Solved

postfix check_recipient_access syntax

Posted on 2011-03-15
Last Modified: 2012-05-11
I reject mail to unknown accounts with postfix by using the check_recipient_access feature. In my recipient_access file I list out each valid address and reject the rest of the domain. So my file looks something like:

bob@domain1.com OK
fred@domain1.com OK
domain1.com REJECT

There are certain addresses (info, webmaster, etc.) that appear in all domains and I would like to accept them globally. What would be the syntax to say info@{anything} is OK?
Question by:scarpenter104

Expert Comment

by:de2Zotjes
ID: 35145134
from the man page (man 5 access):

        user@  Matches all mail addresses with the specified user part.

Author Comment

by:scarpenter104
ID: 35148970
I too can read a man page :-)

However, when I create a recipient_access file such as:

info@ OK
domain1.com REJECT
domain2.com REJECT

and send mail to info@domain1.com, I get: Recipient address rejected.

changing it to:

info@domain1.com OK
info@domain2.com OK
domain1.com REJECT
domain2.com REJECT

works. However, that requires that I make an entry for each domain which is what I'm trying to avoid.

Expert Comment

by:de2Zotjes
ID: 35149847
I didn't mean the ref to man page as a snide remark. Just noticed the {anything} and assumed you got the syntax wrong.

The pertinent bits of config for this should look like this:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, check_recipient_access hash:/etc/postfix/recipient_list, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

and the content of /etc/postfix/recipient_list
info@ OK
domain1.com REJECT

you will need to run
postmap /etc/postfix/recipient_list

after making changes to that file.

After setting up the files check whether lookups work by issuing:
MAIL_VERBOSE=1 postmap -q <insert lookup stuff here> /etc/postfix/recipient_list

Check the log files if you get any unexpected results and paste the logs here please.

(I know I am stating the obvious...)

Author Comment

by:scarpenter104
ID: 35159768
All this is already up and running and the lookups work fine if I use an explicit email address.

As you can see in my initial post, the wildcard works fine with the right side of an address.

domain1.com REJECT

does indeed reject any email address that matches domain1.com but doesn't match bob@domain1.com or fred@domain1.com.

However,

info@ OK
domain1.com REJECT

still rejects info@domain1.com.

Accepted Solution

by:
de2Zotjes earned 500 total points
ID: 35160173
Did some rechecking and the normal hash table cannot do what you want. The reason is that it will try domain lookup before userpart lookup. You keep hitting the domain lookup :(
The good news is that the regexp map type is your friend. The regexp map is always given the full data item, whether that be an ip-address or email-address. Another big difference is that order inside the table matters, the file is searched top to bottom and the first hit wins.

/^info@/ OK
/domain1\.com$/ REJECT
/domain2\.com$/ REJECT

refer to it as regexp:/etc/postfix/recipient_list
no need to build a db file
have fun.

Expert Comment

by:de2Zotjes
ID: 35160228
Oh, and if you don't want to put all your stuff from the original recipient list you can of course use a dunno as catch all and continue on in the original map:

smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/regex_recipient_list, 
                                               check_recipient_access hash:/etc/postfix/recipient_list, 
                                               reject_unauth_destination

and in the regex_recipient list have this as final entry:
/.*/ DUNNO


Author Comment

by:scarpenter104
ID: 35160404
Just to see if I have this right:
If it matches a rule in the regex file it stops there, otherwise it will evaluate the check_recipient.

Correct?

Author Comment

by:scarpenter104
ID: 35162311
Works perfectly!
user1@domain1.com is accepted, info@domain1.com is accepted and unknown@domain1.com is rejected.
Just to summarize, my entry in main.cf (all on one line) looks like this:
smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/recipient_access.regexp, check_recipient_access hash:/etc/postfix/recipient_access

/etc/postfix/recipient_access.regexp contains:
/^info&/        OK

/.*/    DUNNO

/etc/postfix/recipient_access contains:
domain1.com REJECT
domain2.com REJECT
user1@domain1.com OK
user2@domain1.com OK
user1@domain2.com OK
user2@domain2.com OK


Author Comment

by:scarpenter104
ID: 35162319
*sigh* couldn't post without making a mistake.

/etc/postfix/recipient_access.regexp contains:
/^info@/        OK

/.*/    DUNNO

They need an edit option here. :-)
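
The lookup behaviour this thread arrives at, as an added example that is not part of the original posts: a simplified Python model (not Postfix code) of the access(5) search order for hash tables and of a first-match regexp table chained with DUNNO. The function names are hypothetical; the table contents are the sample entries from the thread, and the example.net address is constructed.

```python
# Added illustration: a simplified model of Postfix access(5) lookups.
# Table contents are the sample entries posted in this thread.
import re

def hash_lookup(table, rcpt):
    """Indexed (hash:) table: try user@domain, then domain, then user@."""
    user, _, domain = rcpt.lower().partition("@")
    for key in (f"{user}@{domain}", domain, f"{user}@"):
        if key in table:
            return table[key]
    return None  # not found

def regexp_lookup(rules, rcpt):
    """regexp: table: full address, top to bottom, first match wins."""
    for pattern, action in rules:
        if re.search(pattern, rcpt, re.IGNORECASE):
            return action
    return None

def evaluate(restrictions, rcpt):
    """Walk check_recipient_access maps in order; OK/REJECT are final,
    DUNNO or no match moves on to the next restriction."""
    for lookup, table in restrictions:
        result = lookup(table, rcpt)
        if result in ("OK", "REJECT"):
            return result
    return "DUNNO"  # no map decided; later restrictions would apply

# Hash-only attempt from the question: the domain key shadows "info@".
HASH_ONLY = {"info@": "OK", "domain1.com": "REJECT", "domain2.com": "REJECT"}

# Final working setup: regexp map first, then the hash map.
REGEXP_MAP = [(r"^info@", "OK"), (r".*", "DUNNO")]
HASH_MAP = {
    "domain1.com": "REJECT", "domain2.com": "REJECT",
    "user1@domain1.com": "OK", "user2@domain1.com": "OK",
    "user1@domain2.com": "OK", "user2@domain2.com": "OK",
}
CHAIN = [(regexp_lookup, REGEXP_MAP), (hash_lookup, HASH_MAP)]

if __name__ == "__main__":
    print("hash only:", evaluate([(hash_lookup, HASH_ONLY)], "info@domain1.com"))
    for rcpt in ("user1@domain1.com", "info@domain1.com",
                 "unknown@domain1.com", "info@example.net"):  # last one constructed
        print(rcpt, "->", evaluate(CHAIN, rcpt))
```

The last case shows that /^info@/ OK matches a recipient at any domain, not only the hosted ones, so relay control such as reject_unauth_destination has to be evaluated before this map (or in smtpd_relay_restrictions on Postfix 2.10 and later).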