Postfix: how to reject incoming mail as in Sendmail's "error:nouser"?

Zippy1970 · 09-23-2008, 04:26 PM

I've searched this on the interwebs and although I found many people with the same problem, I couldn't really find a solution.

I've just migrated from Sendmail to Postfix. Since Sendmail was setup to use virtusertable, I have setup Postfix to use virtusertable as well. But that immediately presents a problem. With Sendmail, I was able to reject mail as follows:

Code:

laura@domain1.com       error:nouser No such user here!
john@domain1.com        john
sue@domain1.com         sue
@domain1.com            catchall

sales@domain2.com       john
support@domain2.com     sue
@domain2.com            error:nouser No user by the name %1 here!

Postfix however, doesn't support the "error:nouser" option. I did find one option however to do something similar:

In main.cf:

Code:

smtpd_recipient_restrictions = (...), check_recipient_access hash:/etc/postfix/recipient_access, (...)

And in file recipient_access:

Code:

laura@domain1.com       550 No such user here!

There are two problems with this. First of all, this doesn't actually reject the email. It just sends a bounce email. So that means my mail server still has to receive the email in its entirety. The second problem is that I can't specify the catchall (as for domain2 above) here.

So what is the proper way to reject email like Sendmail's "error:nouser" does?

Thanks in advance.

Berhanie · 09-24-2008, 12:00 AM

Quote:

First of all, this doesn't actually reject the email. It just sends a bounce email.

That should reject it. You may have tried sending the message from somewhere in $mynetworks, which was accepted before
it hit the check_recipient_access stage.

Quote:

The second problem is that I can't specify the catchall (as for domain2 above) here.

You can use pcre table.

Mr. C. · 09-24-2008, 01:02 AM

Postfix will reject all unlisted recipients by default, so unless you are using domain wildcards, you can just remove that recipient.

As Berhanie mentioned, Postfix will reject the message, not create a bounce.

You can use the keyword REJECT instead of 550. If you want a specific code, of course you can use it.

Either a pcre or regexp recipient access table will allow your wildcard:

/@mydomain\.com$/ someuser@myotherdomain.com

Berhanie · 09-24-2008, 07:29 AM

To be elaborate on wildcards, you can use them in plain access tables by just listing the domain part of an address without the user@ -- the equivalent of your domain1 wildcard. You don't need pcre for that. But, if you want to use a part of the matched address in the response, as is done your the domain2 example, then i think pcre and regexp are your only options.

Zippy1970 · 09-28-2008, 07:38 PM

First of all, thank you all for your answers.

Second, on my end, postfix does not reject emails for unknown users. It just sends a bounce email back to the sender:

Quote:

This is the mail system at host xxxxx.xxxxx.xxx.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<test@xxxxx.xxx>: mail for xxxxx.xxx loops back to myself

Which, BTW, reveals another problem (the "loops back to myself" message). Maybe I should elaborate on my setup a bit more.

I have 45 virtual hosts on this particular server. They are listed in the file local-host-names like this:

Code:

domain1.com
domain2.com
domain3.com
   .
   .
   .

The server has a bunch of users. Most users have multiple email aliases for multiple virtual hosts. For instance, User1 can have these email addresses: sales@domain1.com, support@domain2.com, user@domain3.com. These aliases are defined in the file virtusertable.db like this:

Code:

sales@domain1.com          User1
support@domain2.com        User1
user@domain3.com           User1
   .
   .
   .

Both local-host-names and virtusertable.db are taken directly from the old sendmail installation.

In main.cf, I have these lines:

Code:

virtual_maps = hash:/etc/postfix/virtusertable
relay_domains = /etc/postfix/local-host-names

AFAICT, this works quite well. Mail for each virtual host is accepted and delivered to the right user's mailbox.

But apparently postfix works somewhat different than sendmail does (of course). When I send mail to an email address not specified in virtusertable.db, the mail isn't rejected but postfix sends back the above bounce mail. I read somewhere that one solution is to add each virtual host to mydestination in main.cf.

