Hi,

I was under the impression that smtpd_recipient_restrictions and other restriction configuration items were being processed top to bottom.

I am running postfix 3.2.2 and as far as I can see my postfix is showing a different behavior.

I have the following items in my config:

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/bounce_spam_alias.cf
                               check_recipient_access proxy:mysql:/etc/postfix/bounce_routes.cf
                               reject_unknown_recipient_domain
                               reject_unverified_recipient
                               reject_unlisted_recipient

bounce_spam_alias.cf and bounce_routes.cf are two files querying a local mysql server for addresses that should bounce.
This seems to be successful:

[root@mailin01 postfix]# postmap -q test-bou...@example.org mysql:/etc/postfix/bounce_routes.cf
554 test-bounce successful Mail bounced
[root@mailin01 postfix]# postmap -q test-...@example.org mysql:/etc/postfix/bounce_spam_alias.cf
554 Address marked as spamtrap, mail not accepted
[root@mailin01 postfix]#

If I now use swaks to actually send mail to the test address, I would expect one such message; instead, it seems these two files are not queried and the reject_unverified_recipient rule triggers immediately:

[root@mailin01 postfix]# swaks --from '<>' --to test-bou...@example.org --server=localhost
=== Trying localhost:25...
=== Connected to localhost.
<-  220 mailin01.lan ESMTP Postfix
 -> EHLO mailin01.lan
<-  250-mailin01.lan
[...]
 -> MAIL FROM:<>
<-  250 2.1.0 Ok
 -> RCPT TO:<test-bou...@example.org>
<** 550 5.1.1 <test-bou...@example.org>: Recipient address rejected: undeliverable address: host mailin01.lan[private/dovecot-lmtp] said: 550 5.1.1 <test-bou...@example.org> User doesn't exist: test-bou...@example.org (in reply to RCPT TO command)
 -> QUIT
<-  221 2.0.0 Bye


So I am unclear why this is happening. I have a smtpd_sender_restrictions entry that seems to work top-to-bottom.

smtpd_sender_restrictions = check_client_access inline:{10.1.1.1=OK}
                            reject_unknown_sender_domain

The host coming in from 10.1.1.1 is able to deliver mail even if the MAIL FROM entry is not resolvable.

If I look at the logs, it seems the two entries for check_recipient_access are not consulted:

May  9 18:47:30 mailin01 postfix/smtpd[24094]: >>> START Recipient address RESTRICTIONS <<<
May  9 18:47:30 mailin01 postfix/smtpd[24094]: generic_checks: name=reject_unauth_destination
May  9 18:47:30 mailin01 postfix/smtpd[24094]: reject_unauth_destination: test-bou...@example.org
May  9 18:47:30 mailin01 postfix/smtpd[24094]: permit_auth_destination: test-bou...@example.org
May  9 18:47:30 mailin01 postfix/smtpd[24094]: ctable_locate: leave existing entry key ?test-bou...@example.org
May  9 18:47:30 mailin01 postfix/smtpd[24094]: generic_checks: name=reject_unauth_destination status=0
May  9 18:47:30 mailin01 postfix/smtpd[24094]: generic_checks: name=reject_unverified_recipient
May  9 18:47:30 mailin01 postfix/smtpd[24094]: reject_unverified_address: test-bou...@example.org
May  9 18:47:30 mailin01 postfix/smtpd[24094]: connect to subsystem private/verify
May  9 18:47:30 mailin01 postfix/smtpd[24094]: send attr request = query
May  9 18:47:30 mailin01 postfix/smtpd[24094]: send attr address = test-bou...@example.org
May  9 18:47:30 mailin01 postfix/smtpd[24094]: private/verify socket: wanted attribute: status
May  9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute name: status
May  9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute value: 0
May  9 18:47:30 mailin01 postfix/smtpd[24094]: private/verify socket: wanted attribute: recipient_status
May  9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute name: recipient_status
May  9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute value: 3
May  9 18:47:30 mailin01 postfix/smtpd[24094]: private/verify socket: wanted attribute: reason
May  9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute name: reason
May  9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute value: Address verification in progress
May  9 18:47:30 mailin01 postfix/smtpd[24094]: private/verify socket: wanted attribute: (list terminator)
May  9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute name: (end)
May  9 18:47:33 mailin01 postfix/smtpd[24094]: send attr request = query
May  9 18:47:33 mailin01 postfix/smtpd[24094]: send attr address = test-bou...@example.org
May  9 18:47:33 mailin01 postfix/smtpd[24094]: private/verify socket: wanted attribute: status
May  9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute name: status
May  9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute value: 0
May  9 18:47:33 mailin01 postfix/smtpd[24094]: private/verify socket: wanted attribute: recipient_status
May  9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute name: recipient_status
May  9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute value: 2
May  9 18:47:33 mailin01 postfix/smtpd[24094]: private/verify socket: wanted attribute: reason
May  9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute name: reason
May  9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute value: host mailin01.lan[private/dovecot-lmtp] said: 550 5.1.1 <test-bou...@example.org> User doesn't exist: test-bou...@example.org (in reply to RCPT TO command)
May  9 18:47:33 mailin01 postfix/smtpd[24094]: private/verify socket: wanted attribute: (list terminator)
May  9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute name: (end)
May  9 18:47:33 mailin01 postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.1 <test-bou...@example.org>: Recipient address rejected: undeliverable address: host mailin01.lan[private/dovecot-lmtp] said: 550 5.1.1 <test-bou...@example.org> User doesn't exist: test-bou...@example.org (in reply to RCPT TO command); from=<> to=<test-bou...@example.org> proto=ESMTP helo=<mailin01.lan>
May  9 18:47:33 mailin01 postfix/smtpd[24094]: generic_checks: name=reject_unverified_recipient status=2
May  9 18:47:33 mailin01 postfix/smtpd[24094]: >>> END Recipient address RESTRICTIONS <<<



Does anyone have any pointers what I might be missing?

cheers,
 Andreas
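
Added example (not part of the original post): a Python script that extracts which restrictions an smtpd debug log actually shows being evaluated and compares them with the restriction list quoted in the message. The sample log is constructed from the lines quoted above, and `evaluated` and `compare` are hypothetical helper names.

```python
import re

# Restriction names from the smtpd_recipient_restrictions setting quoted in the
# post (lookup-table arguments omitted).
CONFIGURED = ["check_recipient_access", "check_recipient_access",
              "reject_unknown_recipient_domain", "reject_unverified_recipient",
              "reject_unlisted_recipient"]

# Constructed sample: the START/END and generic_checks lines from the post's log.
PREFIX = "May  9 18:47:30 mailin01 postfix/smtpd[24094]: "
SAMPLE_LOG = "\n".join(PREFIX + s for s in [
    ">>> START Recipient address RESTRICTIONS <<<",
    "generic_checks: name=reject_unauth_destination",
    "generic_checks: name=reject_unauth_destination status=0",
    "generic_checks: name=reject_unverified_recipient",
    "generic_checks: name=reject_unverified_recipient status=2",
    ">>> END Recipient address RESTRICTIONS <<<",
])

MARK = re.compile(r">>> (START|END) (.+?) RESTRICTIONS <<<")
CHECK = re.compile(r"generic_checks: name=(\S+)(?: status=(\d+))?\s*$")

def evaluated(log_text):
    """Map each restriction stage to [[name, status], ...] in evaluation order."""
    stages, current = {}, None
    for line in log_text.splitlines():
        if m := MARK.search(line):
            current = m[2] if m[1] == "START" else None
        elif current and (m := CHECK.search(line)):
            name, status = m.groups()
            entries = stages.setdefault(current, [])
            if status is None:                      # check started
                entries.append([name, None])
                continue
            for entry in reversed(entries):         # check finished: close it
                if entry[0] == name and entry[1] is None:
                    entry[1] = int(status)
                    break
            else:                                   # start line missing from log
                entries.append([name, int(status)])
    return stages

def compare(configured, entries):
    """Configured restrictions skipped before the last evaluated one, and
    evaluated restrictions that the configured list does not contain."""
    names = [name for name, _ in entries]
    hits = [i for i, c in enumerate(configured) if c in names]
    upto = configured[:max(hits)] if hits else configured
    return {"skipped": [c for c in dict.fromkeys(upto) if c not in names],
            "not_in_config": [n for n in names if n not in configured]}
```

Run against the quoted log, `compare(CONFIGURED, evaluated(SAMPLE_LOG)["Recipient address"])` lists check_recipient_access and reject_unknown_recipient_domain as skipped and reject_unauth_destination as evaluated but absent from the quoted setting. `postconf -n smtpd_recipient_restrictions` and `postconf -P` print the values the installed configuration actually carries, for comparison with that result.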
