* Sebastian Wiesinger <postfix-us...@ml.karotte.org> [2014-10-23 21:54]:
> Hello,
> 
> I have a few users who insist on using catch-all domains. Not
> surprisingly, they get spam to some addresses. Now they're asking whether
> they can reject mail for *some* of the addresses of the catch-all domain.
> 
> They can create aliases themselves via postfixadmin and they want to
> do this the same way.
> 
> I tried to implement this by using a check_recipient_access pcre_table
> like this:
> 
> /etc/postfix# cat recipient_access.pcre
> /^postfix-reject-address@.+$/   REJECT
> 
> smtpd_recipient_restrictions =
>     check_recipient_access pcre:$config_directory/recipient_access.pcre,
>     ...
> 
> And telling them to add an alias to
> postfix-reject-address@$THEIR_DOMAIN
> 
> But this doesn't work: Postfix accepts the message at SMTP time and only
> bounces it after the alias has been expanded, producing backscatter
> like this:
> 
> <reject-postfix-addr...@karotte.org> (expanded from 
> <reject-t...@karotte.org>):
>     user unknown

Forgot the logs/configuration:

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:$config_directory/body_checks.pcre
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
dovecot-sa_destination_recipient_limit = 1
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
greylist = check_policy_service inet:127.0.0.1:10023
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = 127.0.0.1, [::1], 176.9.75.247, 176.9.51.79,
    [2a01:4f8:150:7142::25], [2a01:4f8:150:7142::587]
inet_protocols = ipv4, ipv6
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 102400000
mydestination = mx.karotte.org, alita.karotte.org, localhost.karotte.org,
    localhost
myhostname = mx.karotte.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_clientcerts = hash:$config_directory/relay_clientcerts
relay_domains = proxy:mysql:$config_directory/sql/mysql_relay_domains_maps.cf
relayhost =
smtp_address_preference = ipv6
smtp_bind_address = 176.9.75.247
smtp_bind_address6 = 2a01:4f8:150:7142::25
smtp_dns_support_level = dnssec
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_policy_maps = hash:$config_directory/tls_policy
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 15
smtpd_client_event_limit_exceptions = $mynetworks, $inet_interfaces
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces,
    permit_sasl_authenticated, permit_tls_clientcerts, check_client_access
    cidr:$config_directory/unknown_reverse_hostname.cidr, check_client_access
    hash:$config_directory/client_rbl_whitelist, permit_dnswl_client
    list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client
    zen.spamhaus.org=127.0.0.[2..11], reject_rbl_client ix.dnsbl.manitu.net,
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_inet_interfaces,
    permit_sasl_authenticated, permit_tls_clientcerts,
    reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
smtpd_recipient_restrictions = check_recipient_access
    pcre:$config_directory/recipient_access.pcre, permit_mynetworks,
    permit_inet_interfaces, reject_non_fqdn_recipient,
    permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access
    hash:$config_directory/defer_unkown_users, reject_unlisted_recipient,
    check_policy_service unix:private/policyd-spf, permit_dnswl_client
    list.dnswl.org=127.0.[0..255].[0..3], check_recipient_access
    pcre:$config_directory/greylist.pcre
smtpd_relay_restrictions = permit_mynetworks, permit_inet_interfaces,
    permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_restriction_classes = greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_inet_interfaces,
    reject_non_fqdn_sender, permit_sasl_authenticated, permit_tls_clientcerts,
    reject_unlisted_sender, reject_unknown_sender_domain, reject_rhsbl_sender
    dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/cacert-karotte-combined.crt
smtpd_tls_dh1024_param_file = $config_directory/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/dh512.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/cacert-karotte.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
strict_rfc821_envelopes = yes
transport_maps = hash:$config_directory/transport
virtual_alias_maps =
    proxy:mysql:$config_directory/sql/mysql_virtual_alias_maps.cf,
    proxy:mysql:$config_directory/sql/mysql_virtual_alias_domain_maps.cf,
    proxy:mysql:$config_directory/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
    proxy:mysql:$config_directory/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
    proxy:mysql:$config_directory/sql/mysql_virtual_mailbox_maps.cf,
    proxy:mysql:$config_directory/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot-sa
virtual_uid_maps = static:111



log:

Oct 23 22:03:16 alita postfix/smtpd[22089]: 3jNzyr0pr2zCqp7: client=danton.fire-world.de[2001:4dd0:f8dd::120]
Oct 23 22:03:33 alita postfix/cleanup[20841]: 3jNzyr0pr2zCqp7: message-id=<>
Oct 23 22:03:33 alita opendmarc[19015]: 3jNzyr0pr2zCqp7: fire-world.de none
Oct 23 22:03:33 alita postfix/qmgr[20825]: 3jNzyr0pr2zCqp7: from=<b...@fire-world.de>, size=588, nrcpt=1 (queue active)
Oct 23 22:03:33 alita postfix/pipe[22030]: 3jNzyr0pr2zCqp7: to=<postfix-reject-addr...@karotte.org>, orig_to=<reject-t...@karotte.org>, relay=dovecot-sa, delay=25, delays=25/0/0/0.07, dsn=5.1.1, status=bounced (user unknown)
Oct 23 22:03:33 alita postfix/bounce[22138]: 3jNzyr0pr2zCqp7: sender non-delivery notification: 3jNzz94LWMzCtkr
Oct 23 22:03:33 alita postfix/qmgr[20825]: 3jNzyr0pr2zCqp7: removed


-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
