Re: Performing rcpt_verification based on sender possible?
Noel, omg own stupidity :-) Settings all are okay but there was a cache file for results of verify lookups. Forgot that I changed the rcpt test account to REJECT within the last 31days (default for address_verify_positive_expire_time) So instead of waiting for max 31days for the "postfix self-healing" to kick in ;-), I removed the file and postfix reload and it works Thanks a lot for your help and have a good one tobi Am 14.11.18 um 16:29 schrieb Noel Jones: > On 11/14/2018 2:50 AM, Tobi wrote: > >> >> $ postconf -d|grep parent_domain_matches >> parent_domain_matches_subdomains = >> debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps >> > > caution: "postconf -d" shows the compiled-in defaults, not current > settings. use "postconf" (no options) to show current settings. > > >> Will set postfix to debug as described this evening and see if I can get >> more information about this issue. > > No, setting postfix to debug was not recommended. The combination > of "postconf -n" plus any overrides you've added in master.cf, and > normal logging almost certainly provides all the information you > need. Debug logging will likely bury the real problem in a flood of > unrelated information. > > > -- Noel Jones >
Re: Performing rcpt_verification based on sender possible?
On 11/14/2018 2:50 AM, Tobi wrote: > > $ postconf -d|grep parent_domain_matches > parent_domain_matches_subdomains = > debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps > caution: "postconf -d" shows the compiled-in defaults, not current settings. use "postconf" (no options) to show current settings. > Will set postfix to debug as described this evening and see if I can get > more information about this issue. No, setting postfix to debug was not recommended. The combination of "postconf -n" plus any overrides you've added in master.cf, and normal logging almost certainly provides all the information you need. Debug logging will likely bury the real problem in a flood of unrelated information. -- Noel Jones
Re: Performing rcpt_verification based on sender possible?
Noel, first of all thanks for your patience :-) > you must have smtpd_delay_reject=yes is set default so YES > and parent_domain_matches_subdomains must contain smtpd_access_maps checked that too, looks like the defaults $ postconf -d|grep parent_domain_matches parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps I checked with postconf -n that the smtpd_sender_restrictions are okay and as expected $ postconf -n|grep smtpd_sender smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/do_callahead, . Will set postfix to debug as described this evening and see if I can get more information about this issue. Thanks a lot tobi Am 13.11.18 um 18:22 schrieb Noel Jones: > On 11/13/2018 10:46 AM, Tobi wrote: >>> Postfix supports what you've described. You must have made some >>> other mistake. >> >> believe me that's what I thought first :-) But the only reason this >> would not fire is that a prior restriction already OK the mail. To test >> I commented all client restrictions and placed my check_sender access on >> (almost) top of sender_restrictions >> >> smtpd_sender_restrictions = reject_unknown_sender_domain, >> reject_non_fqdn_sender, >> check_sender_access hash:/etc/postfix/do_callahead, >> [] >> >> so the restriction is well before any restriction that could ACCEPT the >> mail. >> >> postmap tells me that it gets the correct value from the map >> >> $ postmap -q 'example.com' /etc/postfix/do_callahead >> reject_unverified_recipient >> >> >> > > Two things that come to mind... > > you must have smtpd_delay_reject=yes > > and parent_domain_matches_subdomains must contain smtpd_access_maps > > check your "postconf -n" output to make sure it shows what you expect. > > If you have more trouble, please see > http://www.postfix.org/DEBUG_README.html#mail > > > -- Noel Jones >
Re: Performing rcpt_verification based on sender possible?
On 11/13/2018 10:46 AM, Tobi wrote: >> Postfix supports what you've described. You must have made some >> other mistake. > > believe me that's what I thought first :-) But the only reason this > would not fire is that a prior restriction already OK the mail. To test > I commented all client restrictions and placed my check_sender access on > (almost) top of sender_restrictions > > smtpd_sender_restrictions = reject_unknown_sender_domain, > reject_non_fqdn_sender, > check_sender_access hash:/etc/postfix/do_callahead, > [] > > so the restriction is well before any restriction that could ACCEPT the > mail. > > postmap tells me that it gets the correct value from the map > > $ postmap -q 'example.com' /etc/postfix/do_callahead > reject_unverified_recipient > > > Two things that come to mind... you must have smtpd_delay_reject=yes and parent_domain_matches_subdomains must contain smtpd_access_maps check your "postconf -n" output to make sure it shows what you expect. If you have more trouble, please see http://www.postfix.org/DEBUG_README.html#mail -- Noel Jones
Re: Performing rcpt_verification based on sender possible?
> Postfix supports what you've described. You must have made some > other mistake. believe me that's what I thought first :-) But the only reason this would not fire is that a prior restriction already OK the mail. To test I commented all client restrictions and placed my check_sender access on (almost) top of sender_restrictions smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/do_callahead, [] so the restriction is well before any restriction that could ACCEPT the mail. postmap tells me that it gets the correct value from the map $ postmap -q 'example.com' /etc/postfix/do_callahead reject_unverified_recipient Am 13.11.18 um 17:18 schrieb Noel Jones: > On 11/13/2018 9:43 AM, Tobi wrote: >> Hello list >> >> I'm trying to achieve that a certain sender (or sender domain) must have >> the recipients verified. Thought that it could be done with a >> restriction class: >> >> #main.cf >> smtpd_restriction_classes = DO_CALLAHEAD >> DO_CALLAHEAD = reject_unverified_recipient >> smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/my.map >> >> #my.map >> example.com DO_CALLAHEAD >> >> But if I test with example.com sender on a remote rcpt that is rejected, >> the msg is always accepted and a bounce has to be sent back to sender. >> Which is what I'm trying to avoid for this particular sender with rcpt >> verification. >> >> Is there a way to achieve that with postfix? >> >> Thanks for any idea >> >> tobi >> > > > Postfix supports what you've described. You must have made some > other mistake. > > You can simplify your config by not using a restriction class, which > isn't required for this particular function. > > # my.map > example.com reject_unverified_recipient > > > > > -- Noel Jones >
Performing rcpt_verification based on sender possible?
Hello list I'm trying to achieve that a certain sender (or sender domain) must have the recipients verified. Thought that it could be done with a restriction class: #main.cf smtpd_restriction_classes = DO_CALLAHEAD DO_CALLAHEAD = reject_unverified_recipient smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/my.map #my.map example.com DO_CALLAHEAD But if I test with example.com sender on a remote rcpt that is rejected, the msg is always accepted and a bounce has to be sent back to sender. Which is what I'm trying to avoid for this particular sender with rcpt verification. Is there a way to achieve that with postfix? Thanks for any idea tobi