On 9/10/2012 9:20 PM, David J. Weller-Fahy wrote:
> I want to confirm something I came across while playing with a
> test Postfix/Dovecot configuration. First, I am using Postfix
> 2.9.1 installed on a fully updated Debian stable (the backports
> version is 2.9.1-2~bpo60+1).
>
> I need to reject recipient-extension addresses not specifically
> allowed by a .forward-extension file in the user's home
> directory during the SMTP conversation, but allow any
> recipient-extension for which the user has defined a
> .forward-extension file. As far as I can tell, that is not
> possible (note, my experience with Postfix is *very* limited,
> thus this email) using any of the default alias maps, because
> the addresses fall back to the recipient.
>
> I have tried only using the "$alias_maps" by assigning
> "local_recipient_maps = $alias_maps", then placing the user
> name in the /etc/aliases file as "dave: dave". I have tried
> using the virtual_alias_maps and placing only the following
> lines in /etc/postfix/virtual.
>
> #v+
> d...@caterva.org dave
> dave-t...@caterva.org dave-test
> #v-
>
> In both cases when sending email to
> dave-anothert...@caterva.org Postfix determined that dave-test
> existed because Postfix defaulted to the user dave because the
> user existed. Note that I have been able to get Postfix to do
> everything else I wanted: Local, virtual, and internet delivery
> all work well.
>
> So, my two questions.
>
> 1) Am I correct that blocking recipient addresses which consist
> of an existing user with an extension not defined by that user
> (in a .forward-extension file) is not possible using Postfix
> using just the configuration options available in main.cf?

A few things I can think of (although neither of them perfect)

- a regexp or pcre check_recipient_access map that lists valid
  extensions and rejects all others. This could be created
  periodically by a not-terribly-complex shell/perl/whatever script.
- a TCP check_recipient_access map that queries some external
  program that verifies the extension. There is sample perl code for
  the TCP part floating around the web, and I don't think {look in
  the recipient's directory for .forward+foo} would be overly complex.
- an external policy service that checks the recipient's delivery
  rules to see if the requested extension exists. This would
  automatically recognize extensions, but I would be concerned about
  latency.

All the above get considerably more complex if the envelope
recipient is an alias.

> 2) Has anyone done something similar to what I want with a
> milter/plugin which my search-fu and documentation reading has
> not uncovered?

Not that I am aware of.

This generally isn't much of a problem. I think the usual action is
to accept whatever, then add specific unwanted/abused extensions to
a blacklist.

-- Noel Jones
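
The first suggestion in the reply above (a periodically generated pcre check_recipient_access map), sketched here as an added example that is not code from the thread. It assumes recipient_delimiter is "-" as in the dave-test address and that extension files are named .forward<delimiter><extension>; build_map, lookup and demo are hypothetical names, and the home directories are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

def build_map(homes, domain, delim="-"):
    """Return pcre access-map lines: DUNNO for real users and for extensions
    that have a .forward<delim><ext> file, REJECT for any other extension."""
    esc_dom = re.escape(domain)
    allow, reject = [], []
    prefix = ".forward" + delim
    for user, home in sorted(homes.items()):
        # A real account such as "dave-x" must never hit dave's reject rule.
        allow.append(f"/^{re.escape(user)}@{esc_dom}$/ DUNNO")
        for f in sorted(Path(home).iterdir()):
            ext = f.name[len(prefix):]
            if f.is_file() and f.name.startswith(prefix) and ext:
                allow.append(f"/^{re.escape(user + delim + ext)}@{esc_dom}$/ DUNNO")
        reject.append(f"/^{re.escape(user + delim)}.+@{esc_dom}$/ "
                      "REJECT unknown recipient extension")
    return allow + reject  # pcre tables are first-match, so allow rules go first

def lookup(lines, addr):
    """Emulate the first-match, case-insensitive lookup of a pcre table."""
    for line in lines:
        pattern, action = line[1:].split("/ ", 1)
        if re.search(pattern, addr, re.IGNORECASE):
            return action
    return None  # no match: Postfix moves on to the next restriction

def demo():
    # Constructed sample: dave has .forward-test; dave-x is a separate account.
    with tempfile.TemporaryDirectory() as root:
        homes = {}
        for user in ("dave", "dave-x"):
            homes[user] = Path(root, user)
            homes[user].mkdir()
        (homes["dave"] / ".forward").write_text("dave\n")
        (homes["dave"] / ".forward-test").write_text("dave\n")
        return build_map(homes, "caterva.org")

if __name__ == "__main__":
    print("\n".join(demo()))
```

The generated lines go in a file referenced as check_recipient_access pcre:<file> in smtpd_recipient_restrictions, ahead of whatever rule accepts local mail; as the reply notes, recipients that are aliases are not covered by this approach.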