Re: restrict execution of remote address verification probes for canonical, local-only domain?

[PGNd]

On Fri, Jun 19, 2015, at 06:44 PM, Noel Jones wrote:
> You can control it with a check_recipient_access map in place of
> your blanket reject_unverified_recipient.

Ah.

My goal is:

        -- for {spam,ham}.1...@mail.dddd.com accept & pipe to FILTER 
'sa-spam'/'sa-ham', respectively
        -- reject all other msgs to * @mail.DDDD.com
        -- reject all other unverified recipients
        -- fwd/relay all verified recipients

Iiuc, then

        /main.cf
                ...
                smtpd_relay_restrictions =
+                 check_sender_access 
lmdb:/usr/local/etc/postfix/salearn_filter_map
                  permit_mynetworks
                  reject_unauth_destination
-                 reject_unverified_recipient
+                 check_recipient_access 
pcre:/usr/local/etc/postfix/recipient_access_map.pcre
                  check_policy_service unix:private/policyd-spf

        /salearn_filter
                spam.1234 FILTER sa-spam
                ham.1234  FILTER sa-ham

        /recipient_access_map.pcre
                /@mail\.DDDD\.com$/    reject_unlisted_recipient
                /./                    reject_unverified_recipient 

should do the trick. (?)


I'm generally using

                smtpd_relay_restrictions =

rather than

                smtpd_recipient_restrictions =

because I understand it to be an earlier, and not a problem in this usage.

Still ok here?


Docs at

        http://www.postfix.org/postconf.5.html#check_recipient_access

        check_recipient_access type:table
            Search the specified access(5) database for the resolved RCPT TO 
address, domain, parent domains, or localpart@, and execute the corresponding 
action. 
        ...

        smtpd_reject_unlisted_recipient (default: yes)

            Request that the Postfix SMTP server rejects mail for unknown 
recipient addresses, even when no explicit reject_unlisted_recipient access 
restriction is specified. This prevents the Postfix queue from filling up with 
undeliverable MAILER-DAEMON messages.

            An address is always considered "known" when it matches a 
virtual(5) alias or a canonical(5) mapping.

Suggest that I need the spam.1234@ and ham.1234@ addresses _known_ in 
'canonical'.

@ http://www.postfix.org/canonical.5.html

        TABLE FORMAT
               The input format for the postmap(1) command is as follows:

               pattern address
                      When  pattern  matches  a mail address, replace it by the 
corre-
                      sponding address.

so

        /canonical
                spam.1...@mail.dddd.com   ?????
                ham.1...@mail.dddd.com    ?????

(1) is the approach above what you had in mind, and correct?
(2) what're the 'right side' entries in /canoncial in this use case?