On 6/19/2015 7:33 PM, PGNd wrote:
> I've a postfix frontend instance that
>
> -- relays only for specific domains
> -- uses remote address verification
>
> to a postfix backend.
>
> Frontend config includes
>
> /main.cf
> myhostname = mailhost.DDDD.com
> mydomain = mail.DDDD.com
> myorigin = $mydomain
> mydestination = $myhostname localhost.$mydomain localhost
>     $mydomain
> relay_domains = DDDD1.com
>     DDDD2.com
>     ...
>     DDDDn.com
> parent_domain_matches_subdomains = debug_peer_list
> relay_recipient_maps =
> reject_tempfail_action = defer_if_permit
> unverified_recipient_tempfail_action = defer_if_permit
> address_verify_map = lmdb:/var/lib/postfix/verify_cache
> address_verify_transport_maps =
>     static:relay-vpn:[internal.DDDD.com]:25
> transport_maps = static:relay-vpn:[internal.DDDD.com]:12345
> ...
>
> Message relay is correctly restricted to the 'relay_domains' list.
>
> OTOH, remote recipient verification probes are allowed/executed for both mail
> sent to user@
>
> -- the 'relay' domains list
> -- the canonical domain, DDDD.com
>
> DDDD.com is local-only; it's NOT hosted at the remote backend.
>
> How do I correctly restrict/prevent remote address verification probes being
> executed for the canonical domain?
>

You can control it with a check_recipient_access map in place of
your blanket reject_unverified_recipient.

An indexed map would look something like

local.example.com    reject_unlisted_recipient
relay1.example.com   reject_unverified_recipient
relay2.example.com   reject_unverified_recipient
...

If you have lots of relay domains, you can use a PCRE map, something
like:

/@local\.example\.com$/   reject_unlisted_recipient
/./                       reject_unverified_recipient

  -- Noel Jones
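
Added example, not part of the original thread and not Postfix code: a simplified Python model of how the two maps in the reply pick an action per recipient, with the thread's DDDD placeholder domains substituted in. The lookup order is a reduced version of the one in access(5), and the sample recipients are constructed.

```python
import re

# Indexed map from the reply, keyed on the thread's placeholder domains
# (constructed sample; DDDD.com is the local-only domain in the question).
INDEXED = {
    "dddd.com": "reject_unlisted_recipient",
    "dddd1.com": "reject_unverified_recipient",
    "dddd2.com": "reject_unverified_recipient",
}

# PCRE variant from the reply: rules are tried top to bottom, first match wins.
PCRE = [
    (re.compile(r"@dddd\.com$", re.I), "reject_unlisted_recipient"),
    (re.compile(r".", re.I), "reject_unverified_recipient"),
]

def indexed_action(rcpt, table=INDEXED):
    """Simplified access(5) search order: user@domain, domain, .parent, user@."""
    rcpt = rcpt.lower()
    local, _, domain = rcpt.rpartition("@")
    keys = [rcpt, domain]
    # parent_domain_matches_subdomains in the question does not list
    # smtpd_access_maps, so subdomains match only explicit ".parent" keys.
    labels = domain.split(".")
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None  # no match: Postfix moves on to the next restriction

def pcre_action(rcpt, rules=PCRE):
    """Return the action of the first matching rule, or None."""
    for pattern, action in rules:
        if pattern.search(rcpt):
            return action
    return None

def probes_backend(action):
    """Only reject_unverified_recipient sends a verification probe."""
    return action == "reject_unverified_recipient"

if __name__ == "__main__":
    for rcpt in ("user@DDDD.com", "user@DDDD1.com",
                 "user@sub.DDDD.com", "user@other.example"):
        print(f"{rcpt:20} indexed={indexed_action(rcpt)} pcre={pcre_action(rcpt)}")
```

The two maps agree on the local and relay domains but differ elsewhere: the indexed map returns nothing for subdomains and unlisted domains, while the PCRE catch-all selects verification for every recipient outside the local domain.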