In my setup reject_unlisted_recipient is in smtpd_data_restrictions. I have milters that run, including during the RCPT command.
Normally, I can observe the milters run before Postfix rejects for "User unknown in virtual mailbox table" by reject_unlisted_recipient in smtpd_data_restrictions. Every once in a while I observe the milters don't run during the RCPT command, and somehow progressed straight to DATA.

Logs for one of these times (the real domain was replaced with example.com):

Sep 15 05:34:39 hostname postfix/smtpd[229290]: connect from mail-qk1-f200.google.com[209.85.222.200]
Sep 15 05:34:40 hostname postfix/smtpd[229290]: 4MSsVS1zdpz7VvCp: client=mail-qk1-f200.google.com[209.85.222.200]
Sep 15 05:34:40 hostname postfix/smtpd[229290]: 4MSsVS1zdpz7VvCp: reject: DATA from mail-qk1-f200.google.com[209.85.222.200]: 550 5.1.1 <d...@example.com>: Recipient address rejected: \
    User unknown in virtual mailbox table; from=<nore...@e-front-office.firebaseapp.com> to=<d...@example.com> proto=ESMTP helo=<mail-qk1-f200.google.com>
Sep 15 05:35:10 hostname postfix/smtpd[229290]: timeout after RSET from mail-qk1-f200.google.com[209.85.222.200]
Sep 15 05:35:10 hostname postfix/smtpd[229290]: disconnect from mail-qk1-f200.google.com[209.85.222.200] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 rset=1 commands=6/7

If I send myself a test email to the same address they used (d...@example.com), the milters run during the RCPT command and don't behave in the same manner as the above logs.

I understand the above logged session is from a bad actor doing something "exploity", I just don't know what. Any idea what they are doing during that session that would cause the RCPT command / milters to not happen as they normally would?
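For anyone triaging the same pattern, one way to list every smtpd session in which RCPT was accepted but the recipient was then refused at DATA, so the timestamps can be lined up against the milter's own log. This is an added example, not part of the original post; the sample log lines, hosts, queue ID and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the log format shown in the post; hosts,
# addresses and queue ID are placeholders.
SAMPLE_LOG = """\
Sep 15 05:34:39 mx postfix/smtpd[1001]: connect from client.example.net[192.0.2.10]
Sep 15 05:34:40 mx postfix/smtpd[1001]: QUEUEID0001: reject: DATA from client.example.net[192.0.2.10]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<nobody@example.com> proto=ESMTP helo=<client.example.net>
Sep 15 05:35:10 mx postfix/smtpd[1001]: disconnect from client.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 rset=1 commands=6/7
Sep 15 06:00:01 mx postfix/smtpd[1002]: connect from other.example.org[198.51.100.7]
Sep 15 06:00:02 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from other.example.org[198.51.100.7]: 554 5.7.1 <x@example.com>: Relay access denied; from=<b@example.org> to=<x@example.com> proto=ESMTP helo=<other.example.org>
Sep 15 06:00:03 mx postfix/smtpd[1002]: disconnect from other.example.org[198.51.100.7] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
REJECT = re.compile(r"reject: (\w+) from \S+: (\d{3}) (.*)")
COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_sessions(log_text):
    """Group smtpd lines by PID into sessions with rejects and command counters."""
    open_sessions, done = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            open_sessions[pid] = {"client": msg.split()[2], "rejects": [], "counters": {}}
        elif pid in open_sessions:
            s = open_sessions[pid]
            r = REJECT.search(msg)
            if r:
                s["rejects"].append(r.groups())  # (stage, code, text)
            elif msg.startswith("disconnect from "):
                # "data=0/1" means 0 accepted out of 1 attempted; "rcpt=1" means 1 of 1.
                for cmd, ok, total in COUNTER.findall(msg.partition("] ")[2]):
                    s["counters"][cmd] = (int(ok), int(total or ok))
                done.append(open_sessions.pop(pid))
    return done

def rcpt_accepted_then_rejected_at_data(sessions):
    """Sessions where RCPT succeeded and the recipient was refused at DATA."""
    return [s for s in sessions
            if s["counters"].get("rcpt", (0, 0))[0] > 0
            and any(stage == "DATA" and "Recipient address rejected" in text
                    for stage, _code, text in s["rejects"])]

if __name__ == "__main__":
    for s in rcpt_accepted_then_rejected_at_data(parse_sessions(SAMPLE_LOG)):
        print(s["client"], s["counters"], s["rejects"])
```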