Hello,

On 02/23/2012 08:55 AM, Noel Jones wrote:
>> smtpd_sender_restrictions=
>
> Yes, that's where it goes unless you've (unwisely) set
> smtpd_delay_reject=no.

I have not set that.

>> and
>>
>> smtpd_recipient_restrictions=
>
> That works too, but needs additional settings. Simpler to put it in
> smtpd_sender_restrictions.

Ok. Simpler is better. I'll put it there.

>> Still no luck - the spamtrap check is never triggered.
>
> For reporting a problem, please see:
> http://www.postfix.org/DEBUG_README.html#mail

Follows below.

> As a general rule, avoid doing recipient checks in smtpd_data_restrictions.

Got it.

> Reporting problems to postfix-users@postfix.org
> A summary of the problem. Please do not just send some logging without
> explanation of what YOU believe is wrong.

I'm trying to get spamtrap recipient address detection and subsequent all-recipient DISCARD of the message.

As advised in this thread, I added to the "reinjection listener",

    -o smtpd_sender_restrictions=check_recipient_access,hash:/etc/postfix/spamtrap

After a

    postfix reload
    postsuper -d ALL
    service postfix restart

When I test-send a 2-recipient message, where one recipient is the hash-table-identified spamtrap address,

    sendmail -i -t
    From: ro...@deskmail.rogermail.lan
    To: ro...@mail.rogermail.lan,s...@mail.rogermail.lan
    Subject: test testing

Instead of DISCARDing the message for both recipients, the "spam@" recipient is rejected for "User unknown in virtual mailbox table", and the "roger@" recipient is accepted & delivered via lmtp to my local mail store.

I don't know if that's because I misconfigured or misused something, or there's a problem. So I'm including

> Complete error messages.
> Postfix logging.

tail -f /var/log/mail ==>
-----------------------------------------------------------------------
Feb 23 09:37:15 mx postfix/postscreen[17166]: cache /var/lib/postfix/postscreen_cache.db full cleanup: retained=3 dropped=0 entries
Feb 23 09:37:16 mx postfix/postscreen[17166]: PASS OLD [192.168.1.13]:43486
Feb 23 09:37:16 mx postfix/smtpd[17175]: connect from deskmail.rogermail.lan[192.168.1.13]
Feb 23 09:37:16 mx postfix/smtpd[17175]: NOQUEUE: client=deskmail.rogermail.lan[192.168.1.13]
Feb 23 09:37:16 mx postfix/smtpd[17175]: NOQUEUE: reject: RCPT from deskmail.rogermail.lan[192.168.1.13]: 550 5.1.1 <s...@mail.rogermail.lan>: Recipient address rejected: User unknown in virtual mailbox table; from=<r...@deskmail.rogermail.lan> to=<s...@mail.rogermail.lan> proto=ESMTP helo=<deskmail.rogermail.lan>
Feb 23 09:37:16 mx postfix/smtpd[17183]: connect from localhost[127.0.0.1]
Feb 23 09:37:16 mx postfix/smtpd[17183]: 8B81B20337: client=localhost[127.0.0.1], orig_client=deskmail.rogermail.lan[192.168.1.13]
Feb 23 09:37:16 mx spampd[32019]: processing message <20120223173719.0128f40...@deskmail.rogermail.lan> for <ro...@mail.rogermail.lan> ORCPT=rfc822;ro...@mail.rogermail.lan
Feb 23 09:37:26 mx spampd[32019]: clean message <20120223173719.0128f40...@deskmail.rogermail.lan> (0.80/4.00) from <r...@deskmail.rogermail.lan> for <ro...@mail.rogermail.lan> ORCPT=rfc822;ro...@mail.rogermail.lan in 9.56s, 602 bytes.
Feb 23 09:37:26 mx postfix/cleanup[17186]: 8B81B20337: message-id=<20120223173719.0128f40...@deskmail.rogermail.lan>
Feb 23 09:37:26 mx postfix/qmgr[16440]: 8B81B20337: from=<r...@deskmail.rogermail.lan>, size=1066, nrcpt=1 (queue active)
Feb 23 09:37:26 mx postfix/smtpd[17175]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 8B81B20337; from=<r...@deskmail.rogermail.lan> to=<ro...@mail.rogermail.lan> proto=ESMTP helo=<deskmail.rogermail.lan>
Feb 23 09:37:26 mx postfix/smtpd[17175]: disconnect from deskmail.rogermail.lan[192.168.1.13]
Feb 23 09:37:26 mx postfix/smtpd[17183]: disconnect from localhost[127.0.0.1]
Feb 23 09:37:26 mx postfix/lmtp[17212]: 8B81B20337: to=<ro...@mail.rogermail.lan>, relay=mail.rogermail.lan[private/dovecot-lmtp], delay=10, delays=9.7/0.02/0.03/0.23, dsn=2.0.0, status=sent (250 2.0.0 <ro...@mail.rogermail.lan> ihjKFVZ5Rk89QwAAwJ+ohQ Saved)
Feb 23 09:37:26 mx postfix/qmgr[16440]: 8B81B20337: removed
-----------------------------------------------------------------------

> Output from "postconf -n". Please do not send your main.cf file, or 500+
> lines of postconf output.
> Better, provide output from the postfinger tool. This can be found at
> http://ftp.wl0.org/SOURCES/postfinger.

The config below comes from a LOT of digging, copy/paste and trial & error from the mailing lists and the Postfix book. It seems to work for most usage, so far as I've tested. There's obviously more testing to do.

postfinger ==>
-----------------------------------------------------------------------
postfinger - postfix configuration on Thu Feb 23 09:11:38 PST 2012
version: 1.30

--System Parameters--
mail_version = 2.8.7
hostname = mail.rogermail.lan
uname = Linux mail.rogermail.lan 3.1.9-1.4-xen #1 SMP Fri Jan 27 08:55:10 UTC 2012 (efb5ff4) x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.8.7-126.1.x86_64

--main.cf non-default parameters--
append_dot_mydomain = no
authorized_submit_users = root roger wwwrun
biff = no
body_checks = pcre:/etc/postfix/body_checks
daemon_directory = /usr/lib/postfix
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = 192.168.1.10 192.168.1.11
local_recipient_maps =
mailbox_size_limit = 0
mail_name = mail.rogermail.lan
message_size_limit = 20480000
milter_default_action = accept
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = localhost.mail.rogermail.lan, localhost
mydomain = mail.rogermail.lan
mynetworks = 127.0.0.0/8
nested_header_checks = pcre:/etc/postfix/nested_header_checks
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_client_connection_count_limit = 10
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = zen.spamhaus.org*2 b.barracudacentral.org*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
smtp_bind_address = 192.168.1.10
smtpd_banner = mail.rogermail.lan ESMTP
smtpd_helo_required = yes
smtpd_recipient_restrictions =
smtpd_timeout = ${stress?10}${stress:60}s
smtpd_tls_auth_only = yes
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /usr/local/etc/ssl/certs/mail.rogermail.lan.crt
smtpd_tls_ciphers = HIGH
smtpd_tls_exclude_ciphers = MEDIUM, LOW, EXPORT, NULL, aNULL
smtpd_tls_key_file = /usr/local/etc/ssl/private/mail.rogermail.lan.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = HIGH
smtpd_tls_mandatory_exclude_ciphers = MEDIUM, LOW, EXPORT, NULL, aNULL
smtpd_tls_mandatory_protocols = TLSv1, SSLv3, !SSLv2
smtpd_tls_protocols = TLSv1, SSLv3, !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/vdomains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/vmailboxes.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

--master.cf--
192.168.1.10:smtp inet n - n - 1 postscreen
smtpd pass - - n - 20 smtpd
    -o smtpd_proxy_filter=inet:127.0.0.1:10025
    -o smtpd_proxy_timeout=100s
    -o smtpd_proxy_ehlo=mail.rogermail.lan
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust
    -o smtp_send_xforward_command=yes
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o disable_mime_output_conversion=yes
    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_sender_domain,permit_mynetworks,reject_unknown_recipient_domain,reject_unlisted_recipient,reject_unauth_destination
127.0.0.1:10026 inet n - n - - smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_required=yes
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=check_recipient_access,hash:/etc/postfix/spamtrap
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o smtpd_etrn_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
submission inet n - n - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_login_maps=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
    -o smtpd_etern_restrictions=reject
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_milters=inet:127.0.0.1:10030
    -o non_smtpd_milters=inet:localhost:10030
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
    -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/python /usr/local/bin/policyd-spf
retry unix - - n - - error

-- end of postfinger output --
-----------------------------------------------------------------------

On 02/23/2012 09:28 AM, /dev/rob0 wrote:
>> I'd have to create a policy service, right? Some sort of
>> additional filter, or some such?
>
> A policy service is an external daemon, yes. Examples of such which
> are in common use include policyd and postfwd.

Ok. If that's the eventual solution, I'll have to learn how to do that.

> http://www.postfix.org/SMTPD_POLICY_README.html and the sites for
> both aforementioned third-party projects.

I'd read that already. Time to read it some more. Thanks.

> My view remains unchanged; I would not do what you are describing.
> Naturally you are free to disagree and do it anyway, but by posting
> here, you opened it up for opinions, and you got mine.

Thanks for the input. I will disagree, and will attempt to achieve the same outcome that my prior commercial implementation has enabled me to do, by design.

On 02/23/2012 09:45 AM, Wietse Venema wrote:
> At DATA time, recipient-based features are undefined for multi-recipient
> mail. Such things are beyond what is possible with the built-in
> access language.
>
> With the current access language, a policy daemon would have to
> maintain state (the afore-mentioned flag) about preceding queries
> for the same mail transaction (the same "instance" attribute) and
> then reject mail at DATA time.

Again way over my head -- though I'm not even sure that's targeted at me. I think that if I wrote a policy daemon that's what I'd have to *do*.

IIUC, the

    -o smtpd_sender_restrictions=check_recipient_access,hash:/etc/postfix/spamtrap

as advised should be doing the trick. Apparently it's not working for me. I hope to learn how to get there. Ideally just using what Postfix provides and without writing additional code.

Cheers,

Roger

--
Roger Garrington
Wilimington, NC
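
Added example, not code from this thread or from the Postfix project: the policy-daemon logic described in Wietse Venema's quoted reply, which remembers per "instance" whether a RCPT-stage query named a spamtrap and then answers the DATA-stage query for the same transaction with DISCARD (the outcome asked for in the post; the quoted reply speaks of rejecting). The trap address and all class and function names are constructed, and it assumes the service is listed with check_policy_service in both smtpd_recipient_restrictions and smtpd_data_restrictions.

```python
import sys

# Constructed trap address; the post keeps its list in hash:/etc/postfix/spamtrap.
SPAMTRAPS = {"trap@example.test"}

class SpamtrapPolicy:
    """Per-transaction flag: did any RCPT query name a spamtrap address?"""

    def __init__(self, traps, max_instances=10000):
        self.traps = {t.lower() for t in traps}
        self.flagged = {}                 # instance -> True, oldest first
        self.max_instances = max_instances

    def decide(self, attrs):
        instance = attrs.get("instance", "")
        state = attrs.get("protocol_state", "")
        if state == "RCPT" and attrs.get("recipient", "").lower() in self.traps:
            self.flagged[instance] = True
            # Transactions that never reach DATA would otherwise leak entries.
            while len(self.flagged) > self.max_instances:
                del self.flagged[next(iter(self.flagged))]
        elif state == "DATA" and self.flagged.pop(instance, False):
            # At DATA the action applies to the whole message, all recipients.
            return "DISCARD spamtrap recipient in transaction"
        return "DUNNO"                    # let the remaining restrictions decide

def read_request(stream):
    """Read one request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None                           # EOF: Postfix closed the connection

def serve(stdin, stdout, policy):
    """Answer requests on one connection, e.g. when run from spawn(8)."""
    while (attrs := read_request(stdin)) is not None:
        stdout.write(f"action={policy.decide(attrs)}\n\n")
        stdout.flush()

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, SpamtrapPolicy(SPAMTRAPS))
```

Keeping the flag in process memory relies on Postfix sending all queries for one instance over the same policy connection, as SMTPD_POLICY_README describes.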