Gentoo Forums
[SOLVED] Postfix not rejecting invalid recipients
gr0x0rd
Guru


Joined: 12 Aug 2006
Posts: 311

Posted: Fri May 15, 2015 6:36 pm    Post subject: [SOLVED] Postfix not rejecting invalid recipients

I've been using postfix/amavisd-new/clamav as a mail gateway for a number of months now, and for the most part, it's been working great. There are a number of hosted exchange environments behind the mailfiltering gateway, but no local mailboxes.

When setting up the system based on the documentation, one thing I was never able to get working was to not accept messages to invalid users in each domain. Once a relay domain was configured, postfix never seemed to care which user/mailbox a message was addressed to: it filtered and handed the messages off to exchange, which resulted in some nasty behavior and backscatter as exchange is configured by default to send NDRs to invalid recipients. I've since changed this behavior, but wanted to further lock down the postfix environment and drop messages to invalid recipients during the initial parts of the smtp conversation.

The documentation I followed was that for Postfix and other example since I couldn't find a lot of detail on this in the gentoo docs. I don't have a database containing the valid recipients, just a simple flat file with a hash table. My latest attempt was a simple one, for a single domain.

Here are the relevant config files:
/etc/postfix/verify-domains
Code:
gr0x0rd.com   reject_unverified_recipient

/etc/postfix/relay-recipients
Code:
gr0x0rd@gr0x0rd.com 1

/etc/postfix/main.cf
Code:

...
# transport and relaying settings
local_transport = error:no local delivery
local_recipient_maps =
transport_maps = hash:/etc/postfix/mailertable
mydestination = /etc/postfix/relay-domains
relay_recipient_maps = hash:/etc/postfix/relay-recipients
...
# reject messages from invalid senders and to recipients that we don't relay for
smtpd_recipient_restrictions =
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_non_fqdn_hostname,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unknown_sender_domain,
        reject_unverified_recipient,
        reject_unlisted_recipient,
        check_recipient_access hash:/etc/postfix/verify-domains
...
address_verify_map = btree:$data_directory/verify_cache
# Uncomment this next line when finished testing address verification:
unverified_recipient_reject_reason = Address lookup failed
unverified_recipient_reject_code = 550
...

Based on this configuration, postfix should look up the domain settings via the check_recipient_access directive, find reject_unverified_recipient set for the gr0x0rd domain, then look up the recipient in the verify_cache generated from the relay_recipient_maps hash table. However, the server still accepts any message for any user in the configured domain. Here is an example telnet session:
Code:
gr0x0rd@teletran4 ~ $ telnet <spam server ip> 25
Trying <spam server ip>...
Connected to <spam server ip>.
Escape character is '^]'.
220 spam-test.dmz: spam, phishing, unsolicited marketing and violators of the CASL will be BANNED!
helo teletran4.cybertron.local
250 spam-test.dmz
mail from: gr0x0rd@<somewhere>.com
250 2.1.0 Ok
rcpt to: nobody@gr0x0rd.com
250 2.1.5 Ok

With each new address I try, there is a delay as the new entry is looked up and cached. But, the message is accepted. Here is what results in the log:
Code:
...
May 15 11:24:32 spam-test postfix/smtpd[9500]: >>> CHECKING RECIPIENT MAPS <<<
May 15 11:24:32 spam-test postfix/smtpd[9500]: ctable_locate: move existing entry key nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: recipient_canonical_maps: nobody@gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: match_string: gr0x0rd.com ~? gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: recipient_canonical_maps: nobody: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: recipient_canonical_maps: @gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: mail_addr_find: nobody@gr0x0rd.com -> (not found)
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: canonical_maps: nobody@gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: match_string: gr0x0rd.com ~? gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: canonical_maps: nobody: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: canonical_maps: @gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: mail_addr_find: nobody@gr0x0rd.com -> (not found)
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: virtual_alias_maps: nobody@gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: match_string: gr0x0rd.com ~? gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: virtual_alias_maps: nobody: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: virtual_alias_maps: @gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: mail_addr_find: nobody@gr0x0rd.com -> (not found)
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=reject_unlisted_recipient status=0
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=check_recipient_access
May 15 11:24:32 spam-test postfix/smtpd[9500]: check_mail_access: nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: ctable_locate: leave existing entry key nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: check_access: nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: check_domain_access: gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: check_table_result: hash:/etc/postfix/verify-domains reject_unverified_recipient gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: >>> START Recipient address RESTRICTIONS <<<
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=reject_unverified_recipient
May 15 11:24:32 spam-test postfix/smtpd[9500]: reject_unverified_address: nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: send attr request = query
May 15 11:24:32 spam-test postfix/smtpd[9500]: send attr address = nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: private/verify socket: wanted attribute: status
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute name: status
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute value: 0
May 15 11:24:32 spam-test postfix/smtpd[9500]: private/verify socket: wanted attribute: recipient_status
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute name: recipient_status
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute value: 0
May 15 11:24:32 spam-test postfix/smtpd[9500]: private/verify socket: wanted attribute: reason
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute name: reason
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute value: 250 2.1.5 Recipient OK
May 15 11:24:32 spam-test postfix/smtpd[9500]: private/verify socket: wanted attribute: (list terminator)
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute name: (end)
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=reject_unverified_recipient status=0
May 15 11:24:32 spam-test postfix/smtpd[9500]: >>> END Recipient address RESTRICTIONS <<<
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=check_recipient_access status=0
May 15 11:24:32 spam-test postfix/smtpd[9500]: >>> END Recipient address RESTRICTIONS <<<

So it is performing the lookup, but it's returning that the recipient is OK and thus accepts the message. What am I missing here?...

Thanks as always for any help or suggestions.

Cheers,
_________________
~g
emerge -FML...


Last edited by gr0x0rd on Wed May 20, 2015 11:35 pm; edited 1 time in total
freke
l33t


Joined: 23 Jan 2003
Posts: 974
Location: Somewhere in Denmark

Posted: Sat May 16, 2015 3:42 pm

According to this, main.cf should not have a 'mydestination' when using relay_recipients
http://www200.pair.com/mecham/spam/relay_recipients.html
gr0x0rd
Guru


Joined: 12 Aug 2006
Posts: 311

Posted: Wed May 20, 2015 11:35 pm

Thanks freke, that was just the ticket. I had relay_domains set to $mydestination in my main.conf; once I removed that and the mydestination directive, the recipient lookups started working.

Sure wish I would have stumbled across that document in my searches... Gentoo forums FTW!

Cheers,
_________________
~g
emerge -FML...
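
Added example, not part of the thread and not Postfix's own code: a small checker for the misconfiguration resolved above. It parses main.cf text and reports whether a domain is handled as local or relay, and so which recipient map applies. The sample configs are constructed, inline the domain instead of reading /etc/postfix/relay-domains, and assume that a domain matching mydestination is classified as local before relay_domains is considered.

```python
import re

# Constructed samples modelled on the thread's main.cf; the domain is inlined
# here, whereas the original kept it in the file /etc/postfix/relay-domains.
BROKEN = """local_recipient_maps =
mydestination = gr0x0rd.com
relay_domains = $mydestination
relay_recipient_maps = hash:/etc/postfix/relay-recipients
"""
FIXED = """local_recipient_maps =
relay_domains = gr0x0rd.com
relay_recipient_maps = hash:/etc/postfix/relay-recipients
"""

def parse_main_cf(text):
    """Read 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (s.strip() for s in line.split("=", 1))
            params[last] = value
    return params

def expand(params, name, depth=0):
    """Expand $name / ${name} references, then split the value into items."""
    value = params.get(name, "")
    if depth < 5:  # guard against self-referencing parameters
        value = re.sub(r"\$\{?(\w+)\}?",
                       lambda m: " ".join(expand(params, m.group(1), depth + 1)), value)
    return [v for v in re.split(r"[,\s]+", value) if v]

def audit(text, domain):
    """Return (address class, findings) for one domain."""
    p = parse_main_cf(text)
    local = domain in expand(p, "mydestination")
    relay = domain in expand(p, "relay_domains")
    cls = "local" if local else "relay" if relay else "other"
    findings = []
    if local and relay:
        findings.append("in mydestination and relay_domains: relay_recipient_maps is not used")
    if local and p.get("local_recipient_maps") == "":
        findings.append("local_recipient_maps is empty: unknown recipients are not rejected as unlisted")
    if cls == "relay" and not expand(p, "relay_recipient_maps"):
        findings.append("relay_recipient_maps is empty: unknown recipients are not rejected as unlisted")
    return cls, findings
```

`audit(BROKEN, "gr0x0rd.com")` returns the `local` class with two findings, while `audit(FIXED, "gr0x0rd.com")` returns `relay` with none.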