LinuxQuestions.org


Scott8 04-27-2010 01:30 PM

Postfix - messages from invalid domains getting through
 
We're using Postfix on a SuSE Linux system as our first line of defense to filter incoming email; the mail is subsequently passed on to another internal system. There are messages *to* users in invalid domains slipping through and I'm not sure why. By "invalid domains" I mean domains which are not part of my organization, such as sesmail.com, psv.nl, yifan.com, etc. The invalid domains in question are not listed in the relay_domains section of the main.cf file, nor are there any users listed in the relay_recipients file @ any of the invalid domains. Any Postfix experts out there have a suggestion on what to check / look for?

Thanks in advance
Scott

Here's the main.cf file:
Note, I've removed commented out info and I've changed the data under relay_domains and myhostname.

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
relay_domains = <my domain>
    <my 2nd domain>
    <my 3rd domain>
    <my 4th domain>
    <my 5th domain>

relay_recipient_maps = hash:/etc/postfix/relay_recipients
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = ipv4
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = <THIS SERVER NAME>
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains =
mydestination = $myhostname, localhost.$mydomain
defer_transports =
disable_dns_lookups = no
relayhost = [127.0.0.1]:10024
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain, hash:/etc/postfix/whitelist_senders
smtpd_client_restrictions = reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_helo_required = yes
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 25600000
smtp_helo_timeout = 120
smtp_data_init_timeout = 10m
smtp_data_xfer_timeout = 10m

AlucardZero 04-27-2010 01:47 PM

Look into smtpd_recipient_restrictions, specifically "reject_unknown_recipient_domain"

Scott8 04-29-2010 08:42 AM

Thanks but that didn't fix it.

The mail logs show destination addresses like this:
<iqajikyye5444@chello.nl> -> <usera@mydomain.com>
<211348@ilikeclick.com> -> <userb@mydomain.com>
<phonicsm59@websitedesignforbusiness.com> -> <userc@mydomain.com>
NOTE: I substituted the real user email addresses with usera@mydomain.com, userb@mydomain.com, and userc@mydomain.com.
Is this the same as "sender specific routing"?
It looks like this is disabled by default:
http://www.postfix.org/postconf.5.ht...rusted_routing (turned off by default)
but I went ahead and added the line "allow_untrusted_routing = no" just to make sure. That didn't fix the problem.

Any other ideas?

AlucardZero 04-29-2010 09:11 AM

Ok, I misread. Please clarify, you only want to receive mail that is sent FROM your domain?

Scott8 04-29-2010 10:29 AM

We have two locations, each has a different inbound Internet connection.
At each location we've got a system set up with SuSE Linux, Postfix, SpamAssassin, ClamAV. These are the systems I'm working on.
Mail from the Internet goes to one or the other SuSE server; from there, we send it to a Barracuda Spam Firewall. Any messages that make it through the Barracuda go to our end-user mail server (running MS Exchange).
We do it this way for a couple of reasons: first, the Barracuda provides (I believe) a better level of protection (my comment is mostly focused on their spam protection); second, by using the Linux systems as our Internet gateway devices, we only need to purchase one Barracuda.

We do not filter any outbound mail so the only mail going to the Barracuda is inbound from the SuSE servers.

The messages in question are making it through the SuSE system to the Barracuda. The Barracuda is stopping them.

The goal is to prevent these messages from making it to the Barracuda. "These messages" are defined as messages which have a final destination email address outside my environment.

Thanks again 8-)

AlucardZero 04-29-2010 10:38 AM

What is 'mynetworks' set to? I don't see it in your first post.

Scott8 04-29-2010 11:47 AM

Not defined.
I was wondering about that one. Do you think I can set it to the IP of my Barracuda?

AlucardZero 04-29-2010 12:32 PM

Run "postconf -n"; what is mynetworks set to? I'm guessing that "permit_mynetworks" in smtpd_recipient_restrictions is matching before "reject_unauth_destination".

Scott8 04-29-2010 01:03 PM

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain

Good call.

Ok, I'm trying to follow the logic of the setting to see how the messages are getting through. I know it starts on the left, and takes the first match. Are you suggesting that the lack of an explicit $mynetworks setting is allowing any destination to match "permit_mynetworks"?

Sounds like I need to remove permit_mynetworks or put it at the right end of the restrictions.

Scott8 04-29-2010 02:24 PM

I changed the entry to:
smtpd_recipient_restrictions = reject_unauth_destination, reject_unknown_recipient_domain, permit_mynetworks

It didn't work any better...
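
The left-to-right, first-match evaluation of smtpd_recipient_restrictions discussed in the posts above, as an added example that is not part of the thread and is not Postfix code: a simplified Python model of only permit_mynetworks and reject_unauth_destination. The mynetworks value and the client addresses are constructed, and relay domains are matched exactly (no subdomain matching).

```python
# Simplified model of Postfix recipient restrictions (added example, not Postfix code).
import ipaddress

RELAY_DOMAINS = {"mydomain.com"}               # stands in for relay_domains
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]   # constructed mynetworks value


def permit_mynetworks(client_ip, rcpt):
    """OK when the client address is inside mynetworks, else no decision."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
        return "OK"
    return "DUNNO"


def reject_unauth_destination(client_ip, rcpt):
    """REJECT unless the recipient domain is one this server relays for."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in RELAY_DOMAINS else "REJECT"


CHECKS = {
    "permit_mynetworks": permit_mynetworks,
    "reject_unauth_destination": reject_unauth_destination,
}


def evaluate(restrictions, client_ip, rcpt):
    """Walk the list left to right; the first OK or REJECT ends evaluation."""
    for name in (r.strip() for r in restrictions.split(",")):
        verdict = CHECKS[name](client_ip, rcpt)
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "end of list"  # nothing decided: the recipient is accepted


ORIGINAL = "permit_mynetworks, reject_unauth_destination"
REORDERED = "reject_unauth_destination, permit_mynetworks"

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "someone@psv.nl"),      # outside client, foreign recipient
        ("198.51.100.7", "usera@mydomain.com"),  # outside client, relayed domain
        ("192.0.2.10", "someone@psv.nl"),        # client inside mynetworks
    ]
    for order in (ORIGINAL, REORDERED):
        for ip, rcpt in cases:
            print(order, "|", ip, rcpt, "->", evaluate(order, ip, rcpt))
```

In this model a client outside mynetworks is refused for a foreign recipient in either order; the reordering only changes the outcome for clients inside mynetworks.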