1) Is that true? Do I really need to add each virtual host to mydestination?
2) Is the fact postfix does not reject the email but sends a bounce email instead directly related to 1) or is this a seperate problem?

billymayday · 09-28-2008, 08:30 PM

virtual domain s should no be listed as mydestinations. This is specifically dealt with here http://www.postfix.org/VIRTUAL_README.html

Quote:

NEVER list a virtual MAILBOX domain name as a mydestination domain!

For the other issue, post

postconf -n

Berhanie · 09-28-2008, 08:45 PM

To add to billymayday's comment, I think the cause of the problem (bounce rather than rejection) is that you listed the domains in relay_domains without defining relay_recipient_maps. Due to the function of these email addresses, they should probably be part of the Virtual Alias Domains rather than Relay Domains class. You might do something like this, instead:

Code:

virtual_alias_domains = /etc/postfix/local-host-names
virtual_alias_maps = hash:/etc/postfix/virtusertable

Note that an entry of the form

Code:

sales@domain1.com          User1

tacks on $myorigin to User1, since you did not specify a full user@domain address.

Mr. C. · 09-28-2008, 10:37 PM

Quote:

Originally Posted by Zippy1970

Second, on my end, postfix does not reject emails for unknown users. It just sends a bounce email back to the sender:

...

But apparently postfix works somewhat different than sendmail does (of course). When I send mail to an email address not specified in virtusertable.db, the mail isn't rejected but postfix sends back the above bounce mail. I read somewhere that one solution is to add each virtual host to mydestination in main.cf.

Show your postconf -n output, and the relevant log messages showing the bounce. The content of the bounce notification is less useful.

Quote:

Originally Posted by Zippy1970

1) Is that true? Do I really need to add each virtual host to mydestination?
2) Is the fact postfix does not reject the email but sends a bounce email instead directly related to 1) or is this a seperate problem?

1. Postfix has several address classes. Domains listed in mydestination are part of the local address class. These would not be virtual addresses.

2. This is not a fact. Postfix will reject messages for unknown users by default. Postfix would only bounce a message after it has accepted it, or if your configuration has non-default notify_classes configured. Your system may be configured to send bounce messages upon reject or other error class.

Show postconf -n, so we don't have to speculate.

Zippy1970 · 09-29-2008, 05:01 AM

Again I would like to thank everybody for their help first, it's very much appreciated.

Here is the output of postfix -n, I have replaced my true server name with servername, my true domain name with mydomainname and my server's IP address with xxx.xxx.xxx.xxx, everything else is unchanged:

Quote:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
mailbox_command =
mailbox_size_limit = 0
multi_recipient_bounce_reject_code = 554
mydestination = servername.mydomainname.com, localhost.mydomainname.com, localhost.localdomain, localhost
myhostname = servername.mydomainname.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
non_fqdn_reject_code = 554
recipient_delimiter = +
relay_domains = /etc/postfix/local-host-names
relay_domains_reject_code = 554
relayhost =
smtp_bind_address = xxx.xxx.xxx.xxx
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject _rbl_client dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

I noticed one settings is not listed with postconf -n even though it can be found in main.cf, so I've listed it here:

Quote:

virtual_maps = hash:/etc/postfix/virtusertable

Berhanie · 09-29-2008, 07:05 AM

You might consider merging smtpd_client_restrictions (should that be "check_client_access hash:/etc/postfix/access"?) into smtpd_recipient_restrictions. Also, the access list is traversed in sequence, so you should
put things like permit_mynetworks and permit_sasl_authenticated near the top of the list, otherwise some users
may be denied by a previous restriction.

As far as sasl and tls, if your clients are using plain-text passwords, you can prevent their transmission
in the clear by changing "smtpd_tls_auth_only = no" to "smtpd_tls_auth_only = yes".

See my previous post about rejecting unknown addresses.

