Wietse Venema:
> Nathan Ward:
> > Hi all,
> >
> > I am trying to figure out the best way to reject RCPT TO addresses with no
> > domain part - i.e. "RCPT TO: <test>" or similar. I do not want to rewrite
> > to $myhostname or $mydomain or similar.
>
> There is no Postfix setting to allow or deny every possible syntax
> error.
>
> Postfix converts addresses into a standard form, otherwise a bad
> actor could easily circumvent access restrictions by playing games
> with quotes, backslash, or other transformations. The downside is
> that Postfix access checks don't get the original address form.
>
> You can use smtpd_command_filter to convert a domainless address into
> a form that can be blocked by an access restriction.
>
> /etc/postfix/main.cf:
> smtpd_command_filter = pcre:/etc/postfix/command_filter
> # Require RCPT TO:<address>.
> strict_rfc821_envelopes = yes
>
> /etc/postfix/command_filter:
> # Tag addresses that have no @ with @domain.invalid.
> /^(RCPT\s+TO:\s*<)[^@]+)(>.*)/ $1$2@domain.invalid$3
/^(RCPT\s+TO:\s*<)([^@]+)(>.*)/ $1$2@domain.invalid$3
There was a '(' nissing.
> Combine with an access map that rejects mail from domain.invalid.
>
> Just like "example" and "localhost", the name "invalid" is reserved
> by the Internet Engineering Task Force (IETF) as a domain name that
> may not be installed as a top-level domain in the Domain Name System
> (DNS) of the Internet.
>
> Wietse
>
