Postfix seems to be ignoring the smtpd_recipient_restrictions = 
check_recipient_access instruction.

I've got a Postfix + Dovecot + Amavis setup and all works fine. I use address 
extensions for the virtual users, so I can "turn off" addresses that have been 
included on spammers' lists.

When an email is "To" one of the turned off addresses, the header_checks 
detects the message and deletes it. 

When an email is only RCPT TO one of the turned off addresses, the 
smtpd_recipient_restrictions = check_recipient_access instruction _should_ (I 
think) tell Postfix to reject the message. But the messages still end up in my 
inbox.

What am I missing here? How do I get check_recipient_access to reject the 
addresses specified in the recipient_checks table?

(Postfix 2.11.0 running on Ubuntu 14.04.3 LTS)

Thanks,

Neil.


Logs and config follow:



/var/log/mail.log (This email should be rejected, but is instead accepted)
-----------------

Nov  8 17:48:07 pserver postfix/smtpd[15446]: connect from mail-db3on0074.outbound.protection.outlook.com[157.55.234.74]
Nov  8 17:48:08 pserver postfix/smtpd[15446]: 0FC981C4: client=mail-db3on0074.outbound.protection.outlook.com[157.55.234.74]
Nov  8 17:48:08 pserver postfix/cleanup[15451]: 0FC981C4: message-id=<2020849.HWx7EOcjLU@desktop>
Nov  8 17:48:08 pserver postfix/qmgr[2638]: 0FC981C4: from=<u...@gooddomain.org>, size=17198, nrcpt=1 (queue active)
Nov  8 17:48:08 pserver postfix/smtpd[15446]: disconnect from mail-db3on0074.outbound.protection.outlook.com[157.55.234.74]
Nov  8 17:48:10 pserver postfix/smtpd[15456]: connect from localhost[127.0.0.1]
Nov  8 17:48:10 pserver postfix/smtpd[15456]: 286381DC: client=localhost[127.0.0.1]
Nov  8 17:48:10 pserver postfix/cleanup[15451]: 286381DC: message-id=<2020849.HWx7EOcjLU@desktop>
Nov  8 17:48:10 pserver postfix/qmgr[2638]: 286381DC: from=<u...@gooddomain.org>, size=17633, nrcpt=1 (queue active)
Nov  8 17:48:10 pserver postfix/smtpd[15456]: disconnect from localhost[127.0.0.1]
Nov  8 17:48:10 pserver amavis[12838]: (12838-14) Passed CLEAN {RelayedInbound}, [157.55.234.74]:56949 [137.108.238.2] <u...@gooddomain.org> -> <user.ban...@example.com>, Queue-ID: 0FC981C4, Message-ID: <2020849.HWx7EOcjLU@desktop>, mail_id: I_IbbLvsH2OU, Hits: -1.902, size: 17184, queued_as: 286381DC, 2017 ms
Nov  8 17:48:10 pserver postfix/smtp[15452]: 0FC981C4: to=<user.ban...@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.16/0.01/0/2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 286381DC)
Nov  8 17:48:10 pserver postfix/qmgr[2638]: 0FC981C4: removed
Nov  8 17:48:10 pserver postfix/pipe[15457]: 286381DC: to=<user.ban...@example.com>, relay=dovecot, delay=0.22, delays=0.04/0/0/0.18, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov  8 17:48:10 pserver postfix/qmgr[2638]: 286381DC: removed


/var/log/mail.err
-----------------
<Nothing>


Config:
-------

root@pserver:/etc/postfix# postconf -nf
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
mailbox_size_limit = 0
mailbox_transport = dovecot
mydestination = $myhostname localhost.$mydomain localhost
mydomain = example.org
myhostname = mail.$mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = $mydomain
permit_mx_backup_networks = backup.com backup2.com
proxy_interfaces = 101.11.22.33
readme_directory = no
recipient_delimiter = .
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
    permit_mx_backup check_recipient_access hash:/etc/postfix/recipient_checks
    reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks
    permit_mx_backup check_recipient_access hash:/etc/postfix/recipient_checks
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/example/certs/mail-cert.pem
smtpd_tls_key_file = /etc/ssl/example/private/mail-key.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_domains = otherdomain.org.uk other-domain.org.uk
virtual_alias_maps = hash:/etc/postfix/valiases
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:5000



/etc/postfix/recipient_checks
-----------------------------

# Reject messages with these recipient addresses
user.bann...@example.com REJECT
user.ban...@example.com REJECT
user.bann...@example.com REJECT
user.bann...@example.com REJECT
person.ban...@example.com REJECT


Testing the map:
----------------

root@pserver:/etc/postfix# postmap -q user.va...@example.com hash:/etc/postfix/recipient_checks
root@pserver:/etc/postfix# postmap -q user.ban...@example.com hash:/etc/postfix/recipient_checks
REJECT
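
Added example (not part of the original post): a simplified Python model of how Postfix walks a restriction list, where the first restriction that returns a decision ends evaluation. It assumes the recipient domain is an authorized destination (the log shows final delivery via dovecot), in which case permit_mx_backup permits the RCPT TO before check_recipient_access is consulted; the recipient address, the session values and the reordered list are constructed for illustration.

```python
# Simplified model of first-match evaluation of one smtpd_*_restrictions list.
# Not Postfix code: only the five restrictions from the posted config are modelled.

# Constructed stand-in for hash:/etc/postfix/recipient_checks (placeholder address).
RECIPIENT_CHECKS = {"user.blocked@example.com": "REJECT"}

def evaluate(restrictions, session):
    """Return (action, deciding_restriction); the first decisive result wins."""
    for name in restrictions:
        if name == "permit_sasl_authenticated" and session["sasl"]:
            return "PERMIT", name
        if name == "permit_mynetworks" and session["in_mynetworks"]:
            return "PERMIT", name
        # permit_mx_backup permits when the local system is a backup MX for the
        # domain OR when the domain is an authorized destination.
        if name == "permit_mx_backup" and (
            session["backup_mx"] or session["auth_destination"]
        ):
            return "PERMIT", name
        if name == "check_recipient_access":
            action = RECIPIENT_CHECKS.get(session["rcpt"])
            if action:  # no table entry means no decision; keep going
                return action, name
        if name == "reject_unauth_destination" and not session["auth_destination"]:
            return "REJECT", name
    return "PERMIT", "end of list"  # nothing decided: request is permitted

# Order as shown in the posted postconf output.
AS_POSTED = ["permit_sasl_authenticated", "permit_mynetworks", "permit_mx_backup",
             "check_recipient_access", "reject_unauth_destination"]

# One possible reordering (an assumption, not from the post): consult the
# table before any permit that matches ordinary inbound mail.
REORDERED = ["permit_sasl_authenticated", "permit_mynetworks",
             "check_recipient_access", "permit_mx_backup",
             "reject_unauth_destination"]

# Constructed session modelled on the logged delivery: external client,
# no SASL login, recipient domain hosted locally.
SESSION = {"sasl": False, "in_mynetworks": False, "backup_mx": False,
           "auth_destination": True, "rcpt": "user.blocked@example.com"}

if __name__ == "__main__":
    print("as posted:", evaluate(AS_POSTED, SESSION))
    print("reordered:", evaluate(REORDERED, SESSION))
```

The posted smtpd_relay_restrictions has the same order, so the same reasoning applies to that list.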
