I’ve spent more time reviewing and, while my observations may be flawed, they do seem to be consistent. What I continue to observe is that when an address is matched in /etc/alias, the smtp_recipient_restrictions are not processed and therefore the suggested restrictions are not having any effect.
Here are excerpts from logs (-v on for smtp, cleanup, and trivial-rewrite), the two addresses tested are both marked as REJECT in recipient_access. arling...@trashcan.org is not in /etc/aliases, b...@trashcan.org is in /etc/aliases.

With arling...@trashcan.org, note third line from bottom where Recipient address restrictions are being processed.

Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: match_list_match: trashcan.org: no match
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: `' -> `arling...@trashcan.org' -> (`local' `vip.trashcan.org' `arling...@trashcan.org' `256')
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr flags = 0
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr transport = local
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr nexthop = vip.trashcan.org
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr recipient = arling...@trashcan.org
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr flags = 256
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: master_notify: status 1
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: flags
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: flags
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: 0
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: transport
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: transport
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: local
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: nexthop
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: nexthop
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: vip.trashcan.org
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: recipient
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: recipient
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: arling...@trashcan.org
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: flags
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: flags
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: 256
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: (list terminator)
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: (end)
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: resolve_clnt: `' -> `arling...@trashcan.org' -> transp=`local' host=`vip.trashcan.org' rcpt=`arling...@trashcan.org' flags= class=local
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: ctable_locate: install entry key arling...@trashcan.org
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: extract_addr: in: <arling...@trashcan.org>, result: arling...@trashcan.org
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: >>> START Recipient address RESTRICTIONS <<<
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: generic_checks: name=permit_mynetworks
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: permit_mynetworks: mail-qt0-f171.google.com 209

With b...@trashcan.org at the same point in the delivery logs, it is clearly taking a different path and Recipient address restrictions are never launched.

Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: `' -> `b...@trashcan.org' -> (`local' `vip.trashcan.org' `b...@trashcan.org' `256')
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr flags = 0
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr transport = local
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr nexthop = vip.trashcan.org
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr recipient = b...@trashcan.org
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr flags = 256
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: master_notify: status 1
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: connection established
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: master_notify: status 0
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: mail_flow_get: 1 1
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: open incoming/5455260C59
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: cleanup_open: open incoming/5455260C59
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: send attr queue_id = 5455260C59
Dec 23 14:32:41 ip-172-31-54-95 postfix/smtpd[12898]: 5455260C59: client=mail-qt0-f178.google.com[209.85.216.178]
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: cleanup socket: wanted attribute: flags
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: input attribute name: flags
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: input attribute value: 178
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: cleanup socket: wanted attribute: (list terminator)
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: input attribute name: (end)
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mapping enable_smtp_reply
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope T 1514039560 571966
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope L spamassassin
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope A log_ident=5455260C59
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope A rewrite_context=remote
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope S xxx@addresshidden
Dec 23 14:32:41 ip-172-31-54-95 postfix/trivial-rewrite[12902]: connection established fd 129
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: connect to subsystem private/rewrite
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: send attr request = rewrite
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: send attr rule = local
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: send attr address = xxx@addresshidden
Dec 23 14:32:41 ip-172-31-54-95 postfix/trivial-rewrite[12902]: master_notify: status 0
Dec 23 14:32:41 ip-172-31-54-95 postfix/trivial-rewrite[12902]: rewrite socket: wanted attribute: request

I’ll re-ask, are addresses listed in /etc/aliases expected to bypass smtp_recipient_restrictions? If so, I’ll give up on this particular approach. If not, I’ll keep trying to debug.

Thanks,
Justin

> On Dec 14, 2017, at 6:58 AM, Wietse Venema <wie...@porcupine.org> wrote:
>
> Justin Peavey:
>>
>> Thanks for the reply, unfortunately the approach doesn't seem to work for
>> me. It appears that, regardless of the smtp_recipient_restrictions
>> setting, any addresses listed in /etc/aliases addressed to $mydomain are
>> bypassing any blocking/filtering. Is this expected behavior?
>>
>
> Your observation is flawed, or you made a mistake. The filter below
> does not distinguish between recipient domains.
>
> Wietse
>
>>>
>>>> On Dec 10, 2017, at 4:22 PM, Wietse Venema <wie...@porcupine.org> wrote:
>>>>
>>>> Omniver:
>>>>> I have a mail server receiving internet mail for my primary domain and for a
>>>>> few virtual domains. I'm having some spam issues with internet mail coming
>>>>> in for address@mydomain for addresses intended for use by local
>>>>> tools/scripts which are listed in /etc/aliases. Any ideas on how can I make
>>>>> it that postfix accepts mail for these addresses *only* if they were sent
>>>>> by my mail server?
>>>>
>>>> A crude but simple solution:
>>>>
>>>> - Add the server's IP address to Postfix mynetworks.
>>>>
>>>> - Block some recipients if mail does not come from mynetworks:
>>>>
>>>> /etc/postfix/main.cf:
>>>>     smtpd_recipient_restrictions =
>>>>         permit_mynetworks
>>>>         check_recipient_access hash:/etc/postfix/recipient_access
>>>>         ...
>>>>         reject_unauth_destination
>>>>         ...
>>>>
>>>> /etc/postfix/recipient_access
>>>>     us...@example.com reject
>>>>     us...@example.com reject
>>>>
>>>> Crude because it adds the server to mynetworks.
>>>>
>>>> Wietse
>>>
>>
>>
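
One way to check, from verbose smtpd logs in the format quoted above, whether the recipient-restriction stage was logged for a given RCPT TO address and which restrictions were named. This is an added example, not part of the original message or of Postfix; the sample log is constructed, and `restriction_trace` and its helper names are hypothetical.

```python
import re

LINE = re.compile(r"postfix/([\w-]+)\[(\d+)\]: (.*)")
ADDR = re.compile(r"extract_addr: in: <[^>]*>, result: (\S+)")
CHECK = re.compile(r"generic_checks: name=(\S+)")
START = ">>> START Recipient address RESTRICTIONS <<<"

# Constructed sample in the verbose smtpd format quoted above; the host
# name, PIDs and addresses are made up.
SAMPLE_LOG = """\
Dec 23 16:06:34 mx postfix/smtpd[101]: extract_addr: in: <alice@example.org>, result: alice@example.org
Dec 23 16:06:34 mx postfix/smtpd[101]: >>> START Recipient address RESTRICTIONS <<<
Dec 23 16:06:34 mx postfix/smtpd[101]: generic_checks: name=permit_mynetworks
Dec 23 16:06:34 mx postfix/smtpd[101]: generic_checks: name=check_recipient_access
Dec 23 16:06:35 mx postfix/trivial-rewrite[90]: send attr recipient = bob@example.org
Dec 23 16:06:35 mx postfix/cleanup[102]: open incoming/QUEUEID
"""

def restriction_trace(log_text, recipients):
    """Return {recipient: [restriction names]}, or None for a recipient
    with no smtpd START marker in this log (the log then cannot show
    what smtpd decided for that address)."""
    trace = {r: None for r in recipients}
    last_addr = {}  # smtpd pid -> address from its latest extract_addr line
    active = {}     # smtpd pid -> recipient whose restrictions are running
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m or m.group(1) != "smtpd":
            continue  # only smtpd evaluates the restriction lists
        pid, msg = m.group(2), m.group(3)
        addr = ADDR.match(msg)
        if addr:
            last_addr[pid] = addr.group(1)
            active.pop(pid, None)
        elif msg.startswith(START):
            rcpt = last_addr.get(pid)
            if rcpt in trace:
                active[pid] = rcpt
                if trace[rcpt] is None:
                    trace[rcpt] = []
        elif msg.startswith(">>> "):
            active.pop(pid, None)  # a different restriction stage began
        else:
            check = CHECK.match(msg)
            if check and pid in active and check.group(1) not in trace[active[pid]]:
                trace[active[pid]].append(check.group(1))
    return trace
```

A `None` result for an address says only that the supplied log contains no smtpd trace for it, for example because the excerpt covers trivial-rewrite and cleanup lines but not the smtpd process that handled the RCPT TO.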