Re: Blocking TLDs

[Matus UHLAR - fantomas]

08.02.2023 12:14, Viktor Dukhovni wrote:
..

/etc/postfix/sender-access:
top REJECT I employ crude anti-spam measures
.topREJECT I employ crude anti-spam measures


On 18.02.23 09:34, Michael Tokarev wrote:

I wonder how effective to block just the TLDs. I guess it is zero, no?


guys use this because many people use parent_domain_matches_subdomains to 
contain smtpd_access_maps, even when it's discouraged:


http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains


I *guess* foo@top shouldn't really work, as it is non-fqdn in terms of
postfix, and is blocked by, say, reject_non_fqdn_sender.

So only entries like .top (with the leading dot) are needed here
(± the context, which is about how good it is to block-by-tld).


.top only works when parent_domain_matches_subdomains does NOT contain 
smtpd_access_maps:


http://www.postfix.org/access.5.html


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete

A user is unknown, but I can't find out why

[Gerben Wierda]

I’m having trouble with a single user for who mail is rejected on one of two 
servers (but not on the other), but I can’t see why.

User ‘gerben’ works fine. User ‘vanroodewierda’ is rejected:
Feb 18 12:18:43 snape smtp/smtpd[15128]: connect from 
ms11p00im-qufo17282001.me.com[17.58.38.57]
Feb 18 12:18:43 snape smtp/smtpd[15127]: connect from 
ms11p00im-qufo17282001.me.com[17.58.38.57]
Feb 18 12:18:44 snape smtp/smtpd[15128]: NOQUEUE: reject: RCPT from 
ms11p00im-qufo17282001.me.com[17.58.38.57]: 550 5.1.1 : 
Recipient address rejected: User unknown; from= 
to= proto=ESMTP helo=
Feb 18 12:18:44 snape smtp/smtpd[15127]: 0C666492E2: 
client=ms11p00im-qufo17282001.me.com[17.58.38.57]
Feb 18 12:18:44 snape postfix/cleanup[15131]: 0C666492E2: 
message-id=
Feb 18 12:18:44 snape smtp/smtpd[15128]: disconnect from 
ms11p00im-qufo17282001.me.com[17.58.38.57] ehlo=2 starttls=1 mail=1 rcpt=0/1 
data=0/1 rset=1 quit=1 commands=6/8
Feb 18 12:18:47 snape postfix/qmgr[131]: 0C666492E2: 
from=, size=2013, nrcpt=1 (queue active)
Feb 18 12:18:47 snape smtp/smtpd[15127]: disconnect from 
ms11p00im-qufo17282001.me.com[17.58.38.57] ehlo=2 starttls=1 mail=1 rcpt=1 
data=1 quit=1 commands=7
Feb 18 12:18:47 snape postfix/local[15132]: 0C666492E2: passing  
to transport=lmtp
Feb 18 12:18:47 snape postfix/lmtp[15133]: 0C666492E2: to=, 
relay=snape.rna.nl[private/dovecot-lmtp], delay=3, delays=3/0/0.02/0.02, 
dsn=2.0.0, status=sent (250 2.0.0  0OViASfC8GMeOwAAy+4yzw Saved)
Feb 18 12:18:47 snape postfix/qmgr[131]: 0C666492E2: removed

But both are available in dovecot:

/ # doveadm user gerben
field   value
uid 214
gid 8
home/var/mail/nl.rna.mail/users/gerben
mailmaildir:/var/mail/nl.rna.mail/users/gerben
/ # doveadm user vanroodewierda
field   value
uid 214
gid 8
home/var/mail/nl.rna.mail/users/vanroodewierda
mailmaildir:/var/mail/nl.rna.mail/users/vanroodewierda

I’m kind of lost, how do I find out why I’m getting ‘User unknown’ here from 
postfix? Is there a way to run a test with more verbose output that I cans why 
one works and another not?

Gerben Wierda (LinkedIn )
R&A Enterprise Architecture  (main site)
Book: Chess and the Art of Enterprise Architecture 
Book: Mastering ArchiMate 

Re: A user is unknown, but I can't find out why

[Wietse Venema]

Gerben Wierda:
> Feb 18 12:18:44 snape smtp/smtpd[15128]: NOQUEUE: reject: RCPT from 
> ms11p00im-qufo17282001.me.com[17.58.38.57]: 550 5.1.1 
> : Recipient address rejected: User unknown; 
> from= to= proto=ESMTP 
> helo=

The address is rejected by Postfix SMTP server address validation.

I suggest that you look at
https://www.postfix.org/ADDRESS_CLASS_README.html, and determine
which address class rna.nl belong to (local, relay, etc.) and what
user table it expects to use (unix:passwd.byname, etc).

> Feb 18 12:18:47 snape smtp/smtpd[15127]: disconnect from 
> ms11p00im-qufo17282001.me.com[17.58.38.57] ehlo=2 starttls=1 mail=1 rcpt=1 
> data=1 quit=1 commands=7
> Feb 18 12:18:47 snape postfix/local[15132]: 0C666492E2: passing 
>  to transport=lmtp

Looks like rna.nl belongs to the local addres class, and gerben is
a UNIX system account?

> But both are available in dovecot:

Apparently, Postfix does not know that.

Is there a way to make the Dovecot userdb available to Postfix
local_recipient_maps? Otherwise you may want to set up 1:1
virtual_alias_maps entries.

Key Value
vanroodewie...@rna.nl   vanroodewie...@rna.nl

(The Postfix SMTP server queries virtual_alias_maps for address
validation).

I'm not a Dovecot user, so I am not sure whether "local" 
is the right address class for this use case.

Wietse

Re: A user is unknown, but I can't find out why

[Gerben Wierda]

> On 18 Feb 2023, at 14:49, Wietse Venema  wrote:
> 
> Gerben Wierda:
>> Feb 18 12:18:44 snape smtp/smtpd[15128]: NOQUEUE: reject: RCPT from 
>> ms11p00im-qufo17282001.me.com 
>> [17.58.38.57]: 550 5.1.1 
>> mailto:vanroodewie...@rna.nl>>: Recipient address 
>> rejected: User unknown; from=> > to=> > proto=ESMTP 
>> helo=http://ms11p00im-qufo17282001.me.com/>>
> 
> The address is rejected by Postfix SMTP server address validation.
> 
> I suggest that you look at
> https://www.postfix.org/ADDRESS_CLASS_README.html 
> , and determine
> which address class rna.nl  belong to (local, relay, etc.) 
> and what
> user table it expects to use (unix:passwd.byname, etc).
> 
>> Feb 18 12:18:47 snape smtp/smtpd[15127]: disconnect from 
>> ms11p00im-qufo17282001.me.com 
>> [17.58.38.57] ehlo=2 starttls=1 
>> mail=1 rcpt=1 data=1 quit=1 commands=7
>> Feb 18 12:18:47 snape postfix/local[15132]: 0C666492E2: passing 
>> mailto:ger...@rna.nl>> to transport=lmtp
> 
> Looks like rna.nl  belongs to the local addres class, and 
> gerben is
> a UNIX system account?


rna.nl is indeed the local domain and both are not unix accounts (they are on 
my second system)

I think I found it. The side without the unix accounts was using 
local_recipient_maps and one was missing.

G