On 6/19/2015 11:05 PM, PGNd wrote:
>
>
> On Fri, Jun 19, 2015, at 06:44 PM, Noel Jones wrote:
>> You can control it with a check_recipient_access map in place of
>> your blanket reject_unverified_recipient.
>
> Ah.
>
> My goal is:
>
> -- for {spam,ham}.1...@mail.dddd.com accept & pipe to FILTER
> 'sa-spam'/'sa-ham', respectively
> -- reject all other msgs to * @mail.DDDD.com
> -- reject all other unverified recipients
> -- fwd/relay all verified recipients
>
> Iiuc, then
>
> /main.cf
> ...
> smtpd_relay_restrictions =
> + check_sender_access
> lmdb:/usr/local/etc/postfix/salearn_filter_map
> permit_mynetworks
> reject_unauth_destination
> - reject_unverified_recipient
> + check_recipient_access
> pcre:/usr/local/etc/postfix/recipient_access_map.pcre
> check_policy_service unix:private/policyd-spf
>
> /salearn_filter
> spam.1234 FILTER sa-spam
> ham.1234 FILTER sa-ham
>
> /recipient_access_map.pcre
> /@mail\.DDDD\.com$/ reject_unlisted_recipient
> /./ reject_unverified_recipient
>
> should do the trick. (?)

Yes, that should work as expected.

>
>
> I'm generally using
>
> smtpd_relay_restrictions =
>
> rather than
>
> smtpd_recipient_restrictions =
>
> because I understand it to be an earlier, and not a problem in this usage.
>
> Still ok here?

That's fine. This doesn't have any direct effect on rejecting
unknown users.

>
>
> Docs at
>
> http://www.postfix.org/postconf.5.html#check_recipient_access
>
> check_recipient_access type:table
> Search the specified access(5) database for the resolved RCPT TO
> address, domain, parent domains, or localpart@, and execute the corresponding
> action.
> ...
>
> smtpd_reject_unlisted_recipient (default: yes)
>
> Request that the Postfix SMTP server rejects mail for unknown
> recipient addresses, even when no explicit reject_unlisted_recipient access
> restriction is specified. This prevents the Postfix queue from filling up
> with undeliverable MAILER-DAEMON messages.
>
> An address is always considered "known" when it matches a
> virtual(5) alias or a canonical(5) mapping.
>
> Suggest that I need the spam.1234@ and ham.1234@ addresses _known_ in
> 'canonical'.

No, don't confuse canonical(5) mapping with users in a local domain.
To prevent confusion, we generally refer to a "local" domain rather
than canonical.

That note is a warning that an otherwise non-existent user will be
considered known if it's listed in one of those tables, not a
limitation of what is known.

The ADDRESS_CLASS_README contains the docs on how an address is
considered known.
http://www.postfix.org/ADDRESS_CLASS_README.html

You don't need a canonical(5) table to define users. That table is
used to rewrite "internal" addresses to "external" form, such as
njones@ <-> Noel.Jones@
http://www.postfix.org/ADDRESS_REWRITING_README.html#canonical

-- Noel Jones
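
Review bot: in the quoted main.cf change, the added "+ check_sender_access" line is looked up by the envelope sender, while the stated goal is to hand mail addressed to the spam/ham recipients to the sa-spam and sa-ham filters. The map keys "spam.1234" and "ham.1234" also carry no trailing "@", so they are not in the "localpart@" form listed in the check_recipient_access text quoted from postconf(5) and would be read as domain keys. If the match is meant to be on the recipient, consider a check_recipient_access lookup with keys written as "spam.1234@" and "ham.1234@", or as the full addresses. Separately, main.cf points at salearn_filter_map while the table listing is headed /salearn_filter; the two names should agree.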