LinuxQuestions.org
Old 09-23-2008, 04:26 PM   #1
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Rep: Reputation: 17
Postfix: how to reject incoming mail as in Sendmail's "error:nouser"?


I've searched this on the interwebs and although I found many people with the same problem, I couldn't really find a solution.

I've just migrated from Sendmail to Postfix. Since Sendmail was set up to use virtusertable, I have set up Postfix to use virtusertable as well. But that immediately presents a problem. With Sendmail, I was able to reject mail as follows:

Code:
laura@domain1.com       error:nouser No such user here!
john@domain1.com        john
sue@domain1.com         sue
@domain1.com            catchall

sales@domain2.com       john
support@domain2.com     sue
@domain2.com            error:nouser No user by the name %1 here!
Postfix, however, doesn't support the "error:nouser" option. I did find one option, however, to do something similar:

In main.cf:

Code:
smtpd_recipient_restrictions = (...), check_recipient_access hash:/etc/postfix/recipient_access, (...)
And in file recipient_access:

Code:
laura@domain1.com       550 No such user here!
There are two problems with this. First of all, this doesn't actually reject the email. It just sends a bounce email. So that means my mail server still has to receive the email in its entirety. The second problem is that I can't specify the catchall (as for domain2 above) here.

So what is the proper way to reject email like Sendmail's "error:nouser" does?

Thanks in advance.
 
Old 09-24-2008, 12:00 AM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Quote:
First of all, this doesn't actually reject the email. It just sends a bounce email.
That should reject it. You may have tried sending the message from somewhere in $mynetworks, which was accepted before
it hit the check_recipient_access stage.

Quote:
The second problem is that I can't specify the catchall (as for domain2 above) here.
You can use a pcre table.
 
Old 09-24-2008, 01:02 AM   #3
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 62
Postfix will reject all unlisted recipients by default, so unless you are using domain wildcards, you can just remove that recipient.

As Berhanie mentioned, Postfix will reject the message, not create a bounce.

You can use the keyword REJECT instead of 550. If you want a specific code, of course you can use it.

Either a pcre or regexp recipient access table will allow your wildcard:

/@mydomain\.com$/ someuser@myotherdomain.com
 
Old 09-24-2008, 07:29 AM   #4
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
To elaborate on wildcards, you can use them in plain access tables by just listing the domain part of an address without the user@ -- the equivalent of your domain1 wildcard. You don't need pcre for that. But, if you want to use a part of the matched address in the response, as is done in your domain2 example, then I think pcre and regexp are your only options.

Last edited by Berhanie; 09-24-2008 at 07:31 AM.
 
Old 09-28-2008, 07:38 PM   #5
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Rep: Reputation: 17
First of all, thank you all for your answers.

Second, on my end, postfix does not reject emails for unknown users. It just sends a bounce email back to the sender:

Quote:
This is the mail system at host xxxxx.xxxxx.xxx.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<test@xxxxx.xxx>: mail for xxxxx.xxx loops back to myself
Which, BTW, reveals another problem (the "loops back to myself" message). Maybe I should elaborate on my setup a bit more.

I have 45 virtual hosts on this particular server. They are listed in the file local-host-names like this:

Code:
domain1.com
domain2.com
domain3.com
   .
   .
   .
The server has a bunch of users. Most users have multiple email aliases for multiple virtual hosts. For instance, User1 can have these email addresses: sales@domain1.com, support@domain2.com, user@domain3.com. These aliases are defined in the file virtusertable.db like this:

Code:
sales@domain1.com          User1
support@domain2.com        User1
user@domain3.com           User1
   .
   .
   .
Both local-host-names and virtusertable.db are taken directly from the old sendmail installation.

In main.cf, I have these lines:

Code:
virtual_maps = hash:/etc/postfix/virtusertable
relay_domains = /etc/postfix/local-host-names
AFAICT, this works quite well. Mail for each virtual host is accepted and delivered to the right user's mailbox.

But apparently postfix works somewhat differently than sendmail does (of course). When I send mail to an email address not specified in virtusertable.db, the mail isn't rejected but postfix sends back the above bounce mail. I read somewhere that one solution is to add each virtual host to mydestination in main.cf.

1) Is that true? Do I really need to add each virtual host to mydestination?
2) Is the fact postfix does not reject the email but sends a bounce email instead directly related to 1) or is this a separate problem?
 
Old 09-28-2008, 08:30 PM   #6
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Virtual domains should not be listed as mydestinations. This is specifically dealt with here http://www.postfix.org/VIRTUAL_README.html
Quote:
NEVER list a virtual MAILBOX domain name as a mydestination domain!
For the other issue, post

postconf -n
 
Old 09-28-2008, 08:45 PM   #7
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
To add to billymayday's comment, I think the cause of the problem (bounce rather than rejection) is that you listed the domains in relay_domains without defining relay_recipient_maps. Due to the function of these email addresses, they should probably be part of the Virtual Alias Domains rather than Relay Domains class. You might do something like this, instead:
Code:
virtual_alias_domains = /etc/postfix/local-host-names
virtual_alias_maps = hash:/etc/postfix/virtusertable
Note that an entry of the form
Code:
sales@domain1.com          User1
tacks on $myorigin to User1, since you did not specify a full user@domain address.
 
Old 09-28-2008, 10:37 PM   #8
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 62
Quote:
Originally Posted by Zippy1970 View Post
Second, on my end, postfix does not reject emails for unknown users. It just sends a bounce email back to the sender:

...

But apparently postfix works somewhat differently than sendmail does (of course). When I send mail to an email address not specified in virtusertable.db, the mail isn't rejected but postfix sends back the above bounce mail. I read somewhere that one solution is to add each virtual host to mydestination in main.cf.
Show your postconf -n output, and the relevant log messages showing the bounce. The content of the bounce notification is less useful.

Quote:
Originally Posted by Zippy1970 View Post
1) Is that true? Do I really need to add each virtual host to mydestination?
2) Is the fact postfix does not reject the email but sends a bounce email instead directly related to 1) or is this a separate problem?
1. Postfix has several address classes. Domains listed in mydestination are part of the local address class. These would not be virtual addresses.

2. This is not a fact. Postfix will reject messages for unknown users by default. Postfix would only bounce a message after it has accepted it, or if your configuration has non-default notify_classes configured. Your system may be configured to send bounce messages upon reject or other error class.

Show postconf -n, so we don't have to speculate.
 
Old 09-29-2008, 05:01 AM   #9
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Rep: Reputation: 17
Again I would like to thank everybody for their help first, it's very much appreciated.

Here is the output of postfix -n, I have replaced my true server name with servername, my true domain name with mydomainname and my server's IP address with xxx.xxx.xxx.xxx, everything else is unchanged:

Quote:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
mailbox_command =
mailbox_size_limit = 0
multi_recipient_bounce_reject_code = 554
mydestination = servername.mydomainname.com, localhost.mydomainname.com, localhost.localdomain, localhost
myhostname = servername.mydomainname.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
non_fqdn_reject_code = 554
recipient_delimiter = +
relay_domains = /etc/postfix/local-host-names
relay_domains_reject_code = 554
relayhost =
smtp_bind_address = xxx.xxx.xxx.xxx
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
I noticed one setting is not listed with postconf -n even though it can be found in main.cf, so I've listed it here:

Quote:
virtual_maps = hash:/etc/postfix/virtusertable

Last edited by Zippy1970; 09-29-2008 at 06:06 AM.
 
Old 09-29-2008, 07:05 AM   #10
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
You might consider merging smtpd_client_restrictions (should that be "check_client_access hash:/etc/postfix/access"?) into smtpd_recipient_restrictions. Also, the access list is traversed in sequence, so you should
put things like permit_mynetworks and permit_sasl_authenticated near the top of the list, otherwise some users
may be denied by a previous restriction.

As far as sasl and tls, if your clients are using plain-text passwords, you can prevent their transmission
in the clear by changing "smtpd_tls_auth_only = no" to "smtpd_tls_auth_only = yes".

See my previous post about rejecting unknown addresses.
 
Old 09-29-2008, 04:05 PM   #11
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Rep: Reputation: 17
Ok, I've changed this:

Code:
relay_domains = /etc/postfix/local-host-names
virtual_maps = hash:/etc/postfix/virtusertable
to this:

Code:
virtual_alias_domains = /etc/postfix/local-host-names
virtual_alias_maps = hash:/etc/postfix/virtusertable
This fixed the problem of postfix sending a bounce mail instead of rejecting the mail. I'm still unclear however why there's a need for relay_domains at all since the same result can be achieved with virtual_alias_maps...

This only leaves me with the problem I want to be able to reject mail for a specific recipient. I know that postfix by default rejects mail for unknown recipients but consider the following (Sendmail) virtusertable snippet:

Code:
sales@mydomain.com        john
support@mydomain.com      sue
junk@mydomain.com         error:nouser
@mydomain.com             carl
As you can see, I actually want to accept anything sent to mydomain.com, except mail for junk@mydomain.com.

Is the proper way to do it, to create a file recipient_access.db:

Code:
junk@mydomain.com       550 No such user here!
Then put in main.cf:

Code:
smtpd_recipient_restrictions = (...), check_recipient_access hash:/etc/postfix/recipient_access, (...)
?
 
Old 09-29-2008, 04:31 PM   #12
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by Berhanie View Post
(should that be "check_client_access hash:/etc/postfix/access"?)
Yes, thanks! Another config error I missed.
 
Old 09-29-2008, 05:28 PM   #13
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Rep: Reputation: 17
My apologies for posting yet another question, but I thought I was being clever by doing this:

virtusertable:
Code:
junk@mydomain.com    nosuchuser
spam@mydomain.com    nosuchuser
recipient-access:
Code:
nosuchuser@          550 No such user here!
main.cf:
Code:
virtual_alias_maps = hash:/etc/postfix/virtusertable
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient-access
This, however, does not work. I just get a bounce mail saying the user "nosuchuser@servername.mydomain.com" is not found. Why? Is that because servername.mydomain.com is listed in $mydestination?

If I put "junk@" and "spam@" in recipient-access, the mail is properly rejected.
 
Old 09-29-2008, 11:52 PM   #14
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 62
Create a check_recipient_access table, and specifically exclude the desired user.
Code:
main.cf:
    check_recipient_access hash:/etc/postfix/denied_recipients

/etc/postfix/denied_recipients:
    # never place an OK here, or this will make your server an open relay
    # see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger
    #
    junk@mydomain.com       REJECT recipient rejected
    spam@mydomain.com       REJECT recipient rejected
Place this restriction before permit_mynetworks, but see warning above.

Move reject_unauth_pipelining into smtpd_data_restrictions. It has no purpose in any other smtpd_*_restriction.
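
A check for the warning in the post above, as an added example that is not part of the original thread: it flags permit-type entries in any check_recipient_access table that is evaluated before reject_unauth_destination. The sample config and table are constructed, the function names are hypothetical, and it only reads smtpd_recipient_restrictions (newer Postfix versions can also keep relay control in smtpd_relay_restrictions).

```python
import re

# Constructed sample, modelled on the settings quoted in this thread.
MAIN_CF = """\
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/denied_recipients,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, permit
"""
TABLES = {"/etc/postfix/denied_recipients": """\
# constructed table; the OK entry is the kind of line the post warns about
junk@mydomain.com    REJECT recipient rejected
spam@mydomain.com    550 No such user here!
postmaster@          OK
"""}

# Restrictions that take the next token as their argument (partial list).
TAKES_ARG = re.compile(r"^(check_\w+|reject_rbl_client|reject_rhsbl_\w+)$")

def restrictions(main_cf, name="smtpd_recipient_restrictions"):
    """Parse one restriction list into [(keyword, argument or None), ...]."""
    joined = re.sub(r"\n[ \t]+", " ", main_cf)      # fold continuation lines
    m = re.search(rf"^{re.escape(name)}\s*=(.*)$", joined, re.M)
    tokens = iter(re.findall(r"[^,\s]+", m.group(1) if m else ""))
    # next(tokens) pulls the argument from the same iterator the loop walks
    return [(t, next(tokens, None) if TAKES_ARG.match(t) else None) for t in tokens]

def permit_keys(table_text):
    """Keys whose action permits: OK, or a permit* restriction used as an action."""
    keys = []
    for line in table_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if fields[1].upper() == "OK" or fields[1].lower().startswith("permit"):
            keys.append(fields[0])
    return keys

def lint(main_cf, tables):
    """Report permit-type table entries evaluated before reject_unauth_destination."""
    rules = restrictions(main_cf)
    names = [kw for kw, _ in rules]
    if "reject_unauth_destination" not in names:
        return ["reject_unauth_destination is missing from the list"]
    findings = []
    for kw, arg in rules[:names.index("reject_unauth_destination")]:
        if kw == "check_recipient_access" and arg:
            path = arg.split(":", 1)[-1]            # strip the map type, e.g. "hash:"
            findings += [f"{path}: '{key}' permits before reject_unauth_destination"
                         for key in permit_keys(tables.get(path, ""))]
    return findings

if __name__ == "__main__":
    for finding in lint(MAIN_CF, TABLES):
        print(finding)
```

A `user@` key matches that local part at every domain, so the flagged `postmaster@ OK` line would accept mail for postmaster at domains this server is not responsible for.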
 
Old 09-30-2008, 06:07 AM   #15
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by Mr. C. View Post
Move reject_unauth_pipelining into smtpd_data_restrictions. It has no purpose in any other smtpd_*_restriction.
Will do, thanks for the tip.

Quote:
Create a check_recipient_access table, and specifically exclude the desired user.
Well, that's exactly what I did. And I know I can exclude specific clients by listing them in the check_recipient_access table. But the reason I want to do it the way I'm suggesting in my previous post (aliasing the recipient to user "nosuchuser" first, then block mail for "nosuchuser" instead), is so I can keep all recipients in a single table (like Sendmail does) and to make it easier to change the action taken for a blocked recipient (since I then only have to change the action for "nosuchuser").

Hope that made sense. English is not my native language so sometimes explaining something can be a bit difficult for me.

Edit: I think the problem is that Postfix only checks the smtpd_recipient_restrictions once. For instance, if I have this in my virtusertable:

Code:
john@mydomain.com        doe@mydomain.com
it will check john@mydomain.com against smtpd_recipient_restrictions, but not doe@mydomain.com.

Edit 2: Suppose I have something like this in my virtusertable:

Code:
support@mydomain.com     john
causing postfix to hand the mail over to the local delivery agent. What I don't get is why it then completely ignores all rules for local delivery. For instance, it completely ignores $local_recipient_maps.

Last edited by Zippy1970; 09-30-2008 at 08:44 AM.
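
The behaviour described in posts #13 and #15, as an added example that is not part of the original thread: a simplified model (not Postfix code) of why a `nosuchuser@` access entry never fires for an aliased recipient. Access tables are consulted with the address given in RCPT TO, while virtual alias rewriting happens only after the message has been accepted. The tables are constructed from the posts; the function names, the local user list and the omission of parent-domain and address-extension lookups are assumptions.

```python
# Constructed tables, following the setup described in posts #13 and #15.
VIRTUAL_ALIAS = {"junk@mydomain.com": "nosuchuser",
                 "spam@mydomain.com": "nosuchuser",
                 "support@mydomain.com": "john"}
RECIPIENT_ACCESS = {"nosuchuser@": "550 No such user here!"}
MYORIGIN = "servername.mydomain.com"   # assumption: the domain seen in the bounce
LOCAL_USERS = {"john", "sue", "carl"}  # assumption: existing local accounts

def access_keys(address):
    """Lookup keys for an address, in the order access(5) lists the patterns."""
    local, _, domain = address.lower().rpartition("@")
    return [f"{local}@{domain}", domain, f"{local}@"]

def smtpd_rcpt(address, access):
    """SMTP-time check: only the address from RCPT TO is looked up."""
    for key in access_keys(address):
        if key in access:
            return access[key]
    return "DUNNO"                     # no match: later restrictions decide

def cleanup_rewrite(address, virtual, myorigin):
    """Rewrite after acceptance; an unqualified target gets @$myorigin appended."""
    target = virtual.get(address.lower(), address)
    return target if "@" in target else f"{target}@{myorigin}"

def trace(address, access=RECIPIENT_ACCESS, virtual=VIRTUAL_ALIAS):
    """Follow one listed recipient through both stages; report where it ends."""
    verdict = smtpd_rcpt(address, access)
    if verdict.split()[0].upper() == "REJECT" or verdict[:1] in "45":
        return ("rejected during SMTP", verdict)
    final = cleanup_rewrite(address, virtual, MYORIGIN)
    local, _, domain = final.partition("@")
    if domain == MYORIGIN and local not in LOCAL_USERS:
        return ("accepted, then bounced", final)
    return ("delivered", final)

if __name__ == "__main__":
    print(trace("junk@mydomain.com"))
    print(trace("junk@mydomain.com", access={"junk@": "550 No such user here!"}))
    print(trace("support@mydomain.com"))
```

Because the rejection has to happen on the original address, the reject entries belong in the access table keyed by `junk@...` and `spam@...`, as in post #14; anything that only fails after the rewrite produces a bounce to the envelope sender.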
 
  

