Postfix: how to reject incoming mail as in Sendmail's "error:nouser"?
I've searched this on the interwebs and although I found many people with the same problem, I couldn't really find a solution.
I've just migrated from Sendmail to Postfix. Since Sendmail was set up to use virtusertable, I have set up Postfix to use virtusertable as well. But that immediately presents a problem. With Sendmail, I was able to reject mail as follows:
Code:
laura@domain1.com error:nouser No such user here!
john@domain1.com john
sue@domain1.com sue
@domain1.com catchall
sales@domain2.com john
support@domain2.com sue
@domain2.com error:nouser No user by the name %1 here!
Postfix, however, doesn't support the "error:nouser" option. I did find one option, however, to do something similar:
There are two problems with this. First of all, this doesn't actually reject the email. It just sends a bounce email. So that means my mail server still has to receive the email in its entirety. The second problem is that I can't specify the catchall (as for domain2 above) here.
So what is the proper way to reject email like Sendmail's "error:nouser" does?
First of all, this doesn't actually reject the email. It just sends a bounce email.
That should reject it. You may have tried sending the message from somewhere in $mynetworks, which was accepted before it hit the check_recipient_access stage.
Quote:
The second problem is that I can't specify the catchall (as for domain2 above) here.
To elaborate on wildcards, you can use them in plain access tables by just listing the domain part of an address without the user@ -- the equivalent of your domain1 wildcard. You don't need pcre for that. But if you want to use a part of the matched address in the response, as is done in your domain2 example, then I think pcre and regexp are your only options.
Second, on my end, postfix does not reject emails for unknown users. It just sends a bounce email back to the sender:
Quote:
This is the mail system at host xxxxx.xxxxx.xxx.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<test@xxxxx.xxx>: mail for xxxxx.xxx loops back to myself
Which, BTW, reveals another problem (the "loops back to myself" message). Maybe I should elaborate on my setup a bit more.
I have 45 virtual hosts on this particular server. They are listed in the file local-host-names like this:
Code:
domain1.com
domain2.com
domain3.com
.
.
.
The server has a bunch of users. Most users have multiple email aliases for multiple virtual hosts. For instance, User1 can have these email addresses: sales@domain1.com, support@domain2.com, user@domain3.com. These aliases are defined in the file virtusertable.db like this:
AFAICT, this works quite well. Mail for each virtual host is accepted and delivered to the right user's mailbox.
But apparently postfix works somewhat differently than sendmail does (of course). When I send mail to an email address not specified in virtusertable.db, the mail isn't rejected but postfix sends back the above bounce mail. I read somewhere that one solution is to add each virtual host to mydestination in main.cf.
1) Is that true? Do I really need to add each virtual host to mydestination? 2) Is the fact postfix does not reject the email but sends a bounce email instead directly related to 1) or is this a separate problem?
To add to billymayday's comment, I think the cause of the problem (bounce rather than rejection) is that you listed the domains in relay_domains without defining relay_recipient_maps. Due to the function of these email addresses, they should probably be part of the Virtual Alias Domains rather than Relay Domains class. You might do something like this, instead:
Second, on my end, postfix does not reject emails for unknown users. It just sends a bounce email back to the sender:
...
But apparently postfix works somewhat differently than sendmail does (of course). When I send mail to an email address not specified in virtusertable.db, the mail isn't rejected but postfix sends back the above bounce mail. I read somewhere that one solution is to add each virtual host to mydestination in main.cf.
Show your postconf -n output, and the relevant log messages showing the bounce. The content of the bounce notification is less useful.
Quote:
Originally Posted by Zippy1970
1) Is that true? Do I really need to add each virtual host to mydestination? 2) Is the fact postfix does not reject the email but sends a bounce email instead directly related to 1) or is this a separate problem?
1. Postfix has several address classes. Domains listed in mydestination are part of the local address class. These would not be virtual addresses.
2. This is not a fact. Postfix will reject messages for unknown users by default. Postfix would only bounce a message after it has accepted it, or if your configuration has non-default notify_classes configured. Your system may be configured to send bounce messages upon reject or other error class.
Again I would like to thank everybody for their help first, it's very much appreciated.
Here is the output of postfix -n, I have replaced my true server name with servername, my true domain name with mydomainname and my server's IP address with xxx.xxx.xxx.xxx, everything else is unchanged:
You might consider merging smtpd_client_restrictions (should that be "check_client_access hash:/etc/postfix/access"?) into smtpd_recipient_restrictions. Also, the access list is traversed in sequence, so you should put things like permit_mynetworks and permit_sasl_authenticated near the top of the list, otherwise some users may be denied by a previous restriction.
As far as sasl and tls, if your clients are using plain-text passwords, you can prevent their transmission in the clear by changing "smtpd_tls_auth_only = no" to "smtpd_tls_auth_only = yes".
See my previous post about rejecting unknown addresses.
This fixed the problem of postfix sending a bounce mail instead of rejecting the mail. I'm still unclear however why there's a need for relay_domains at all since the same result can be achieved with virtual_alias_maps...
This only leaves me with the problem that I want to be able to reject mail for a specific recipient. I know that postfix by default rejects mail for unknown recipients but consider the following (Sendmail) virtusertable snippet:
Code:
sales@mydomain.com john
support@mydomain.com sue
junk@mydomain.com error:nouser
@mydomain.com carl
As you can see, I actually want to accept anything sent to mydomain.com, except mail for junk@mydomain.com.
Is the proper way to do it, to create a file recipient_access.db:
This, however, does not work. I just get a bounce mail saying the user "nosuchuser@servername.mydomain.com" is not found. Why? Is that because servername.mydomain.com is listed in $mydestination?
If I put "junk@" and "spam@" in recipient-access, the mail is properly rejected.
Create a check_recipient_access table, and specifically exclude the desired user.
Code:
main.cf:
    check_recipient_access hash:/etc/postfix/denied_recipients

/etc/postfix/denied_recipients:
    # never place an OK here, or this will make your server an open relay
    # see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger
    #
    junk@mydomain.com REJECT recipient rejected
    spam@mydomain.com REJECT recipient rejected
Place this restriction before permit_mynetworks, but see warning above.
Move reject_unauth_pipelining into smtpd_data_restrictions. It has no purpose in any other smtpd_*_restriction.
Move reject_unauth_pipelining into smtpd_data_restrictions. It has no purpose in any other smtpd_*_restriction.
Will do, thanks for the tip.
Quote:
Create a check_recipient_access table, and specifically exclude the desired user.
Well, that's exactly what I did. And I know I can exclude specific clients by listing them in the check_recipient_access table. But the reason I want to do it the way I'm suggesting in my previous post (aliasing the recipient to user "nosuchuser" first, then block mail for "nosuchuser" instead), is so I can keep all recipients in a single table (like Sendmail does) and to make it easier to change the action taken for a blocked recipient (since I then only have to change the action for "nosuchuser").
Hope that made sense. English is not my native language so sometimes explaining something can be a bit difficult for me.
Edit: I think the problem is that Postfix only checks the smtpd_recipient_restrictions once. For instance, if I have this in my virtusertable:
Code:
john@mydomain.com doe@mydomain.com
it will check john@mydomain.com against smtpd_recipient_restrictions, but not doe@mydomain.com.
Edit 2: Suppose I have something like this in my virtusertable:
Code:
support@mydomain.com john
causing postfix to hand the mail over to the local delivery agent. What I don't get is why it then completely ignores all rules for local delivery. For instance, it completely ignores $local_recipient_maps.
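The single-table workflow asked about above, as an added example that is not part of the original thread: a Python converter that reads one Sendmail-style virtusertable and splits it into a Postfix virtual alias table and a check_recipient_access table, turning per-address error:nouser entries into REJECT lines. The function name convert, the sample data and the printed layout are assumptions made for illustration.

```python
import re

# Constructed sample in Sendmail virtusertable syntax, modelled on the thread's tables.
SAMPLE = """\
sales@mydomain.com      john
support@mydomain.com    sue
junk@mydomain.com       error:nouser No such user here!
@mydomain.com           carl
sales@domain2.com       john
@domain2.com            error:nouser No user by the name %1 here!
"""

def convert(virtusertable):
    """Return (virtual_lines, denied_lines, domains) for Postfix. Hypothetical helper."""
    virtual, denied, domains = [], [], []
    for lineno, raw in enumerate(virtusertable.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or "@" not in parts[0]:
            raise ValueError(f"line {lineno}: expected 'address target'")
        addr, target = parts
        domain = addr.rpartition("@")[2].lower()
        if domain not in domains:
            domains.append(domain)
        err = re.match(r"error:\S+\s*(.*)", target)
        if err is None:
            # Ordinary alias or catch-all: goes to the virtual alias table.
            virtual.append(f"{addr} {target}")
        elif addr.startswith("@"):
            # Domain-wide error: emit nothing. Without a catch-all, Postfix
            # already rejects unlisted recipients at RCPT TO.
            continue
        else:
            # Single blocked address: must be refused before the catch-all
            # can match, so it goes to the check_recipient_access table.
            denied.append(f"{addr} REJECT {err.group(1) or 'recipient rejected'}")
    return virtual, denied, domains

if __name__ == "__main__":
    virtual, denied, domains = convert(SAMPLE)
    print("virtual_alias_domains =", " ".join(domains))
    print("\n".join(["# virtual"] + virtual + ["# denied_recipients"] + denied))
```

Write each list to its own file, run postmap on it, and list the access table in smtpd_recipient_restrictions ahead of any permit rule so the REJECT is evaluated first.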