Solved

postfix check_recipient_access syntax

Posted on 2011-03-15
Medium Priority
1,991 Views
Last Modified: 2012-05-11
I reject mail to unknown accounts with postfix by using the check_recipient_access feature. In my recipient_access file I list out each valid address and reject the rest of the domain. So my file looks something like:

bob@domain1.com OK
fred@domain1.com OK
domain1.com REJECT

There are certain addresses (info, webmaster, etc.) that appear in all domains and I would like to accept them globally. What would be the syntax to say info@{anything} is OK?
Question by:scarpenter104
9 Comments
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 35145134
from the man page (man 5 access):

        user@  Matches all mail addresses with the specified user part.
0
 
LVL 1

Author Comment

by:scarpenter104
ID: 35148970
I too can read a man page :-)

However, when I create a recipient_access file such as:

info@ OK
domain1.com REJECT
domain2.com REJECT

and send mail to info@domain1.com, I get: Recipient address rejected.

changing it to:

info@domain1.com OK
info@domain2.com OK
domain1.com REJECT
domain2.com REJECT

works. However, that requires that I make an entry for each domain which is what I'm trying to avoid.
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 35149847
I didn't mean the ref to the man page as a snide remark. Just noticed the {anything} and assumed you got the syntax wrong.

The pertinent bits of config for this should look like this:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, check_recipient_access hash:/etc/postfix/recipient_list, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

and the content of /etc/postfix/recipient_list
info@ OK
domain1.com REJECT

you will need to run
postmap /etc/postfix/recipient_list

after making changes to that file.

After setting up the files check whether lookups work by issuing:
MAIL_VERBOSE=1 postmap -q <insert lookup stuff here> /etc/postfix/recipient_list

Check the log files if you get any unexpected results and paste the logs here please.

(I know I am stating the obvious...)
0
 
LVL 1

Author Comment

by:scarpenter104
ID: 35159768
All this is already up and running and the lookups work fine if I use an explicit email address.

As you can see in my initial post, the wildcard works fine with the right side of an address.

domain1.com REJECT

does indeed reject any email address that matches domain1.com but doesn't match bob@domain1.com or fred@domain1.com.

However,

info@ OK
domain1.com REJECT

still rejects info@domain1.com.
0
 
LVL 6

Accepted Solution

by:
de2Zotjes earned 2000 total points
ID: 35160173
Did some rechecking and the normal hash table cannot do what you want. The reason is that it will try domain lookup before userpart lookup. You keep hitting the domain lookup :(
The good news is that the regexp map type is your friend. The regexp map is always given the full data item, whether that be an IP address or an email address. Another big difference is that order inside the table matters: the file is searched top to bottom and the first hit wins.

/^info@/ OK
/domain1.com$/ REJECT
/domain2.com$/ REJECT

refer to it as regexp:/etc/postfix/recipient_list
no need to build a db file
have fun.
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 35160228
Oh, and if you don't want to put all your stuff from the original recipient list you can of course use a dunno as catch-all and continue on in the original map:

smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/regex_recipient_list, 
                                               check_recipient_access hash:/etc/postfix/recipient_list, 
                                               reject_unauth_destination

and in the regex_recipient list have this as final entry:
/.*/ DUNNO

0
 
LVL 1

Author Comment

by:scarpenter104
ID: 35160404
Just to see if I have this right:
If it matches a rule in the regex file it stops there, otherwise it will evaluate the check_recipient.

Correct?
0
 
LVL 1

Author Comment

by:scarpenter104
ID: 35162311
Works perfectly!
user1@domain1.com is accepted, info@domain1.com is accepted and unknown@domain1.com is rejected.
Just to summarize, my entry in main.cf (all on one line) looks like this:
smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/recipient_access.regexp, 
check_recipient_access hash:/etc/postfix/recipient_access

/etc/postfix/recipient_access.regexp contains:
/^info&/        OK

/.*/    DUNNO

/etc/postfix/recipient_access contains:
domain1.com REJECT
domain2.com REJECT
user1@domain1.com OK
user2@domain1.com OK
user1@domain2.com OK
user2@domain2.com OK

0
 
LVL 1

Author Comment

by:scarpenter104
ID: 35162319
*sigh* couldn't post without making a mistake.

/etc/postfix/recipient_access.regexp contains:
/^info@/        OK

/.*/    DUNNO

They need an edit option here. :-)
0
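The behaviour the thread settles on rests on three lookup rules that de2Zotjes spells out in the accepted solution and the DUNNO follow-up: an indexed (hash:) access map tries user@domain, then the domain, then user@, so a domain REJECT shadows an info@ OK; a regexp: map is handed the whole address and the first pattern in file order wins; and DUNNO makes Postfix move on to the next restriction. The Python below is an added example written for this page, not code from the thread or from Postfix. It is a simplified model of the access(5) lookup order (parent-domain and user+extension lookups are left out, and regexp patterns are matched case-insensitively, which is the Postfix default), fed with the addresses and domain names from the thread, and it reproduces both the failing hash-only attempt and the final regexp-then-hash chain from the last summary. It also carries one caveat the thread does not state: /^info@/ OK matches info@ at any domain, and in smtpd_recipient_restrictions an OK result ends evaluation, so if that check sits ahead of reject_unauth_destination the server would accept such recipients for relay. The REGEXP_LIST_HARDENED table (my addition, not from the thread) anchors the pattern to the hosted domains and escapes the dots that /domain1.com$/ leaves unescaped.

```python
import re

# The three access(5) results this thread uses. Postfix treats OK as a
# permit and REJECT as a reject; DUNNO means "no decision, try the next
# restriction".
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"


def hash_lookup(table, address):
    """Simplified model of access(5) lookup order for an indexed map
    such as hash:/etc/postfix/recipient_access.

    Postfix tries the full address, then the domain part, then 'user@',
    and stops at the first key present in the table. A 'domain REJECT'
    entry therefore wins over an 'info@ OK' entry for info@domain.
    Parent-domain and user+extension lookups are left out of the model.
    """
    user, _, domain = address.partition("@")
    for key in (address, domain, user + "@"):
        if key in table:
            return table[key]
    return None  # no key matched: this restriction makes no decision


def regexp_lookup(patterns, address):
    """Model of a regexp: map. The whole address is matched against each
    pattern in file order and the first hit wins. Postfix matches these
    patterns case-insensitively unless told otherwise, so the model does too.
    """
    for pattern, action in patterns:
        if re.search(pattern, address, re.IGNORECASE):
            return action
    return None


def evaluate(lookups, address):
    """Walk check_recipient_access lookups in smtpd_recipient_restrictions
    order. OK and REJECT end the evaluation; DUNNO or no match falls
    through. DUNNO is returned if nothing decided, i.e. the restrictions
    that follow (reject_unauth_destination, ...) would have to.
    """
    for lookup in lookups:
        result = lookup(address)
        if result in (OK, REJECT):
            return result
    return DUNNO


# Tables reconstructed from the thread (constructed sample data).
HASH_ATTEMPT = {"info@": OK, "domain1.com": REJECT, "domain2.com": REJECT}

REGEXP_LIST = [(r"^info@", OK), (r".*", DUNNO)]
HASH_LIST = {
    "domain1.com": REJECT, "domain2.com": REJECT,
    "user1@domain1.com": OK, "user2@domain1.com": OK,
    "user1@domain2.com": OK, "user2@domain2.com": OK,
}

# Hardened variant (added here, not from the thread): OK only for info@ at
# a hosted domain, with the dots escaped so 'domain1Xcom' cannot match.
HOSTED_DOMAINS = ("domain1.com", "domain2.com")
REGEXP_LIST_HARDENED = [
    (r"^info@(" + "|".join(re.escape(d) for d in HOSTED_DOMAINS) + r")$", OK),
    (r".*", DUNNO),
]


def classify(address, regexp_list=REGEXP_LIST):
    """The final chain from the thread: regexp map first, hash map second."""
    return evaluate(
        [lambda a: regexp_lookup(regexp_list, a),
         lambda a: hash_lookup(HASH_LIST, a)],
        address,
    )


if __name__ == "__main__":
    for addr in ("user1@domain1.com", "info@domain1.com",
                 "unknown@domain1.com", "info@external.example"):
        print(f"{addr:24} hash attempt: {str(hash_lookup(HASH_ATTEMPT, addr)):6} "
              f"thread chain: {classify(addr):6} "
              f"hardened chain: {classify(addr, REGEXP_LIST_HARDENED)}")
```

Run as a script it prints the decision for each address under the failing hash-only table, the thread's final chain, and the hardened chain; on a real Postfix host the equivalent check for the regexp map is `postmap -q info@domain1.com regexp:/etc/postfix/recipient_access.regexp`, which needs no db file, and for the indexed map `postmap -q info@domain1.com hash:/etc/postfix/recipient_access` after `postmap` has rebuilt it.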

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question