Hi, I am still lost with how this all works together, sadly. Do you see
obvious errors or am I misunderstanding the limits of what can be done?
I am not sure yet what is relevant.
My current settings:

relay_recipient_maps = mysql:/etc/postfix/files/mysql_pn.cf
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/files/sender_relay_domains,
    reject_unverified_recipient,
    permit_mynetworks,
    permit_sasl_authenticate
smtpd_relay_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to,
    permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination

[root@mta5 files]# more sender_relay_domains
## -ALF This should allow Listerv addresses even though they are not in PerName DB
listserv.uconn.edu DUNNO

[root@mta5 maps]# more transport
# Domains *relayed* by pn.uconn.edu and which map to the hosts' A record.
ad.uconn.edu smtp:[uconn-edu.mail.protection.outlook.com]
darwin.eeb.uconn.edu smtp:[darwin.eeb.uconn.edu]
listserv.uconn.edu smtp:[listserv.uconn.edu]

My goal is to allow all mail TO [email protected] but still check
recipient for other domains like darwin.eeb.uconn.edu
My testing:
Connected to localhost.
Escape character is '^]'.
220 mta5.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta5.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
450 4.1.1 <[email protected]>: Recipient address rejected: unverified
address: Address verification in progress
rcpt to:[email protected]
250 2.1.5 Ok
rcpt to:[email protected]
450 4.1.1 <[email protected]>: Recipient address rejected: unverified
address: Address verification in progress
quit
221 2.0.0 Bye
Connection closed by foreign host.
-ANGELO FAZZINA
ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail
[email protected]
University of Connecticut, ITS, SSG, Server Systems
860-486-9075
-----Original Message-----
From: [email protected] <[email protected]> On
Behalf Of Noel Jones
Sent: Friday, November 16, 2018 4:10 PM
To: [email protected]
Subject: Re: looking for any options to better deal with mail looping
On 11/16/2018 2:41 PM, Fazzina, Angelo wrote:
> Hi again,
> Even though my configuration does what I need it to do, it seems to have
> broken something else that needs to still work.
> Did I forget something or just did this wrong?
> Will this setting allow whitelisting something to help the issue
> "smtpd_sender_restrictions"
> I may be just confusing the processing Postfix does AFA envelope TO and FROM
> and header TO and FROM...?
The To: From: headers have no relation to postfix delivery. All
delivery is based on envelope addresses.
>
> Here is the test showing what is broken:
>...
> 250 2.1.0 Ok
> rcpt to:[email protected]
> 450 4.1.1 <[email protected]>: Recipient address rejected:
> unverified address: Address verification in progress
>...
Nothing wrong here. The address verification is in progress and the
client is free to retry delivery. Presumably the verification
completed a few seconds later. This will be noted in the log.
If you wish to exempt some recipient from verification, add a
check_recipient_access map before the reject_unverified_recipient.
> Here is my current config in main.cf :
> smtpd_recipient_restrictions = reject_unknown_recipient_domain,
> reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination
Typically, reject_unverified_recipient would be after
reject_unauth_destination to prevent verifying random internet
recipients, or in a check_recipient_access map to limit the scope of
the checks. Something like:
    [email protected] DUNNO
    listserv.example.com DUNNO
    example.com reject_unverified_recipient
> relay_recipient_maps = hash:/etc/postfix/files/sender_relay_domains,
> mysql:/etc/postfix/files/mysql_pn.cf
> [root@mta5 files]# more sender_relay_domains
> @listserv.uconn.edu OK
relay_recipient_maps does not exempt addresses from the
reject_unverified_recipient check. See the above example for how to
exempt addresses from verification.
>
> Here is [most of] the headers of a real email that gets delivered to my
> [email protected] address even though it does not appear anywhere in the
> headers :
Headers are irrelevant for this discussion. Postfix logs will show
what is happening.
-- Noel Jones
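
Added example, not part of either message and not Postfix code: a simplified Python model of how smtpd walks a restriction list, showing why a DUNNO map result placed ahead of a globally listed reject_unverified_recipient exempts nothing, while the map in the reply limits verification to example.com. Assumptions: the verify cache is a constructed set, announce@example.com is a constructed address, and relay and permit_* checks are left out.

```python
# Simplified model of Postfix smtpd restriction evaluation (added example, not Postfix code).
VERIFIED = {"alice@example.com"}  # constructed: addresses whose probe already succeeded

NOEL_MAP = {  # shape of the map in the reply; announce@ is a constructed address
    "announce@example.com": "DUNNO",
    "listserv.example.com": "DUNNO",
    "example.com": "reject_unverified_recipient",
}
DUNNO_ONLY_MAP = {"listserv.example.com": "DUNNO"}  # a map holding only an exemption

def access_lookup(table, rcpt):
    """Try the full address, then the domain, then each parent domain."""
    domain = rcpt.rsplit("@", 1)[1]
    labels = domain.split(".")
    for key in [rcpt] + [".".join(labels[i:]) for i in range(len(labels))]:
        if key in table:
            return table[key]  # first hit ends the search, so DUNNO hides parent entries
    return "DUNNO"

def evaluate(restrictions, table, rcpt):
    """Walk the restriction list in order and return the SMTP reply for rcpt."""
    for name in restrictions:
        action = access_lookup(table, rcpt) if name == "check_recipient_access" else name
        if action == "reject_unverified_recipient" and rcpt not in VERIFIED:
            return "450 4.1.1 unverified address"
        if action == "OK":
            return "250 2.1.5 Ok"
        # DUNNO, or an already verified address: fall through to the next restriction
    return "250 2.1.5 Ok"

# Verification listed globally after the map: a DUNNO result just moves on to it.
GLOBAL = ["check_recipient_access", "reject_unverified_recipient"]
# Verification reachable only through the map, as in the reply's example.
SCOPED = ["check_recipient_access"]

if __name__ == "__main__":
    for rcpt in ("list@listserv.example.com", "bob@example.com", "alice@example.com"):
        print(rcpt, "| global:", evaluate(GLOBAL, DUNNO_ONLY_MAP, rcpt),
              "| scoped:", evaluate(SCOPED, NOEL_MAP, rcpt))
```

In the scoped layout, recipients outside example.com never trigger a verification probe, which is the scope limit the reply describes.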