_recipient_restrictions = check_recipient_access
pcre:$config_directory/recipient_access.pcre, permit_mynetworks,
permit_inet_interfaces, reject_non_fqdn_recipient,
permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access
hash:$config_directory/defer_unkown_users, reject_unlisted_recipient,
check_policy_service unix:private/policyd-spf, permit_dnswl_client
list.dnswl.org=127.0.[0..255].[0..3], check_recipient_access
pcre:$config_directory/greylist.pcre
smtpd_relay_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_restriction_classes = greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_inet_interfaces,
reject_non_fqdn_sender, permit_sasl_authenticated, permit_tls_clientcerts,
reject_unlisted_sender, reject_unknown_sender_domain, reject_rhsbl_sender
dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/cacert-karotte-combined.crt
smtpd_tls_dh1024_param_file = 

Re: Define exception(s) from catchall domain

2014-10-23 Thread Noel Jones
On 10/23/2014 2:52 PM, Sebastian Wiesinger wrote:
 Hello,
 
 I have a few users that insist on using catch-all domains. Not
 surprisingly, they get spam to some address. Now they're asking if they
 can reject mail for *some* of the addresses of the catch-all domain.
 
 They can create aliases themselves via postfixadmin and they want to
 do this the same way.
 
 I tried to implement this by using a check_recipient_access pcre_table
 like this:
 
 /etc/postfix# cat recipient_access.pcre
 /^postfix-reject-address@.+$/   REJECT
 

This must match the recipient address as sent by the client and
logged by postfix smtpd process, NOT the rewritten address.

 smtpd_recipient_restrictions =
 check_recipient_access pcre:$config_directory/recipient_access.pcre,
 ...

It's generally unwise to put any access tables before
permit_mynetworks. Extra caution is needed to make sure you don't
accidentally create an open relay.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

 
 And telling them to add an alias to
 postfix-reject-address@$THEIR_DOMAIN

This should not be necessary.



  -- Noel Jones
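Noel's warning about access tables ahead of permit_mynetworks, Sebastian's move of the relay policy into smtpd_relay_restrictions, and Wietse's "Good!" all turn on one rule from SMTPD_ACCESS_README#danger: a lookup table that answers OK before reject_unauth_destination lets table data grant relaying. The audit script below is an added example, not code from the thread or from Postfix; it parses a `postconf -n` dump and flags that ordering. The two configurations it checks are constructed samples (the thread's full postconf output is not reproduced), the list of argument-taking restrictions is a practical subset, and the default it assumes for an unset smtpd_relay_restrictions is the documented Postfix 2.10+ default.

```python
"""Audit a 'postconf -n' dump for the restriction-ordering problem
discussed in the thread (http://www.postfix.org/SMTPD_ACCESS_README.html#danger).

Added example; not code from the thread or from Postfix.  Rule encoded:
a data-driven restriction (check_*_access, check_policy_service,
permit_dnswl_client, ...) evaluated *before* reject_unauth_destination can
answer OK for a relay attempt and short-circuit the relay check.  That is an
open relay only if no other list still enforces the check, which is why
moving the guard into smtpd_relay_restrictions (Postfix 2.10+, evaluated in
addition to smtpd_recipient_restrictions) removes the risk.
"""

RELAY_GUARD = {"reject_unauth_destination", "defer_unauth_destination"}
# Restrictions whose next token is a table, policy server or DNS list name.
TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_", "permit_dnswl_", "permit_rhswl_")
# postconf -n omits defaults; this is the documented 2.10+ default (postconf -d).
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"


def parse_postconf(text):
    """'name = value' lines; continuation lines start with whitespace."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and name is not None:
            params[name] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params


def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs."""
    tokens = value.replace(",", " ").split()
    out, i = [], 0
    while i < len(tokens):
        name, i = tokens[i], i + 1
        arg = None
        if name.startswith(TAKES_ARG) and i < len(tokens):
            arg, i = tokens[i], i + 1
        out.append((name, arg))
    return out


def can_permit(name):
    """Restrictions whose verdict comes from table or DNS data and may be OK."""
    return name.startswith("check_") or name in ("permit_dnswl_client", "permit_rhswl_client")


def audit_relay_policy(params):
    """Return findings.  RISK: lines mean table data can grant relaying."""
    findings, guarded = [], []
    lists = {
        "smtpd_recipient_restrictions": params.get("smtpd_recipient_restrictions", ""),
        "smtpd_relay_restrictions": params.get("smtpd_relay_restrictions", DEFAULT_RELAY),
    }
    for lname, value in lists.items():
        names = [n for n, _ in parse_restrictions(value)]
        guard = next((i for i, n in enumerate(names) if n in RELAY_GUARD), None)
        if guard is None:
            continue  # this list does not decide relaying at all
        before = [n for n in names[:guard] if can_permit(n)]
        if before:
            findings.append(f"RISK: {lname}: {', '.join(before)} run before "
                            f"{names[guard]}; an OK/PERMIT result skips the relay check")
        else:
            guarded.append(lname)
    if not guarded:
        findings.insert(0, "RISK: open relay: no restriction list enforces "
                           "reject_unauth_destination ahead of table lookups")
    # Noel's milder point: a table before permit_mynetworks also hits your own clients.
    rcpt = [n for n, _ in parse_restrictions(lists["smtpd_recipient_restrictions"])]
    if "permit_mynetworks" in rcpt:
        early = [n for n in rcpt[:rcpt.index("permit_mynetworks")] if n.startswith("check_")]
        if early:
            findings.append(f"NOTE: {', '.join(early)} also applies to $mynetworks clients "
                            "(intended in the thread; confirm it is what you want)")
    return findings


# Constructed: everything in one list, guard after a table, and the relay
# list emptied the way some pre-2.10 migrations did.
LEGACY_CONF = """\
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_relay_restrictions =
"""

# Constructed: the layout the thread ends up with.  The per-user reject table
# stays first; relaying is decided by smtpd_relay_restrictions, which no
# table can short-circuit.
FIXED_CONF = """\
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/mysql_check_recipient_access.cf,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unlisted_recipient
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("fixed", FIXED_CONF)):
        print(label)
        for line in audit_relay_policy(parse_postconf(conf)) or ["ok"]:
            print("  " + line)
```

Run against a real dump with `postconf -n > main.cf.dump` and `parse_postconf(open("main.cf.dump").read())`. The legacy sample yields two RISK lines; the fixed sample yields only the NOTE, because the relay guard lives in a list no table precedes.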