On Tue, Aug 19, 2008 at 11:38 AM, Wietse Venema <[EMAIL PROTECTED]> wrote:
> Jeff:
>> It took me a while before I could test this. The recommended solution
>> succeeds at blocking the specified aliases when relayed through our
>> gateway, but it does not do so at the SMTP level. It generates bounce
>> notifications, which in the end will create back-scatter. The bounce
>> message I got in testing gave an error code of 554.
>
> Sorry, reject_unverified_recipient does not generate backscatter.
> If you believe this is not so, then you need to provide actual
> evidence so that we can point out your mistake.
>
> Wietse

Exactly! I can't figure out why I'm getting bounces instead of rejects.

I did (moments after clicking "send") discover in "man -s 5 access" that I can put the reject code (550) directly in the map. However, I am still getting bounces when I send mail to the private address I am using for testing.

Updated config on the back-end MTA...

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = $myhostname, localhost
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
local_recipient_maps = $alias_maps, $virtual_alias_maps, ldap:/etc/postfix/ldap-users.cf
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = !192.168.1.65, 192.168.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/private-aliases, reject_unverified_recipient
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

# cat /etc/postfix/private-aliases
[EMAIL PROTECTED] 550 User unknown

Perhaps the way in which I added "check_recipient_access" has broken my standard recipient verification.

Using telnet to port 25 from my gateway box (for which the special restrictions should apply) to the back-end MTA, I get:

RCPT TO: [EMAIL PROTECTED]
550 <[EMAIL PROTECTED]>: Recipient address rejected: User unknown

Which appears correct. Yet, the gateway still sends a bounce. I don't know why. Again, maybe just not exactly what the gateway expects. Does not appear to be the fault of the back-end postfix.

But for an actual non-existent user, I now get

RCPT TO:[EMAIL PROTECTED]
450 <[EMAIL PROTECTED]>: Recipient address rejected: undeliverable address: host /var/lib/imap/socket/lmtp[/var/lib/imap/socket/lmtp] said: 550-Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command)

Here, the recipient lookup does not appear to be happening and postfix is attempting to deliver to cyrus-imap via lmtp, which fails.

Previous to this attempted implementation (adding check_recipient_access as suggested), I was getting (correctly):

RCPT TO:[EMAIL PROTECTED]
550 <[EMAIL PROTECTED]>: Recipient address rejected: User unknown in local recipient table

The gateway treats this properly and relays the reject to the external MTA.

So I guess I am back to the original question: What is the proper way to reject specific recipients from the gateway, yet allow them from internal MTAs? And, how can I do it in a fashion that appears to the gateway identical to the response for a truly non-existent user?

--
Jeff