Old 09-30-2008, 11:00 AM   #16
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625


Zippy1970, this is in response to your post #11 above.

Quote:
As you can see, I actually want to accept anything sent to mydomain.com, except mail for junk@mydomain.com.
You can do this with pcre tables:
Code:
virtual_alias_maps = pcre:/etc/postfix/virtusertable
and, virtusertable is:
Code:
/^sales@mydomain\.com$/        john
/^support@mydomain\.com$/      sue
/(?<!^junk)@mydomain\.com$/             carl
This does the equivalent of sendmail
Quote:
sales@mydomain.com john
support@mydomain.com sue
junk@mydomain.com error:nouser
@mydomain.com carl

Last edited by Berhanie; 09-30-2008 at 11:01 AM.
 
Old 09-30-2008, 11:19 AM   #17
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

It would be best to leave your Sendmail concepts behind, and start learning to think in terms of how Postfix works. You can do what you want.

Yes, postfix runs through the list of smtpd_*_restrictions once per message. But a virtual alias is recursively expanded. You have:

mydestination = servername.mydomainname.com, localhost.mydomainname.com, localhost.localdomain, localhost
myhostname = servername.mydomainname.com

But your mail address examples show:

mydomain.com

Either this is a typo, or is incorrect in your main.cf, but we can't debug inconsistent input/output and configuration. This is why it is necessary to show postconf -n and mail log lines relevant to the problem, when the problem occurs.

From your Edit 2: the virtual alias will map john to john@$myorigin if the default append_at_myorigin is set.

Again, repeat postconf -n, and log lines, which transcends language weakness. :-)
 
Old 09-30-2008, 11:20 AM   #18
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Quote:
It would be best to leave your Sendmail concepts behind, and start learning to think in terms of how Postfix works.
Exactly. Well said, Mr. C.!
 
Old 09-30-2008, 04:00 PM   #19
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Quote:
Originally Posted by Mr. C.
It would be best to leave your Sendmail concepts behind, and start learning to think in terms of how Postfix works.
I'm trying, I'm trying!

But it isn't easy. I went from Sendmail to Postfix because everybody told me it was so much easier to configure than Sendmail. So far it has turned out to be a lot more complicated - at least for the tasks I'm trying to accomplish.

Quote:
mydestination = servername.mydomainname.com, localhost.mydomainname.com, localhost.localdomain, localhost
myhostname = servername.mydomainname.com

But your mail address examples show:

mydomain.com
That's me being confusing. But it's not a typo. In fact, it doesn't matter if it's a typo or not because the situation is the same for virtual domains and for mydestination domains.

Quote:
From your Edit 2: the virtual alias will map john to john@$myorigin if the default append_at_myorigin is set.
append_at_myorigin is set to "yes" (in fact, it isn't set at all so it's defaulting to "yes"). But it shouldn't matter if it's expanded or not.

I'll try to explain a bit better in a new message so as not to make this even more confusing than it already is, so please bear with me.

Oh, and let me thank you again for taking the time helping this "noob"...
 
Old 09-30-2008, 06:10 PM   #20
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Goal
To handle mail for several users. Each user receives mail at several different virtual domains. Users only use virtual names in email addresses - never their *nix account names. Mail directed at specific addresses or users should be rejected - not bounced. Some mail needs to be redirected to another mailserver running on a non-standard port (10025) on a different machine.


Domains
As an example, I will use the following domain names (in reality, there are 45):
Code:
mydomain.com            (main domain)
virtualdomain1.com      (virtual domain)
virtualdomain2.com      (virtual domain)
otherserver.com         (the other mailserver)

*nix Account Names
As an example, I will use usernames like "User1", "User2", "User3" for existing *nix account names. All other names I use (like "NoSuchUser") in this example can be considered "non-existing".


postconf -n
This is the true output of postconf -n, but with my true domain names and IP address replaced (they will be displayed in grey):
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
mailbox_command =
mailbox_size_limit = 0
multi_recipient_bounce_reject_code = 554
mydestination = servername.mydomain.com, localhost.mydomain.com, localhost.localdomain, localhost
myhostname = servername.mydomain.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
non_fqdn_reject_code = 554
recipient_delimiter = +
relay_domains_reject_code = 554
relayhost =
smtp_bind_address = xxx.xxx.xxx.xxx
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org,
                            reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net,
                            reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, reject_invalid_hostname,
                               reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks,
                               permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
                               reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net,
                               reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_domains = /etc/postfix/local-host-names
virtual_alias_maps = hash:/etc/postfix/virtusertable

local-host-names
Code:
mydomain.com
virtualdomain1.com
virtualdomain2.com

virtusertable
Code:
#####################
# mydomain.com      #
# (catchall: User3) #
#####################
john@mydomain.com           User1
sales@mydomain.com          User1
support@mydomain.com        User2
list@mydomain.com           NoSuchUser
news@mydomain.com           NoSuchUser
spam@mydomain.com           NoSuchUser
junk@mydomain.com           NoSuchUser@mydomain.com
@mydomain.com               User3

######################
# virtualdomain1.com #
# (no catchall)      #
######################
john@virtualdomain1.com     User1
sales@virtualdomain1.com    User4
pda@virtualdomain1.com      john@otherserver.com
support@virtualdomain1.com  User2

######################
# virtualdomain2.com #
# (catchall: User5)  #
######################
j.j@virtualdomain2.com      User1
sales@virtualdomain2.com    User1
private@virtualdomain2.com  chris@otherserver.com
groups@virtualdomain2.com   NoSuchUser
forum@virtualdomain2.com    NoSuchUser
marc@virtualdomain2.com     NoSuchUser
ann@virtualdomain2.com      NoSuchUser
junk@virtualdomain2.com     NoSuchUser
@virtualdomain2.com         User5

recipient_access
Code:
NoSuchUser@                 550 No such user here!

transport
Code:
otherserver.com            smtp:[otherserver.com]:10025

The Problems

1) When I send an email to spam@mydomain.com, (or any other address that is redirected to NoSuchUser) the mail isn't rejected. Instead I receive a bounce mail:

Code:
Mail header

Final-Recipient: rfc822; NoSuchUser@servername.mydomain.com
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Postfix; unknown user: "NoSuchUser"

Log lines

Sep 30 23:54:30 servername postfix/pipe[4464]: A10B3228CF: to=<NoSuchUser@servername.mydomain.com>,
                orig_to=<spam@mydomain.com>, relay=spamassassin, delay=1.8, delays=1.2/0/0/0.57,
                dsn=2.0.0, status=sent (delivered via spamassassin service)
Sep 30 23:54:30 servername postfix/qmgr[4357]: A10B3228CF: removed
Sep 30 23:54:30 servername postfix/pickup[4356]: 8F15C228CF: uid=1047 from=<me@hotmail.com>
Sep 30 23:54:30 servername postfix/cleanup[4461]: 8F15C228CF: message-id=<BAY135-
                W43EJI8903JOOSI98DJ87830@phx.gbl>
Sep 30 23:54:30 servername postfix/qmgr[4357]: 8F15C228CF: from=<me@hotmail.com>, size=2047,
                nrcpt=1 (queue active)
Sep 30 23:54:30 servername postfix/local[4468]: 8F15C228CF: to=<NoSuchUser@servername.mydomain.com>,
                relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=5.1.1, status=bounced
                (unknown user: "nosuchuser")
Sep 30 23:54:30 servername postfix/cleanup[4461]: 94F59228D7: message-id=<20080930215430.
                94F59228D7@servername.mydomain.com>
Sep 30 23:54:30 servername postfix/qmgr[4357]: 94F59228D7: from=<>, size=3810, nrcpt=1 (queue active)
Sep 30 23:54:30 servername postfix/bounce[4469]: 8F15C228CF: sender non-delivery notification:
                94F59228D7
Sep 30 23:54:30 servername postfix/qmgr[4357]: 8F15C228CF: removed
Sep 30 23:54:31 servername postfix/smtp[4365]: 94F59228D7: to=<me@hotmail.com>, relay=
                mx1.hotmail.com[65.54.245.8]:25, delay=1.3, delays=0.01/0/0.55/0.71, dsn=2.0.0,
                status=sent (250 <20080930215430.94F59228D7@servername.mydomain.com> Queued mail for
                delivery)
Sep 30 23:54:31 servername postfix/qmgr[4357]: 94F59228D7: removed
This is not what I expect. I expect mail to user "NoSuchUser" to be caught by check_recipient_access hash:/etc/postfix/recipient_access.

2) When I send mail to NoSuchUser@mydomain.com, the mail is rejected with the message "No such user here!" - as expected because it is properly caught by check_recipient_access hash:/etc/postfix/recipient_access. But when I send mail to junk@mydomain.com, which is redirected to NoSuchUser@mydomain.com, it arrives in User3's mailbox (the catchall). This is not expected. I expect it to be rejected.


Possible Solutions

A) List every single mail address that should be rejected in recipient_access. This works but it's impractical since such a setup is prone to mistakes (you constantly need to cross-check recipient_access and virtusertable).

B) Use a pcre table. Slow (I think, since my virtusertable contains almost 400 entries) and impractical because it's cumbersome to list all email addresses which you want to reject if the domain has a catchall (some domains with a catchall have dozens of addresses that need to be rejected). But in all honesty I haven't experimented with this yet. The advantage is however that you have everything in a single file.


My Question

(Finally!) So what is the proper way to do this? I would love to do it the way I propose above: redirect all mail that needs to be rejected to a single account (existing or non-existing) like "NoSuchUser" then set the action for this user to "REJECT". But I'm starting to suspect this isn't possible - or is it?
 
Old 09-30-2008, 07:25 PM   #21
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

In this instance, you've sent mail via sendmail (the key is pickup)

Code:
Sep 30 23:54:30 servername postfix/pickup[4356]: 8F15C228CF: uid=1047 from=<me@hotmail.com>
Sep 30 23:54:30 servername postfix/cleanup[4461]: 8F15C228CF: message-id=<BAY135-
                W43EJI8903JOOSI98DJ87830@phx.gbl>
Sep 30 23:54:30 servername postfix/qmgr[4357]: 8F15C228CF: from=<me@hotmail.com>, size=2047,
                nrcpt=1 (queue active)
Sep 30 23:54:30 servername postfix/local[4468]: 8F15C228CF: to=<NoSuchUser@servername.mydomain.com>,
                relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=5.1.1, status=bounced
                (unknown user: "nosuchuser")
The sendmail binary does not perform SMTP - it drops mail into postfix's queue via pickup. There is no chance to reject. Rejection occurs only during SMTP conversations and sendmail has none. Postfix can only bounce in this case.

Sending mail to junk@mydomain.com - junk@mydomain.com rewrites to NoSuchUser@mydomain.com; this is done by the cleanup daemon, and is AFTER smtpd_*_checks, therefore it cannot be rejected by smtpd in the way you desire. junk@mydomain.com is a valid email address - you listed it, so it is accepted.

The problem you are having is that you want your cake and want to eat it too. You have a wildcard, which defeats recipient validation, so all recipients are considered valid by Postfix. You also want to invalidate some recipients in that wildcarded domain, but don't want to use the standard mechanisms, and want to do it after address rewriting, which is too late. If you want to wildcard, and want to list invalid recipients, you need to list all the recipients you want to be as invalid in an access table. If you feel this is prone to mistakes, that's what makefiles are for, or program a tool to populate your tables.

You will not notice any degradation in performance with a mere 400 recipients in a pcre table - this is a small installation. Again, generate the lists via some tool.

Postfix does not have a "virtual user table". It has address classes: local, virtual mailbox domains, virtual alias domains, relay domains. You are confusing Sendmail style virtual user tables with Postfix's virtual aliases and virtual alias domains. Furthermore, you have a file called local-host-names, which really is a list of virtual alias domains. This is confusing, because of the aforementioned address class name of "local" (vs. virtual alias domains).
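The ordering described in the post above (check_recipient_access sees the recipient as given at RCPT TO, and virtual alias rewriting only happens later in cleanup) can be checked mechanically. The following Python lint is an added example, not code from the thread: it flags virtual alias entries that point at the placeholder target but have no SMTP-time reject for the original address, which are the ones that end up bounced or delivered to the catchall. The name `SENTINEL`, the function names and the abridged sample tables are assumptions constructed from the tables posted earlier; the access lookup is modelled as full address, then domain, then `user@`.

```python
"""Lint a Postfix virtual alias table against a recipient access table."""

SENTINEL = "nosuchuser"  # assumption: the thread's placeholder "reject me" target

# Constructed sample, abridged from the virtusertable posted in the thread.
VIRTUAL = """\
john@mydomain.com           User1
spam@mydomain.com           NoSuchUser
junk@mydomain.com           NoSuchUser@mydomain.com
@mydomain.com               User3
groups@virtualdomain2.com   NoSuchUser
@virtualdomain2.com         User5
"""

# Constructed sample: the thread's single entry plus one explicit reject.
ACCESS = """\
NoSuchUser@                 550 No such user here!
spam@mydomain.com           550 No such user here!
"""


def parse_table(text):
    """Return {lowercased key: value} for a hash-style table, skipping comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1]
    return table


def smtp_time_action(rcpt, access):
    """Action smtpd would find for the ORIGINAL recipient, before any rewriting."""
    local, _, domain = rcpt.lower().partition("@")
    for key in (f"{local}@{domain}", domain, f"{local}@"):
        if key in access:
            return access[key]
    return None


def is_reject(action):
    """True for REJECT or a 4xx/5xx reply code."""
    return action is not None and action.upper().startswith(("REJECT", "4", "5"))


def unrejected_sentinels(virtual, access):
    """Addresses aliased to SENTINEL that smtpd would still accept."""
    missed = []
    for addr, value in virtual.items():
        if addr.startswith("@"):  # catchall entries are not candidates
            continue
        targets = [t.strip() for t in value.split(",") if t.strip()]
        to_sentinel = all(t.partition("@")[0].lower() == SENTINEL for t in targets)
        if to_sentinel and not is_reject(smtp_time_action(addr, access)):
            missed.append(addr)
    return missed


if __name__ == "__main__":
    for addr in unrejected_sentinels(parse_table(VIRTUAL), parse_table(ACCESS)):
        print(f"accepted at SMTP time, never rejected: {addr}")
```

Run against the real files, an empty result means every address meant to be refused is refused during the SMTP conversation rather than generating a bounce afterwards.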
 
Old 09-30-2008, 07:58 PM   #22
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
So in short, there's no easy way to do this without the help of some tools. That's ok with me, I can easily write a Perl script that parses a Sendmail style virtusertable and creates files to feed to Postfix.

But I am slightly disappointed. Doing what I want to do is easy in Sendmail - almost trivial. So far my experience is the opposite of what I have been reading everywhere - that Postfix is so much easier to configure than Sendmail.

Don't get me wrong, I don't want to go back to Sendmail but that's where I came from so it's going to take a while to switch my mindset to "the Postfix way".
 
Old 09-30-2008, 08:09 PM   #23
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Each piece of software has its own strengths and weaknesses. It simply isn't valid to compare one feature against another and assume that it holds true for all features across the board.

Postfix is easy enough to configure, but it does require reading some documentation to do so successfully. It is much more difficult when one tries to push Sendmail concepts into Postfix. And Sendmail will be trivial for you to configure because you are experienced with it. But it is not easy for others less experienced. Have you examined the size of the O'Reilly Sendmail book!

It would be VERY worth your while to a) get The Book of Postfix, and/or b) read and re-read the Postfix documentation starting here: http://www.postfix.org/documentation.html. There is a lot to learn.

Postfix's aim is to transfer and deliver mail and do so as securely as possible. Simplicity in configuration is also a factor. This doesn't mean it has built-in, programmatic recipient list generation. But there are plenty of features that Sendmail does not provide that Postfix does.
 
Old 10-01-2008, 12:01 AM   #24
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Quote:
it's cumbersome to list all email addresses which you want to reject if the domain has a catchall
With the sendmail table, you are in fact testing each address you want to reject before it hits the catchall:
Code:
john@mydomain.com           User1
sales@mydomain.com          User1
support@mydomain.com        User2
list@mydomain.com           error:nouser
news@mydomain.com           error:nouser
spam@mydomain.com           error:nouser
junk@mydomain.com           error:nouser
@mydomain.com               User3
Constructing such a table takes just as much effort as, and is algorithmically similar to,
this postfix version using pcre:
Code:
/^john@mydomain\.com$/           User1
/^sales@mydomain\.com$/          User1
/^support@mydomain\.com$/        User2
if !/^list@mydomain\.com$/
if !/^news@mydomain\.com$/
if !/^spam@mydomain\.com$/
if !/^junk@mydomain\.com$/
/.*@mydomain\.com$/               User3
endif
endif
endif
endif
 
Old 10-01-2008, 08:20 AM   #25
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Well, for now I've written a Perl script that takes a Sendmail-style virtusertable, and creates two other files (virt-user-table and recipient_access) that can be fed to Postfix.

The reason I'm not going for the pcre table is because other programs read the virtusertable too and they don't understand pcre style tables.

Perhaps others can use this script too, so I'm posting it here. Mind you, it took me about 30 minutes to write and test this so don't shoot me if you think it's coded inefficiently (although I doubt it is).

Code:
#!/usr/bin/perl

# This script splits a Sendmail style virtusertable into two files that can be used by Postfix.

my $sendmail_vut    = "/etc/postfix/virtusertable";    # Name of Sendmail style virtusertable used as input

my $postfix_vut     = "/etc/postfix/virt-user-table";  # Name of Postfix style virtusertable used as output
my $postfix_rat     = "/etc/postfix/recipient_access"; # Name of postfix style recipient access table used as output

my $includecommentsvut = "yes"; # If set to "yes" will include comments from the original file in the new virtusertable
my $includecommentsrat = "no";  # If set to "yes" will include comments from the original file in the new recipient_access file
my $rat_seperator      = "#### Everyting Below this line was generated by makeconfig.pl. Do not change!!! ####";

my @orgratable = ();
if( open( RATABLE, "$postfix_rat" ) ) {
  foreach $line (<RATABLE>) {
    chomp( $line );
    if( $line eq $rat_seperator ) {
      last;
    }
    $orgratable[ $#orgratable + 1 ] = "$line\n";
  }
  close( RATABLE );
}

if( ! open( TABLE, "$sendmail_vut" ) ) {
  error( "can't open $sendmail_vut for input.");
}

my @newvutable = ();  # New virtusertable
my @newratable = ();  # New recipient-access table

foreach $line (<TABLE>) {
  chomp( $line );
  $thisline = trim( $line );
  if( $thisline ne "" && substr( $thisline, 0, 1 ) ne "#" ) {
    # collapse every run of whitespace (spaces or tabs) into a single space
    $thisline =~ s/\s+/ /g;
    my ($email, $alias, @errormessage) = split( / /, $thisline );
    if( lc( substr( $alias, 0, 6 ) ) eq "error:" ) {
      # With sendmail, you can rewrite email addresses for a domain, *and* define a reject
      # for the catchall like this:
      #
      #   john@domain.com       mb_john
      #   chris@domain.com      mb_chris
      #   @domain.com           error:nouser No such user here!
      #
      # Postfix does not support this. So comment the line, then put it in recipient_access
      # Postfix rejects an unknown address anyway if no catchall is specified.
      my $comment = substr( $email, 0, 1 ) eq "@" ? "# " : "";
      my $error = (split( /:/, $alias ))[1];
      if( lc( $error ) eq "nouser" ) {
        $newratable[ $#newratable + 1 ] = "$comment$email\t\t550 @errormessage";
      } else {
        $newratable[ $#newratable + 1 ] = "$comment$email\t\t$error @errormessage";
      }
    } else {
      $newvutable[ $#newvutable + 1 ] = $line;
    }
  } else {
    $newvutable[ $#newvutable + 1 ] = $line if( lc($includecommentsvut) eq "yes" );
    $newratable[ $#newratable + 1 ] = $line if( lc($includecommentsrat) eq "yes" );
  }
}

close( TABLE );

if( ! open( OUTVUT, ">$postfix_vut" ) ) {
  error( "can't open $postfix_vut for output." );
}
if( ! open( OUTRAT, ">$postfix_rat" ) ) {
  close( OUTVUT );
  error( "can't open $postfix_rat for output." );
}

print OUTVUT join( "\n", @newvutable );
print OUTRAT @orgratable;
print OUTRAT "$rat_seperator\n\n";
print OUTRAT join( "\n", @newratable );

close( OUTVUT );
close( OUTRAT );

print "Done.\n\n";

sub error {
  my $message = shift;
  print "Error: $message\n";
  exit( -1 );  
}

sub trim {
  my $string = shift;
  $string =~ s/^\s+//;
  $string =~ s/\s+$//;
  return $string;
}

Last edited by Zippy1970; 10-01-2008 at 08:23 AM.
 
  

