
Define exception(s) from catchall domain


Sebastian Wiesinger

Oct 23, 2014, 3:52:47 PM
Hello,

I have a few users that insist on using catch-all domains. Not
surprising they get spam to some address. Now they're asking if they
can reject mail for *some* of the addresses of the catch-all domain.

They can create aliases themselves via postfixadmin and they want to
do this the same way.

I tried to implement this by using a check_recipient_access pcre_table
like this:

/etc/postfix# cat recipient_access.pcre
/^postfix-reject-address@.+$/ REJECT

smtpd_recipient_restrictions =
check_recipient_access pcre:$config_directory/recipient_access.pcre,
...

And telling them to add an alias to
postfix-reject-address@$THEIR_DOMAIN

But this doesn't work as postfix will produce bounces (backscatter)
like this:

<reject-post...@karotte.org> (expanded from <rejec...@karotte.org>):
user unknown

In the log I see that postfix tries to deliver the message with the
default virtual transport (dovecot) which then returns the user
unknown.

Is there a way to accomplish this?

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

li...@rhsoft.net

Oct 23, 2014, 4:00:11 PM

On 23.10.2014 at 21:52, Sebastian Wiesinger wrote:
> I have a few users that insist on using catch-all domains. Not
> surprising they get spam to some address. Now they're asking if they
> can reject mail for *some* of the addresses of the catch-all domain.
>
> They can create aliases themselves via postfixadmin and they want to
> do this the same way.
>
> I tried to implement this by using a check_recipient_access pcre_table
> like this:
>
> /etc/postfix# cat recipient_access.pcre
> /^postfix-reject-address@.+$/ REJECT
>
> smtpd_recipient_restrictions =
> check_recipient_access pcre:$config_directory/recipient_access.pcre,
> ...
>
> And telling them to add an alias to
> postfix-reject-address@$THEIR_DOMAIN
>
> But this doesn't work as postfix will produce bounces (backscatter)
> like this:
>
> <reject-post...@karotte.org> (expanded from <rejec...@karotte.org>):
> user unknown
>
> In the log I see that postfix tries to deliver the message with the
> default virtual transport (dovecot) which then returns the user
> unknown.
>
> Is there a way to accomplish this?

smtpd_recipient_restrictions with REJECT does NOT backscatter;
a proper REJECT in the MTA never sends a bounce

if it touches the virtual transport the REJECT never got triggered

I do not see "postconf -n" output nor a full log example for such a
message, so it's impossible to know what happens on your setup

anyways, somebody insisting on a catch-all in 2014 has to suck the spam
or give up that completely broken idea - it did not even make sense 15
years ago - if somebody doesn't know my address he can't send a mail to me
- so what - would you extend that to @internet - no - so why to @domain?

Sebastian Wiesinger

Oct 23, 2014, 4:10:16 PM
* Sebastian Wiesinger <postfi...@ml.karotte.org> [2014-10-23 21:54]:
> Hello,
>
> I have a few users that insist on using catch-all domains. Not
> surprising they get spam to some address. Now they're asking if they
> can reject mail for *some* of the addresses of the catch-all domain.
>
> They can create aliases themselves via postfixadmin and they want to
> do this the same way.
>
> I tried to implement this by using a check_recipient_access pcre_table
> like this:
>
> /etc/postfix# cat recipient_access.pcre
> /^postfix-reject-address@.+$/ REJECT
>
> smtpd_recipient_restrictions =
> check_recipient_access pcre:$config_directory/recipient_access.pcre,
> ...
>
> And telling them to add an alias to
> postfix-reject-address@$THEIR_DOMAIN
>
> But this doesn't work as postfix will produce bounces (backscatter)
> like this:
>
> <reject-post...@karotte.org> (expanded from <rejec...@karotte.org>):
> user unknown

Forgot the logs/configuration:

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:$config_directory/body_checks.pcre
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
dovecot-sa_destination_recipient_limit = 1
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
greylist = check_policy_service inet:127.0.0.1:10023
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = 127.0.0.1, [::1], 176.9.75.247, 176.9.51.79,
[2a01:4f8:150:7142::25], [2a01:4f8:150:7142::587]
inet_protocols = ipv4, ipv6
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 102400000
mydestination = mx.karotte.org, alita.karotte.org, localhost.karotte.org,
localhost
myhostname = mx.karotte.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_clientcerts = hash:$config_directory/relay_clientcerts
relay_domains = proxy:mysql:$config_directory/sql/mysql_relay_domains_maps.cf
relayhost =
smtp_address_preference = ipv6
smtp_bind_address = 176.9.75.247
smtp_bind_address6 = 2a01:4f8:150:7142::25
smtp_dns_support_level = dnssec
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_policy_maps = hash:$config_directory/tls_policy
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 15
smtpd_client_event_limit_exceptions = $mynetworks, $inet_interfaces
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts, check_client_access
cidr:$config_directory/unknown_reverse_hostname.cidr, check_client_access
hash:$config_directory/client_rbl_whitelist, permit_dnswl_client
list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client
zen.spamhaus.org=127.0.0.[2..11], reject_rbl_client ix.dnsbl.manitu.net,
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts,
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
smtpd_recipient_restrictions = check_recipient_access
pcre:$config_directory/recipient_access.pcre, permit_mynetworks,
permit_inet_interfaces, reject_non_fqdn_recipient,
permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access
hash:$config_directory/defer_unkown_users, reject_unlisted_recipient,
check_policy_service unix:private/policyd-spf, permit_dnswl_client
list.dnswl.org=127.0.[0..255].[0..3], check_recipient_access
pcre:$config_directory/greylist.pcre
smtpd_relay_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_restriction_classes = greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_inet_interfaces,
reject_non_fqdn_sender, permit_sasl_authenticated, permit_tls_clientcerts,
reject_unlisted_sender, reject_unknown_sender_domain, reject_rhsbl_sender
dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/cacert-karotte-combined.crt
smtpd_tls_dh1024_param_file = $config_directory/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/dh512.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/cacert-karotte.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
strict_rfc821_envelopes = yes
transport_maps = hash:$config_directory/transport
virtual_alias_maps =
proxy:mysql:$config_directory/sql/mysql_virtual_alias_maps.cf,
proxy:mysql:$config_directory/sql/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:$config_directory/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
proxy:mysql:$config_directory/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:$config_directory/sql/mysql_virtual_mailbox_maps.cf,
proxy:mysql:$config_directory/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot-sa
virtual_uid_maps = static:111



log:

Oct 23 22:03:16 alita postfix/smtpd[22089]: 3jNzyr0pr2zCqp7: client=danton.fire-world.de[2001:4dd0:f8dd::120]
Oct 23 22:03:33 alita postfix/cleanup[20841]: 3jNzyr0pr2zCqp7: message-id=<>
Oct 23 22:03:33 alita opendmarc[19015]: 3jNzyr0pr2zCqp7: fire-world.de none
Oct 23 22:03:33 alita postfix/qmgr[20825]: 3jNzyr0pr2zCqp7: from=<bo...@fire-world.de>, size=588, nrcpt=1 (queue active)
Oct 23 22:03:33 alita postfix/pipe[22030]: 3jNzyr0pr2zCqp7: to=<postfix-rej...@karotte.org>, orig_to=<rejec...@karotte.org>, relay=dovecot-sa, delay=25, delays=25/0/0/0.07, dsn=5.1.1, status=bounced (user unknown)
Oct 23 22:03:33 alita postfix/bounce[22138]: 3jNzyr0pr2zCqp7: sender non-delivery notification: 3jNzz94LWMzCtkr
Oct 23 22:03:33 alita postfix/qmgr[20825]: 3jNzyr0pr2zCqp7: removed

Noel Jones

Oct 23, 2014, 6:34:56 PM
On 10/23/2014 2:52 PM, Sebastian Wiesinger wrote:
> Hello,
>
> I have a few users that insist on using catch-all domains. Not
> surprising they get spam to some address. Now they're asking if they
> can reject mail for *some* of the addresses of the catch-all domain.
>
> They can create aliases themselves via postfixadmin and they want to
> do this the same way.
>
> I tried to implement this by using a check_recipient_access pcre_table
> like this:
>
> /etc/postfix# cat recipient_access.pcre
> /^postfix-reject-address@.+$/ REJECT
>

This must match the recipient address as sent by the client and
logged by postfix smtpd process, NOT the rewritten address.

> smtpd_recipient_restrictions =
> check_recipient_access pcre:$config_directory/recipient_access.pcre,
> ...

It's generally unwise to put any access tables before
permit_mynetworks. Extra caution is needed to make sure you don't
accidentally create an open relay.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

>
> And telling them to add an alias to
> postfix-reject-address@$THEIR_DOMAIN

This should not be necessary.



-- Noel Jones

Sebastian Wiesinger

Oct 24, 2014, 6:10:47 AM
* Noel Jones <njo...@megan.vbhcs.org> [2014-10-24 00:36]:
> > I tried to implement this by using a check_recipient_access pcre_table
> > like this:
> >
> > /etc/postfix# cat recipient_access.pcre
> > /^postfix-reject-address@.+$/ REJECT
> >
>
> This must match the recipient address as sent by the client and
> logged by postfix smtpd process, NOT the rewritten address.

Yes,

I figured this out and found a way to do what I wanted. I now have the
following:

smtpd_recipient_restrictions =
check_recipient_access proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf,
...

(Also I had to extend proxy_read_maps for this).

The .cf contains the following query:

query = SELECT 'REJECT' FROM alias WHERE address='%s' AND goto='rej...@postfix.access' AND active = '1'

So all the users have to do is add an alias from their address to
rej...@postfix.access to reject a specific alias.

> > smtpd_recipient_restrictions =
> > check_recipient_access pcre:$config_directory/recipient_access.pcre,
> > ...
>
> It's generally unwise to put any access tables before
> permit_mynetworks. Extra caution is needed to make sure you don't
> accidentally create an open relay.

In this specific case I think it is okay because I want no one to be
able to mail to these addresses. It should be as if the alias does not
exist.

As for the open relay, I moved all that stuff to
smtpd_relay_restrictions.

> > And telling them to add an alias to
> > postfix-reject-address@$THEIR_DOMAIN
>
> This should not be necessary.

It's the way postfixadmin works. Without coding up an extension that
lets users block specific aliases, this is the fastest way to do it.

Regards

Sebastian
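
Both points in this exchange can be checked offline: Noel's note that check_recipient_access sees the recipient exactly as the client sent it (not the address after virtual_alias_maps expansion), and Sebastian's working lookup against the postfixadmin alias table. The following is an added example, not code from the thread, from Postfix or from postfixadmin. It stands in sqlite3 for MySQL, uses a constructed alias table with example.test addresses, and replaces the elided rej...@postfix.access target with a labelled placeholder sentinel. It models only the full-address lookup key; Postfix also queries the domain and user@ key forms, which the `address = '%s'` comparison in the real query cannot match anyway.

```python
"""Simulate the two check_recipient_access approaches from the thread.

Added example (not from the thread or from Postfix/postfixadmin).
sqlite3 stands in for MySQL; the alias table, domains and the reject
sentinel address are all constructed placeholders.
"""
import re
import sqlite3

# Placeholder for the elided "rej...@postfix.access" target in the thread.
REJECT_SENTINEL = "reject-sentinel@postfix.access"

# The pcre rule posted in the thread. For this pattern Python's re and PCRE agree.
PCRE_RULE = re.compile(r"^postfix-reject-address@.+$")

# Sebastian's final query, with Postfix's %s turned into a bound parameter
# and the elided goto target replaced by the sentinel above.
ACCESS_QUERY = (
    "SELECT 'REJECT' FROM alias "
    "WHERE address = ? AND goto = ? AND active = '1'"
)

# Constructed postfixadmin-style rows: (address, goto, active). Sample data only.
CONSTRUCTED_ALIASES = [
    ("spamtrap@example.test", REJECT_SENTINEL, "1"),   # user wants this rejected
    ("old-sales@example.test", REJECT_SENTINEL, "0"),  # inactive row: must not reject
    ("info@example.test", "mailbox@example.test", "1"),  # ordinary alias
    ("@example.test", "mailbox@example.test", "1"),      # the catch-all
    # The original idea: alias the unwanted address to a pcre-matched target.
    ("bogus@example.test", "postfix-reject-address@example.test", "1"),
]


def build_alias_db():
    """In-memory table shaped like postfixadmin's alias table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alias (address TEXT, goto TEXT, active TEXT)")
    conn.executemany("INSERT INTO alias VALUES (?, ?, ?)", CONSTRUCTED_ALIASES)
    return conn


def expand_virtual_alias(conn, recipient):
    """One round of virtual_alias_maps expansion: exact address first,
    then the @domain catch-all. Returns the address delivery would use."""
    _, domain = recipient.rsplit("@", 1)
    for key in (recipient, "@" + domain):
        row = conn.execute(
            "SELECT goto FROM alias WHERE address = ? AND active = '1'", (key,)
        ).fetchone()
        if row:
            return row[0]
    return recipient


def pcre_approach(conn, recipient):
    """The pcre table is consulted by smtpd with the client-sent recipient.
    The rule only matches the expanded target, which smtpd never sees, so the
    REJECT does not fire and the mail proceeds to the virtual transport,
    where the nonexistent target bounces (the backscatter seen in the log)."""
    smtpd_rejects = PCRE_RULE.match(recipient) is not None
    expanded = expand_virtual_alias(conn, recipient)
    return {
        "smtpd_rejects": smtpd_rejects,
        "would_match_after_expansion": PCRE_RULE.match(expanded) is not None,
    }


def sql_approach(conn, recipient):
    """Sebastian's solution: look the client-sent recipient up directly.
    Returns 'REJECT' on a hit, otherwise 'DUNNO' (no decision, like Postfix)."""
    row = conn.execute(ACCESS_QUERY, (recipient, REJECT_SENTINEL)).fetchone()
    return row[0] if row else "DUNNO"


if __name__ == "__main__":
    db = build_alias_db()
    for rcpt in ("spamtrap@example.test", "old-sales@example.test",
                 "anything@example.test", "bogus@example.test"):
        print(f"{rcpt:24} pcre={pcre_approach(db, rcpt)} sql={sql_approach(db, rcpt)}")
```

The inactive row is the edge case worth keeping: without the `active = '1'` clause a user who merely disabled an alias in postfixadmin would start rejecting mail for it.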

Wietse Venema

Oct 24, 2014, 7:26:57 AM
Sebastian Wiesinger:
> smtpd_recipient_restrictions =
> check_recipient_access proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf,
> ...
>
> (Also I had to extend proxy_read_maps for this).

Argh. I forgot to include that in the default proxy_read_maps
setting.

> As for the open relay, I moved all that stuff to smtpd_relay_restrictions.

Good!

Wietse
