> On 26 Jan 2025, at 14:33, Wietse Venema via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> Gerben Wierda via Postfix-users:
>>
>>> On 23 Jan 2025, at 17:55, Wietse Venema via Postfix-users
>>> <postfix-users@postfix.org> wrote:
>>>
>>> Gerben Wierda via Postfix-users:
>>>> I was wondering, suppose I have a user like this:
>>>>
>>>> f...@bar.com is the account name
>>>> foo.lastn...@bar.com is the incoming alias and the outgoing canonical
>>>>
>>>> Could I force incoming mail to accept the alias form, but not
>>>> accept the account form? I.e. f...@bar.com as address is blocked,
>>>> but foo.lastn...@bar.com is accepted and delivered to f...@bar.com
>>>>
>>>> The spammers that send to my systems use the account form (and not
>>>> the alias/canonical) a lot, that's why I'm asking
>>>>
>>>> I can of course create a new account form (a...@bar.com) and use
>>>> aliases/canonicals on that, but that might not take hold in the
>>>> long term and I would have to let users change their auth settings
>>>> (which now is user 'foo' and 'password')
>>>
>>> Could this be as simple as an smtpd_recipient_restriction
>>>
>>> /etc/postfix/main.cf
>>>     smtpd_recipient_restrictions =
>>>         ...
>>>         reject_unauth_destination
>>>         check_recipient_access pcre:/etc/postfix/reject-account.pcre
>>>         ...
>>>
>>> /etc/postfix/reject-account.pcre:
>>>     /^[^.]+@example\.com$/ reject must use the first.last form
>>>
>>> Or the hard-core form:
>>>
>>> /etc/postfix/main.cf
>>>     smtpd_recipient_restrictions =
>>>         ...
>>>         reject_unauth_destination
>>>         check_recipient_access pcre:{{/^[^.]+@example\.com$$/
>>>             reject must use the first.last form}}
>>>         ...
>>>
>>> If this is intended only for *some* accounts, then you need
>>> to enumerate the forbidden forms.
>>
>> If I understand the documentation correctly, this will reject the entire
>> message for all recipients, including valid ones.
>
> No, the above will reject invalid recipients only,

Yes, but for discard it 'affects all recipients' according to access(5)

I could do reject of course and it would bounce back to the secondary which will drop it then because it gets a reject on the reject. I'd rather do discard.

>
>> (I'm planning for 'discard' to get rid of the backscatter)
>
> discard is the wrong solution for the wrong problem.
>
> I understand that you have a recipient validation policy that you
> want to enforce on a primary and secondary MX (the secondary MX
> forwards to the primary and you want to prevent backscatter).

No. I have no control over the secondary MX, it is an SMTP-backup service I use (zoneedit). I only have control over the primary. The secondary only keeps the messages and delivers to the primary. This way, when the primary is down, mail is not refused, kept, and delivered at a later date when the primary is back up again.

Spammers will often directly use a secondary as they know a secondary may be like this. So, what happens is: the spammer delivers to the secondary, the secondary delivers to the primary, the primary rejects. The secondary then sends an undeliverable message to the sender. But the spammers have made the sender and the recipient the same, so the reject message scatters back to the recipient.

I have a singular case where the spammers use the usern...@domain.tld a lot and not first.l...@domain.tld so I was looking for dropping those.

G

>
> The solution that I chose was to enforce policy on primary and
> secondary MX, *and* to arrange that the secondary MX forwards to
> primary MX port 26 which is configured to not enforce that policy
> again, thus no backscatter.
>
> Of course the port 26 service needs to be locked down so that it
> can be used only by the secondary. I use a combination of -o
> mynetworks=net/mask and "permit_mynetworks, reject_unauth_destination".
>
> Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
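
The REJECT versus DISCARD difference discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of `check_recipient_access` using the thread's pattern. The function names, the reply text and the sample recipients are constructed for illustration; this models the documented semantics and is not Postfix code.

```python
import re

# Pattern from the thread's reject-account.pcre. Postfix pcre tables match
# case-insensitively by default, hence re.IGNORECASE.
ACCOUNT_FORM = re.compile(r"^[^.]+@example\.com$", re.IGNORECASE)


def lookup(recipient, action):
    """Model of the table lookup: the action on a match, None (no decision) otherwise."""
    return action if ACCOUNT_FORM.search(recipient) else None


def smtp_transaction(recipients, action):
    """Simplified model of one message with several RCPT TO commands.

    REJECT refuses only the matching RCPT TO command. DISCARD, per access(5),
    claims successful delivery and silently drops the message, which affects
    all recipients. Returns (reply per recipient, recipients that get the mail).
    """
    replies, accepted, discard = {}, [], False
    for rcpt in recipients:
        result = lookup(rcpt, action)
        if result == "REJECT":
            # Simplified reply text; the real server adds more detail.
            replies[rcpt] = "554 must use the first.last form"
            continue
        replies[rcpt] = "250 Ok"
        accepted.append(rcpt)
        if result == "DISCARD":
            discard = True  # flag applies to the whole message
    return replies, ([] if discard else accepted)


# Constructed sample recipients. Note that the pattern also matches role
# addresses without a dot, such as postmaster, which is why the forbidden
# forms may need to be enumerated instead.
SAMPLE = ["foo@example.com", "foo.lastname@example.com", "POSTMASTER@example.com"]

if __name__ == "__main__":
    for action in ("REJECT", "DISCARD"):
        replies, delivered = smtp_transaction(SAMPLE, action)
        print(action, replies, "delivered:", delivered)
```

With REJECT the relaying secondary receives a 5xx reply for the account-form recipient and generates the bounce itself; with DISCARD it sees only `250 Ok`, so nothing bounces, but the valid recipient in the same message loses the mail too.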