I did another test. I changed the recipient restrictions to:

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients,
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders,
    check_policy_service unix:private/policy,
    permit

But when I locally send mail to a non fqdn address, it just gets delivered:

Nov 21 22:14:49 vanroodewierda.rna.nl postfix/smtpd[26346]: 5E2B31BBECEC: client=hermione.rna.nl[192.168.2.86], sasl_method=DIGEST-MD5, sasl_username=gerben
Nov 21 22:14:49 vanroodewierda.rna.nl postfix/cleanup[26389]: 5E2B31BBECEC: message-id=<578450b1-63a8-487d-91c3-a434f7ddb...@rna.nl>
Nov 21 22:14:49 vanroodewierda.rna.nl postfix/qmgr[26379]: 5E2B31BBECEC: from=<gerben.wie...@rna.nl>, size=517, nrcpt=1 (queue active)
Nov 21 22:14:49 vanroodewierda.rna.nl postfix/pipe[26392]: 5E2B31BBECEC: to=<ger...@vanroodewierda.rna.nl>, orig_to=<gerben>, relay=dovecot, delay=0.24, delays=0.14/0.02/0/0.08, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 21 22:14:49 vanroodewierda.rna.nl postfix/qmgr[26379]: 5E2B31BBECEC: removed

Now, this is weird. Definitely non-fqdn (orig_to=<gerben>), reject_non_fqdn_recipient, but delivered nonetheless.

G

> On 21 Nov 2016, at 21:17, Wietse Venema <wie...@porcupine.org> wrote:
>
> Gerben Wierda:
>>
>>> On 21 Nov 2016, at 17:33, Wietse Venema <wie...@porcupine.org> wrote:
>>>
>>> Gerben Wierda:
>>>> smtpd_recipient_restrictions =
>>>>     permit_sasl_authenticated
>>>>     permit_mynetworks
>>>>     reject_unauth_destination
>>>>     reject_unknown_recipient_domain
>>>>     reject_unverified_recipient
>>>
>>> You may want to look at these settings (defaults shown):
>>>
>>> unverified_recipient_defer_code = 450
>>> unverified_recipient_reject_code = 450
>>> unverified_recipient_reject_reason =
>>> unverified_recipient_tempfail_action = $reject_tempfail_action
>>> reject_tempfail_action = defer_if_permit
>>
>> from postconf:
>>
>> address_verify_map = btree:$data_directory/verify_cache
>> unverified_recipient_defer_code = 450
>> unverified_recipient_reject_code = 450
>> unverified_recipient_reject_reason =
>> unverified_recipient_tempfail_action = $reject_tempfail_action
>> reject_tempfail_action = defer_if_permit
>>
>>> I suspect that you're hitting a cached defer_if_permit response.
>
> Actually, the stored info is one of {accepted, deferred, rejected}.
> I cannot quickly locate the code that uses the
> unverified_recipient_tempfail_action setting.
>
>> Or should I just have to add to main.cf:
>> unverified_recipient_reject_code = 550
>> and do a reload?
>
> Yes, you probably want to reject mail immediately.
>
>> Another question. The phrase "Reject the request when mail to the
>> RCPT TO address is known to bounce, or when the recipient address
>> destination is not reachable." leads to some confusion for me.
>> Does "not reachable" also include temporary failures?
>
> Temporary failure means that the answer is not known. When making
> an irreversible decision (like permanently rejecting mail), Postfix
> is quite insistent on making the distinction between having and not
> having authoritative information.
>
> Wietse