On 06/19/2010 12:08 PM, Noel Jones wrote:
On 6/18/2010 8:48 PM, Michael Orlitzky wrote:
Our MX currently relays to one of two boxes (mail1, mail2) based on a
list of domains in transport_maps. Both mail1 and mail2 are ours, and we
have a full list of domains and recipients in relay_domains and
relay_recipient maps respectively.
Now, I would like to add a third, external, relay destination for one
domain. I can add the domain to relay_domains, but would prefer to use
address verification for the recipients (in that domain only).
My current restrictions:
smtpd_recipient_restrictions =
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_recipient_access hash:/etc/postfix/maps/rfc_addresses,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    check_client_access pcre:/etc/postfix/maps/reverse_dns.pcre,
    reject_unknown_sender_domain,
    check_client_access pcre:/etc/postfix/maps/generic_rbl_clients.pcre,
    check_sender_access hash:/etc/postfix/maps/backscatter_senders,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    check_policy_service unix:private/policyd-spf,
    check_policy_service unix:private/postgrey,
    permit
My first question is, what effect does reject_unverified_recipient
actually have? For example, if the recipient is verified, do the
restrictions continue to be evaluated, or is it the equivalent of an OK?
If the other restrictions are evaluated, wouldn't the address still be
rejected by either reject_unlisted_recipient or the default
smtpd_reject_unlisted_recipient=yes?
Regardless of the answer to that question, where is the smartest place
to stick that restriction in my current list? I would prefer to add
something like,
    check_recipient_access hash:/.../recipient_verify_domains
containing,
    example.com reject_unverified_recipient
so that only that domain's addresses are verified. However, this depends
on whether or not the reject_unlisted_recipient is skipped. If it isn't,
should I move the reject_unlisted/unverified restrictions to the end? Or
create a separate (almost-identical) restrictions class for the domain
in question?
All postfix reject_* restrictions return the equivalent of either REJECT
or DUNNO; if the transaction is not rejected it will continue with the
next defined restriction.
(Rules that can return DEFER_IF_PERMIT, such as
reject_unverified_[sender,recipient], are slightly more complicated
since a later restriction can cause a reject rather than a deferral, but
the general rule still applies -- if the connection isn't rejected,
processing continues with the next defined restriction.)
To exempt a relay domain from the reject_unlisted_recipient checks, add
a wildcard for that domain to your relay_recipient_maps table.
http://www.postfix.org/postconf.5.html#relay_recipient_maps
This is the idea I was missing. Works great, thanks.
To verify recipients at a specific domain, I would put a
check_recipient_access map just after where you have
reject_unlisted_recipients
-- Noel Jones
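
The setup the thread arrives at, written out as an added example (not a configuration posted by either participant). The map file paths for relay_recipient_maps and the verify-domain access map, and the next-hop host name, are assumptions; the restriction list is the one quoted above with one line added.

```ini
# --- relay_recipient_maps source file
#     (path assumed: /etc/postfix/maps/relay_recipients)
# Per-address entries for the domains served by mail1/mail2 stay as they are.
# The wildcard makes every address in example.com count as "listed", so
# reject_unlisted_recipient does not reject it. The right-hand side is
# required by the table format but its value is not used.
@example.com    OK

# --- access map source file
#     (path assumed: /etc/postfix/maps/recipient_verify_domains)
# Only recipients in this domain are handed to address verification;
# every other domain gets no match and evaluation simply continues.
example.com     reject_unverified_recipient

# --- transport_maps source file
# Verification probes follow the same route as real mail, so the external
# destination must be routable here (host name is a constructed placeholder).
example.com     smtp:[relay.external.invalid]

# --- main.cf
# The new lookup sits directly after reject_unlisted_recipient, so the
# probe is only sent for mail that already passed the relay checks.
smtpd_recipient_restrictions =
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_recipient_access hash:/etc/postfix/maps/recipient_verify_domains,
    check_recipient_access hash:/etc/postfix/maps/rfc_addresses,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    check_client_access pcre:/etc/postfix/maps/reverse_dns.pcre,
    reject_unknown_sender_domain,
    check_client_access pcre:/etc/postfix/maps/generic_rbl_clients.pcre,
    check_sender_access hash:/etc/postfix/maps/backscatter_senders,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    check_policy_service unix:private/policyd-spf,
    check_policy_service unix:private/postgrey,
    permit

# After editing, rebuild each hash: table with postmap and run "postfix reload".
```

Without the wildcard entry, reject_unlisted_recipient rejects every example.com address before the verification lookup is reached; with the wildcard but without the access map entry, the MX accepts any address in that domain and bounces later, which is the backscatter case recipient validation is meant to prevent.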