Solved

postfix check_recipient_access syntax

Posted on 2011-03-15
Last Modified: 2012-05-11
I reject mail to unknown accounts with postfix by using the check_recipient_access feature. In my recipient_access file I list out each valid address and reject the rest of the domain. So my file looks something like:

bob@domain1.com OK
fred@domain1.com OK
domain1.com REJECT

There are certain addresses (info, webmaster, etc.) that appear in all domains and I would like to accept them globally. What would be the syntax to say info@{anything} is OK?
Question by:scarpenter104

Expert Comment

by:de2Zotjes
ID: 35145134
from the man page (man 5 access):

        user@  Matches all mail addresses with the specified user part.

Author Comment

by:scarpenter104
ID: 35148970
I too can read a man page :-)

However, when I create a recipient_access file such as:

info@ OK
domain1.com REJECT
domain2.com REJECT

and send mail to info@domain1.com, I get: Recipient address rejected.

changing it to:

info@domain1.com OK
info@domain2.com OK
domain1.com REJECT
domain2.com REJECT

works. However, that requires that I make an entry for each domain which is what I'm trying to avoid.

Expert Comment

by:de2Zotjes
ID: 35149847
I didn't mean the reference to the man page as a snide remark. I just noticed the {anything} and assumed you had got the syntax wrong.

The pertinent bits of config for this should look like this:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, check_recipient_access hash:/etc/postfix/recipient_list, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination



and the content of /etc/postfix/recipient_list
info@ OK
domain1.com REJECT



you will need to run
postmap /etc/postfix/recipient_list


after making changes to that file.

After setting up the files check whether lookups work by issuing:
MAIL_VERBOSE=1 postmap -q <insert lookup stuff here> /etc/postfix/recipient_list



Check the log files if you get any unexpected results and paste the logs here please.

(I know I am stating the obvious...)

Author Comment

by:scarpenter104
ID: 35159768
All this is already up and running and the lookups work fine if I use an explicit email address.

As you can see in my initial post, the wildcard works fine with the right side of an address.

domain1.com REJECT

does indeed reject any email address that matches domain1.com but doesn't match bob@domain1.com or fred@domain1.com.

However,

info@ OK
domain1.com REJECT

still rejects info@domain1.com.

Accepted Solution

by: de2Zotjes (earned 500 total points)
ID: 35160173
Did some rechecking and the normal hash table cannot do what you want. The reason is that it will try domain lookup before userpart lookup. You keep hitting the domain lookup :(
The good news is that the regexp map type is your friend. The regexp map is always given the full data item, whether that be an IP address or an email address. Another big difference is that order inside the table matters: the file is searched top to bottom and the first hit wins.

/^info@/ OK
/domain1.com$/ REJECT
/domain2.com$/ REJECT



Refer to it as regexp:/etc/postfix/recipient_list; there is no need to build a .db file.
Have fun.

Expert Comment

by:de2Zotjes
ID: 35160228
Oh, and if you don't want to put all your stuff from the original recipient list in there, you can of course use a DUNNO as catch-all and continue on in the original map:

smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/regex_recipient_list, 
                                               check_recipient_access hash:/etc/postfix/recipient_list, 
                                               reject_unauth_destination



and in the regex_recipient list have this as final entry:
/.*/ DUNNO



Author Comment

by:scarpenter104
ID: 35160404
Just to see if I have this right:
If it matches a rule in the regex file it stops there, otherwise it will evaluate the check_recipient.

Correct?

Author Comment

by:scarpenter104
ID: 35162311
Works perfectly!
user1@domain1.com is accepted, info@domain1.com is accepted and unknown@domain1.com is rejected.
Just to summarize, my entry in main.cf (all on one line) looks like this:
smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/recipient_access.regexp, 
check_recipient_access hash:/etc/postfix/recipient_access



/etc/postfix/recipient_access.regexp contains:
/^info&/        OK

/.*/    DUNNO



/etc/postfix/recipient_access contains:
domain1.com REJECT
domain2.com REJECT
user1@domain1.com OK
user2@domain1.com OK
user1@domain2.com OK
user2@domain2.com OK



Author Comment

by:scarpenter104
ID: 35162319
*sigh* couldn't post without making a mistake.

/etc/postfix/recipient_access.regexp contains:
/^info@/        OK

/.*/    DUNNO



They need an edit option here. :-)
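The lookup-order problem explained in the accepted solution, and the regexp-then-hash chain in the final summary, modelled as an added Python simulation. This is written for this page; it is not Postfix's own code and was not part of the original thread. The tables are constructed from the examples above; the `MYDESTINATION` set and the `hash:` key order used here (full address, then domain, then bare `user@`, leaving out the parent-domain and address-extension variants that access(5) also tries) are simplifying assumptions of the model:

```python
"""Model of Postfix check_recipient_access lookup order (added illustration,
not Postfix source). Two map types are emulated:

  hash:   indexed table; access(5) tries the full address first, then the
          domain, then the bare "user@" key (simplified, see lead-in).
  regexp: scanned top to bottom, first matching pattern wins; patterns are
          case-insensitive by default.
"""
import re

# Constructed: the first attempt, "info@ OK" in the same hash: table as the
# per-domain REJECT entries.
HASH_ATTEMPT = {
    "info@": "OK",
    "domain1.com": "REJECT",
    "domain2.com": "REJECT",
}

# Constructed: the hash: table from the accepted layout.
HASH_FINAL = {
    "domain1.com": "REJECT",
    "domain2.com": "REJECT",
    "user1@domain1.com": "OK",
    "user2@domain1.com": "OK",
    "user1@domain2.com": "OK",
    "user2@domain2.com": "OK",
}

# Constructed: the regexp: table that runs first in the accepted layout.
REGEXP_FINAL = [
    (re.compile(r"^info@", re.IGNORECASE), "OK"),
    (re.compile(r".*", re.IGNORECASE), "DUNNO"),
]

# Assumption: domains this server is responsible for (mydestination),
# consulted by the reject_unauth_destination step.
MYDESTINATION = {"domain1.com", "domain2.com"}


def hash_lookup(table, address):
    """access(5) key order for an indexed table; returns (matched key, action)."""
    local, _, domain = address.rpartition("@")
    for key in (address, domain, local + "@"):
        if key in table:
            return key, table[key]
    return None, None


def regexp_lookup(table, address):
    """regexp_table(5) order: the first pattern that matches wins."""
    for pattern, action in table:
        if pattern.search(address):
            return pattern.pattern, action
    return None, None


def smtpd_recipient_restrictions(address, restrictions):
    """Walk a restriction list the way smtpd does for one RCPT TO address.

    Each entry is either the string "reject_unauth_destination" or a
    (name, table, lookup) tuple standing for check_recipient_access <name>.
    OK and REJECT end the evaluation; DUNNO (or no match) falls through, and
    reaching the end of the list permits. Returns (verdict, trace).
    """
    address = address.lower()  # Postfix folds access lookup keys to lower case
    domain = address.rpartition("@")[2]
    trace = []
    for entry in restrictions:
        if entry == "reject_unauth_destination":
            name, key = entry, domain
            action = "DUNNO" if domain in MYDESTINATION else "REJECT"
        else:
            name, table, lookup = entry
            key, action = lookup(table, address)
            action = action or "DUNNO"
        trace.append((name, key, action))
        if action in ("OK", "REJECT"):
            return action, trace
    return "OK", trace


# The three layouts compared below.
ATTEMPT = [("hash:recipient_access", HASH_ATTEMPT, hash_lookup),
           "reject_unauth_destination"]
FINAL = [("regexp:recipient_access.regexp", REGEXP_FINAL, regexp_lookup),
         ("hash:recipient_access", HASH_FINAL, hash_lookup),
         "reject_unauth_destination"]
# Same maps, but relay control evaluated before any map can answer OK.
HARDENED = ["reject_unauth_destination"] + FINAL[:2]


def verdict_attempt(address):
    return smtpd_recipient_restrictions(address, ATTEMPT)[0]


def verdict_final(address):
    return smtpd_recipient_restrictions(address, FINAL)[0]


def verdict_hardened(address):
    return smtpd_recipient_restrictions(address, HARDENED)[0]


if __name__ == "__main__":
    for addr in ("info@domain1.com", "user1@domain1.com",
                 "unknown@domain1.com", "info@other.example"):
        print(f"{addr:22} attempt={verdict_attempt(addr):8}"
              f"final={verdict_final(addr):8}hardened={verdict_hardened(addr)}")
```

Run it with python3. The `HARDENED` layout is there for a reason the thread does not mention: in `smtpd_recipient_restrictions` an `OK` from `check_recipient_access` is a permit, so with `/^info@/ OK` evaluated before `reject_unauth_destination` the model accepts `info@other.example`, i.e. it relays to any `info@` address anywhere. Evaluating `reject_unauth_destination` first, or anchoring the pattern to your own domains (`/^info@(domain1|domain2)\.com$/ OK`, with the dots escaped), closes that. Postfix 2.10 and later also evaluate `smtpd_relay_restrictions` before this list, whose default already contains `defer_unauth_destination`; older releases do not, and their smtpd(8) aborts with a fatal error when `smtpd_recipient_restrictions` contains no `reject_unauth_destination` or equivalent, so the two-map list in the final summary needs it appended on such a release. On a real server, `postmap -q info@domain1.com regexp:/etc/postfix/recipient_access.regexp` and `postmap -q info@domain1.com hash:/etc/postfix/recipient_access` return the same per-map decisions that the lookups here produce.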