Zippy1970 · 09-29-2008, 04:05 PM

Ok, I've changed this:

Code:

relay_domains = /etc/postfix/local-host-names
virtual_maps = hash:/etc/postfix/virtusertable

to this:

Code:

virtual_alias_domains = /etc/postfix/local-host-names
virtual_alias_maps = hash:/etc/postfix/virtusertable

This fixed the problem of postfix sending a bounce mail instead of rejecting the mail. I'm still unclear however why there's a need for relay_domains at all since the same result can be achieved with virtual_alias_maps...

This only leaves me with the problem I want to be able to reject mail for a specific recipient. I know that postfix by default rejects mail for unknown recipients but consider the following (Sendmail) virtusertable snippet:

Code:

sales@mydomain.com        john
support@mydomain.com      sue
junk@mydomain.com         error:nouser
@mydomain.com             carl

As you can see, I actually want to accept anything sent to mydomain.com, except mail for junk@mydomain.com.

Is the proper way to do it, to create a file recipient_access.db:

Code:

junk@mydomain.com       550 No such user here!

Then put in main.cf:

Code:

smtpd_recipient_restrictions = (...), check_recipient_access hash:/etc/postfix/recipient_access, (...)

?

Zippy1970 · 09-29-2008, 04:31 PM

Quote:

Originally Posted by Berhanie

(should that be "check_client_access hash:/etc/postfix/access"?)

Yes, thanks! Another config error I missed.

Zippy1970 · 09-29-2008, 05:28 PM

My apologies for posting yet another question, but I thought I was being clever by doing this:

virtusertable:

Code:

junk@mydomain.com    nosuchuser
spam@mydomain.com    nosuchuser

recipient-access:

Code:

nosuchuser@          550 No such user here!

main.cf:

Code:

virtual_alias_maps = hash:/etc/postfix/virtusertable
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient-access

This however, does not work. I just get a bounce mail the user "nosuchuser@servername.mydomain.com" is not found. Why? Is that because servername.mydomain.com is listed in $mydestination?

If I put "junk@" and "spam@" in recipient-access, the mail is properly rejected.

Mr. C. · 09-29-2008, 11:52 PM

Create a check_recipient_access table, and specifically exclude the desired user.

Code:

main.cf:
    check_recipient_access hash:/etc/postfix/denied_recipients

/etc/postfix/denied_recipients:
    # never place an OK here, or this will make your server an open relay
    # see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger
    #
    junk@mydomain.com       REJECT recipient rejected
    spam@mydomain.com       REJECT recipient rejected

Place this restriction before permit_mynetworks, but see warning above.

Move reject_unauth_pipelining into smtpd_data_restrictions. It has no purpose in any other smtpd_*_restriction.

Zippy1970 · 09-30-2008, 06:07 AM

Quote:

Originally Posted by Mr. C.

Move reject_unauth_pipelining into smtpd_data_restrictions. It has no purpose in any other smtpd_*_restriction.

Will do, thanks for the tip.

Quote:

Create a check_recipient_access table, and specifically exclude the desired user.

Well, that's exactly what I did. And I know I can exclude specific clients by listing them in the check_recipient_access table. But the reason I want to do it the way I'm suggesting in my previous post (aliasing the recipient to user "nosuchuser" first, then block mail for "nosuchuser" instead), is so I can keep all recipients in a single table (like Sendmail does) and to make it easier to change the action taken for a blocked recipient (since I then only have to change the action for "nosuchuser").

Hope that made sense. English is not my native language so sometimes explaining something can be a bit difficult for me.

Edit: I think the problem is that Postfix only checks the smtpd_recipient_restrictions once. For instance, if I have this in my virtusertable:

Code:

john@mydomain.com        doe@mydomain.com

it will check john@mydomain.com against smtpd_recipient_restrictions, but not doe@mydomain.com.

Edit 2: Suppose I have something like this in my virtusertable:

Code:

support@mydomain.com     john

causing postfix to hand the mail over to the local delivery agent. What I don't get is why it then completely ignores all rules for local delivery. For instance, it completely ignores $local_recipient_maps.