Gerben Wierda via Postfix-users:
> 
> > On 23 Jan 2025, at 17:55, Wietse Venema via Postfix-users 
> > <postfix-users@postfix.org> wrote:
> > 
> > Gerben Wierda via Postfix-users:
> >> I was wondering, suppose I have a user like this:
> >> 
> >> f...@bar.com is the account name
> >> foo.lastn...@bar.com is the incoming alias and the outgoing canonical
> >> 
> >> Could I force incoming mail to accept the alias form, but not
> >> accept the account form? I.e. f...@bar.com as address is blocked,
> >> but foo.lastn...@bar.com is accepted and delivered to f...@bar.com
> >> 
> >> The spammers that send to my systems use the account form (and not
> >> the alias/canonical) a lot, that's why I'm asking
> >> 
> >> I can of course create a new account form (a...@bar.com) and use
> >> aliases/canonicals on that, but that might not take hold in the
> >> long term and I would have to let users change their auth settings
> >> (which now is user 'foo' and 'password')
> > 
> > Could this be as simple as an smtpd_recipient_restriction
> > 
> > /etc/postfix/main.cf
> >    smtpd_recipient_restrictions =
> >     ...
> >     reject_unauth_destination
> >     check_recipient_access pcre:/etc/postfix/reject-account.pcre
> >     ...
> > 
> > /etc/postfix/reject-account.pcre:
> >    /^[^.]+@example\.com$/   reject must use the first.last form
> > 
> > Or the hard-core form:
> > 
> > /etc/postfix/main.cf
> >    smtpd_recipient_restrictions =
> >        ...
> >        reject_unauth_destination
> >        check_recipient_access pcre:{{/^[^.]+@example\.com$$/ 
> >             reject must use the first.last form}}
> >        ...
> > 
> > If this is intended only for *some* accounts, then you need one
> > to enumerate the forbidden forms.
> 
> If I understand the documentation correctly, this will reject the entire
> message for all recipients, including valid ones.

No, the above will reject invalid recipients only.

> (I'm planning for 'discard' to get rid of the backscatter)

discard is the wrong solution for the wrong problem.

I understand that you have a recipient validation policy that you
want to enforce on a primary and secondary MX (the secondary MX
forwards to the primary and you want to prevent backscatter). 

The solution that I chose was to enforce policy on primary and
secondary MX, *and* to arrange that the secondary MX forwards to
primary MX port 26 which is configured to not enforce that policy
again, thus no backscatter.

Of course the port 26 service needs to be locked down so that it
can be used only by the secondary. I use a combination of -o
mynetworks=net/mask and "permit_mynetworks, reject_unauth_destination".

        Wietse
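
Added example, not part of the message above and not Postfix code: this Python approximates a pcre_table(5) lookup (first match wins, case-insensitive by default) so the posted pattern can be checked against recipients before deployment. The enumerated table, the account name "bar" and the sample recipients are constructed for illustration; Python's `re` stands in for PCRE, which behaves the same for these patterns.

```python
import re

# Table text as posted in the thread (format: /pattern/flags action).
BLANKET_TABLE = r"""
/^[^.]+@example\.com$/   reject must use the first.last form
"""

# Constructed variant that enumerates the forbidden account forms;
# "foo" and "bar" are hypothetical account names.
ENUMERATED_TABLE = r"""
# only these account names are refused
/^(foo|bar)@example\.com$/   reject must use the first.last form
"""

# Constructed sample recipients.
SAMPLE = ["foo@example.com", "foo.lastname@example.com", "FOO@EXAMPLE.COM",
          "postmaster@example.com", "foo@other.example"]

def parse_table(text):
    """Return [(compiled_regex, action)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-zA-Z]*)\s+(.*)$", line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        pattern, flags, action = m.groups()
        # Assumption: only the 'i' flag is modelled. Matching is
        # case-insensitive by default and 'i' toggles that.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, recipient):
    """First matching rule wins; None means the table has no opinion."""
    for regex, action in rules:
        if regex.search(recipient):
            return action
    return None

def rejected(table_text, recipients):
    """Recipients whose lookup result is a reject action."""
    rules = parse_table(table_text)
    return [r for r in recipients
            if (lookup(rules, r) or "").lower().startswith("reject")]

if __name__ == "__main__":
    print("blanket:   ", rejected(BLANKET_TABLE, SAMPLE))
    print("enumerated:", rejected(ENUMERATED_TABLE, SAMPLE))
```

The blanket pattern also matches dot-less role addresses such as postmaster@example.com, which the enumerated form avoids. On a live system, `postmap -q foo@example.com pcre:/etc/postfix/reject-account.pcre` gives the authoritative answer.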