GOAL: To have my backup MX only accept for addresses listed in
/etc/postfix/relay_recipients(.db).
I've gone back to the drawing board and wiped it clean in another attempt to
get this working. I'm utterly confounded by what I might be doing wrong.
I started fresh with a default copy of main.cf and master.cf, and this tutorial:
https://xdeb.org/post/2017/mail-relay-mx-backup-and-spam-filtering-with-postfix
So after following those instructions, here is the behavior:
telnet caduceus.wtfayla.net 25
Trying 50.75.172.140...
Connected to caduceus.wtfayla.net.
Escape character is '^]'.
220 ca2ceus.wtfayla.net ESMTP Postfix (Debian/GNU)
helo protonmail.com
250 ca2ceus.wtfayla.net
mail from: fonga...@gmail.com
250 2.1.0 Ok
rcpt to: fonga...@protonmail.com
554 5.7.1 <fonga...@protonmail.com>: Relay access denied
OK good that it is not an open relay. It knows enough to only accept for the
domains I specified.
I tried sending to a non-existent email address on one of the domains hosted on
both my primary and secondary MX:
telnet caduceus.wtfayla.net 25
Trying 50.75.172.140...
Connected to caduceus.wtfayla.net.
Escape character is '^]'.
220 ca2ceus.wtfayla.net ESMTP Postfix (Debian/GNU)
helo fongaboo.com
250 ca2ceus.wtfayla.net
mail from: fonga...@gmail.com
250 2.1.0 Ok
rcpt to: doesnotex...@fongaboo.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
this thing will accept anything.
.
250 2.0.0 Ok: queued as 6AF362E3B7F
I've attached the main.cf (based on the tutorial instructions). I've also
attached my current master.cf, but strangely the tutorial had me make no
changes to it, so it is effectively the default.
Here's what the first chunk of my relay_recipients file looks like:
# /etc/postfix/relay_recipients
# run "postmap /etc/postfix/relay_recipients" after each edit
032815te...@fongaboo.com OK
032815te...@fongaboo.com OK
032815t...@fongaboo.com OK
071...@fongaboo.com OK
07151...@fongaboo.com OK
071...@fongaboo.com OK
072...@fongaboo.com OK
072...@fongaboo.com OK
0...@fongaboo.com OK
There has to be something missing that's keeping
/etc/postfix/relay_recipients.db from being processed.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
# smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file=/etc/letsencrypt/live/ca2ceus.wtfayla.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/ca2ceus.wtfayla.net/privkey.pem
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
myhostname = ca2ceus.wtfayla.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, caduceus.wtfayla.net, localhost.wtfayla.net,
    localhost
relayhost =
# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 50.75.172.136/29
    64.246.134.152/29
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
relay_domains = hash:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport
relay_recipient_maps = hash:/etc/postfix/relay_recipients
message_size_limit = 25600000
maximal_queue_lifetime = 10d
# Postscreen
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_blacklist_action = enforce
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/client_access.cidr
# postscreen_dnsbl_sites = zen.spamhaus.org, b.barracudacentral.org
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
# Filter on content in mime headers
mime_header_checks = pcre:/etc/postfix/mime_header_checks
# Requirement for the recipient address.
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access.cidr,
    reject_unknown_reverse_client_hostname,
    # reject_rbl_client zen.spamhaus.org=127.0.0.10,
    # reject_rbl_client zen.spamhaus.org=127.0.0.11,
    # reject_rbl_client zen.spamhaus.org,
    # reject_rbl_client b.barracudacentral.org,
    reject_unlisted_recipient,
    # check_policy_service unix:private/policyd-spf,
    permit
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
    -o syslog_name=postfix/$service_name
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
    flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
#   flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
#   flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
    flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
    flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
    flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
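As an added example, not from this post and not Postfix's own code, here is a small Python model of the decision the main.cf above should make for each RCPT TO address: mydestination gets local delivery, a domain keyed in the transport map (hence in relay_domains) is relayed only if the full address is in relay_recipient_maps, and everything else is refused by reject_unauth_destination. The map contents are constructed, and it assumes the transport keys are bare domains; under that model the doesnotexist address from the second telnet session should draw a 550, not the 250 observed.

```python
"""Added example, not from the post and not Postfix's own code: a model of
how the quoted main.cf classifies a RCPT TO address.  mydestination ->
local; relay_domains (keys of the transport map) -> relay, but only if the
full address is in relay_recipient_maps (reject_unlisted_recipient);
anything else -> reject_unauth_destination.  Map contents are constructed."""

# Constructed sample files in the "key value" format that postmap(1) reads.
TRANSPORT = """\
# /etc/postfix/transport
fongaboo.com    smtp:[primary-mx.example.invalid]
"""
RELAY_RECIPIENTS = """\
# /etc/postfix/relay_recipients
alice@fongaboo.com  OK
bob@fongaboo.com    OK
"""
MYDESTINATION = {"ca2ceus.wtfayla.net", "caduceus.wtfayla.net",
                 "localhost.wtfayla.net", "localhost"}

def parse_map(text):
    """Parse a hash: source file: blank and '#' lines ignored, keys case-folded."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            table[key.lower()] = rest[0] if rest else ""
    return table

def domain_listed(domain, table):
    """A relay_domains table lookup matches the domain and each parent domain."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in table for i in range(len(labels)))

def classify(rcpt, transport=parse_map(TRANSPORT),
             relay_recipients=parse_map(RELAY_RECIPIENTS)):
    """Return the SMTP outcome the quoted configuration should give rcpt."""
    addr = rcpt.lower()
    domain = addr.rpartition("@")[2]
    if domain in MYDESTINATION:
        return "250 local delivery"
    if domain_listed(domain, transport):
        # reject_unlisted_recipient: once relay_recipient_maps is set (modelled
        # as a non-empty dict) the full address must be listed in it.
        if relay_recipients and addr not in relay_recipients:
            return "550 5.1.1 User unknown in relay recipient table"
        return "250 relay to primary MX"
    return "554 5.7.1 Relay access denied"
```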