Accepting messages only for valid users in a secondary MX server


Accepting messages only for valid users in a secondary MX server

Santiago Romero-2

 Hi.

 I have a secondary MX server with qmail that I'm migrating to postfix.
Currently, my qmail server checks RCPT TO addresses against a plain text
file that contains all the valid email accounts for some of the domains
that it is making MX-backup for. That "plain-text" file is scp'ed from the
main server.

 As I'm migrating it to postfix, I wonder if it's possible to do the
same in postfix.

 To summarize it, currently I have 2 files called:

valid_accounts.txt: a list of valid accounts in the primary MX.
domains_to_check_user.txt: Holds a list of domains. Server only checks
RCPT against valid_accounts.txt for the domains present in this file.

 When a new email arrives, if the destination domain is in
"domains_to_check_user.txt", then I check the RCPT TO against
"valid_accounts.txt" (and return NO SUCH USER or ACCEPT the email).

 If the domain is not in "domains_to_check_user.txt", I accept it (if
it's in qmail's rcpthosts's, of course).

 This way, I'm rejecting thousands of email messages directed to
non-existent accounts in our main domains and sent directly to our MX2
server (as it cannot check if the account exists without this method).

 Is there any way of doing something similar in postfix (maintaining
domains and accounts in 2 different files would be nice)?

 Thanks a lot.

--
Santiago Romero



Re: Accepting messages only for valid users in a secondary MX server

Erwan David
On Mon, Feb 23, 2009 at 05:01:09PM CET, Santiago Romero <[hidden email]> said:

>
> Hi.
>
> I have a secondary MX server with qmail that I'm migrating to postfix.  
> Currently, my qmail server checks RCPT TO addresses against a plain text  
> file that contains all the valid email accounts for some of the domains  
> that it is making MX-backup for. That "plain-text" file is scp'ed from the
> main server.
>
> As I'm migrating it to postfix, I wonder if it's possible to do the same
> in postfix.
>
> To summarize it, currently I have 2 files called:
>
> valid_accounts.txt: a list of valid accounts in the primary MX.
> domains_to_check_user.txt: Holds a list of domains. Server only checks  
> RCPT against valid_accounts.txt for the domains present in this file.
>
> When a new email arrives, if the destination domain is in
> "domains_to_check_user.txt", then I check the RCPT TO against  
> "valid_accounts.txt" (and return NO SUCH USER or ACCEPT the email).
>
> If the domain is not in "domains_to_check_user.txt", I accept it (if it's
> in qmail's rcpthosts's, of course).
>
> This way, I'm rejecting thousands of email messages directed to  
> non-existent accounts in our main domains and sent directly to our MX2  
> server (as it cannot check if the account exists without this method).
>
> Is there any way of doing something similar in postfix (maintaining  
> domains and accounts in 2 different files would be nice)?
>
> Thanks a lot.

Postfix does this through "relay_recipient_maps". It checks for a
relay domain only if there are addresses for this domain in the maps.
Note it is mapS: you can have several maps, e.g. one per domain to
check.


--
Erwan

Re: Accepting messages only for valid users in a secondary MX server

Noel Jones-2
In reply to this post by Santiago Romero-2
Santiago Romero wrote:

> To summarize it, currently I have 2 files called:
>
> valid_accounts.txt: a list of valid accounts in the primary MX.
> domains_to_check_user.txt: Holds a list of domains. Server only checks
> RCPT against valid_accounts.txt for the domains present in this file.
>
> When a new email arrives, if the destination domain is in
> "domains_to_check_user.txt", then I check the RCPT TO against
> "valid_accounts.txt" (and return NO SUCH USER or ACCEPT the email).
>
> If the domain is not in "domains_to_check_user.txt", I accept it (if
> it's in qmail's rcpthosts's, of course).

Postfix calls domains that it accepts mail for but delivers
elsewhere (such as MX backups) relay_domains.  You can use a
plain text file or any supported postfix map type.
http://www.postfix.org/postconf.5.html#relay_domains
A sample configuration is described here:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

The list of valid recipients in those domains is specified in
relay_recipient_maps.  Specify one or more map files listing
the valid recipients; all other recipients are rejected.
http://www.postfix.org/postconf.5.html#relay_recipient_maps
If this file is scp'ed as a plain text file, you will need to
postmap it to create the indexed table.


   -- Noel Jones

Re: Accepting messages only for valid users in a secondary MX server

Santiago Romero-2

> Postfix calls domains that it accepts mail for but delivers elsewhere
> (such as MX backups) relay_domains.  You can use a plain text file or
> any supported postfix map type.
>
> The list of valid recipients in those domains is specified in
> relay_recipient_maps.  Specify one or more map files listing the valid
> recipients; all other recipients are rejected.
> http://www.postfix.org/postconf.5.html#relay_recipient_maps

 My question is: Can I have domains in relay_domains for which I check
relay_recipient_maps and domains for which I don't check it?

 Example:

domain1.com   -> My main domain, I know accounts in the primary MX
customer.com  -> I work as MX backup for it, I don't know their accounts

relay_domains = domain1.com, customer.com
relay_recipient_maps = hash:/etc/postfix/valid_relay_accounts

 If I define N (let's say 100) accounts for @domain1.com in
valid_relay_accounts and 0 accounts for @customer.com, what would
postfix do with @customer.com emails? Would postfix reject or
accept it (no accounts defined in relay_recipient_maps for it)?

 My problem is that I have knowledge of accounts of SOME of the domains
I act as MXBackup for... and I want to "check rcpt to" only for those
domains, while accepting any RCPT TO for the others.

 Thanks.

--
Santiago Romero



Re: Accepting messages only for valid users in a secondary MX server

Noel Jones-2
Santiago Romero wrote:

>
>> Postfix calls domains that it accepts mail for but delivers elsewhere
>> (such as MX backups) relay_domains.  You can use a plain text file or
>> any supported postfix map type.
>>
>> The list of valid recipients in those domains is specified in
>> relay_recipient_maps.  Specify one or more map files listing the valid
>> recipients; all other recipients are rejected.
>> http://www.postfix.org/postconf.5.html#relay_recipient_maps
>
> My question is: Can I have domains in relay_domains for which I check
> relay_recipient_maps and domains for which I don't check it?
>
> Example:
>
> domain1.com   -> My main domain, I know accounts in the primary MX
> customer.com  -> I work as MX backup for it, I don't know their accounts
>
> relay_domains = domain1.com, customer.com
> relay_recipient_maps = hash:/etc/postfix/valid_relay_accounts
>
> If I define N (let's say 100) accounts for @domain1.com in
> valid_relay_accounts and 0 accounts for @customer.com, what would
> postfix do with @customer.com emails? Would postfix reject or
> accept it (no accounts defined in relay_recipient_maps for it)?
>
> My problem is that I have knowledge of accounts of SOME of the domains I
> act as MXBackup for... and I want to "check rcpt to" only for those
> domains, while accepting any RCPT TO for the others.
>
> Thanks.
>

The link above says in part, "Specify @domain as a wild-card
for domains that have no valid recipient list, and become a
source of backscatter mail".
So a backscatter inducing wildcard entry would look like:
@example.com  anything

You can use a check_recipient_access map that returns
reject_unverified_recipient for the domains that don't provide
a list to mitigate the problem.
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

   -- Noel Jones
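
An added example, not part of the thread and not Postfix's own tooling: one way to turn the scp'ed plain-text account list into a relay_recipient_maps source, with real accounts for the domains that have a list and the `@domain` wildcard for the relay domains that do not. The function names and the three input files (one address or domain per line) are assumptions modelled on the files described in the original question.

```shell
#!/bin/sh
# Added example; function names and file layout are assumptions.
# Input files hold one address or one domain per line; "#" starts a comment.

# build_relay_recipients ACCOUNTS CHECKED_DOMAINS RELAY_DOMAINS
# Prints a Postfix table source ("key<TAB>OK") on stdout.
build_relay_recipients() {
    accounts=$1 checked=$2 relay=$3
    # A failed or truncated scp must not produce a table that rejects everyone.
    [ -s "$accounts" ] || { echo "empty account list: $accounts" >&2; return 1; }
    awk -v OFS='\t' '
        # Normalise every line: drop CR, trim blanks, lower-case.
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); $0 = tolower($0) }
        /^#/ || $0 == "" { next }
        # 1st file: domains whose recipients are known.
        FILENAME == ARGV[1] { check[$0] = 1; next }
        # 2nd file: relay domains; those without a list get the @domain wildcard.
        FILENAME == ARGV[2] { if (!($0 in check)) print "@" $0, "OK"; next }
        # 3rd file: accounts; keep well-formed addresses in checked domains only.
        {
            n = split($0, part, "@")
            if (n != 2 || part[1] == "" || !(part[2] in check)) { skipped++; next }
            if (!seen[$0]++) print $0, "OK"
        }
        END { if (skipped) print skipped " account line(s) skipped" > "/dev/stderr" }
    ' "$checked" "$relay" "$accounts"
}

# install_relay_recipients DEST ACCOUNTS CHECKED_DOMAINS RELAY_DOMAINS
# Builds into a temp file, swaps it in atomically, then indexes it with postmap.
install_relay_recipients() {
    dest=$1; shift
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if build_relay_recipients "$@" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv "$tmp" "$dest" && postmap "hash:$dest"
    else
        rm -f "$tmp"; return 1
    fi
}
```

With the file names from the thread, DEST would be /etc/postfix/valid_relay_accounts, and a single entry can be checked afterwards with `postmap -q address hash:/etc/postfix/valid_relay_accounts`.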

Re: Accepting messages only for valid users in a secondary MX server

Santiago Romero-2
In reply to this post by Noel Jones-2

>
> The list of valid recipients in those domains is specified in
> relay_recipient_maps.  Specify one or more map files listing the valid
> recipients; all other recipients are rejected.
> http://www.postfix.org/postconf.5.html#relay_recipient_maps
> If this file is scp'ed as a plain text file, you will need to postmap
> it to create the indexed table.

 Hi.

 Now I have a nice hash file with all the valid accounts, but ...

 How do I deal in a relay_recipient_maps file with qmail's mailing list
addresses?

 I mean:

[hidden email],
[hidden email],

 This shows users like:

[hidden email]
[hidden email]
[hidden email]
[hidden email]
mylist-unsubscribe-user=[hidden email]

 Can relay_recipient_maps use a pcre table? Is it in the same format
as a hash file  ("pattern \t OK")? Must pcre files be postmap'ed?

 Thanks.

--
Santiago Romero



Re: Accepting messages only for valid users in a secondary MX server

Wietse Venema
Santiago Romero:
>  Now I have a nice hash file with all the valid accounts, but ...
>
>  How do I deal in a relay_recipient_maps file with qmail's mailing list
> addresses?

How does qmail know that an address is valid or not? If a Postfix
maptype can be invented that reads that type of file, then it could
be queried by the proxymap daemon. This is easiest to add on Linux
where maps can be dynamically linked into Postfix.

>  I mean:
>
> [hidden email],
> [hidden email],
>
>  This shows users like:
>
> [hidden email]
> [hidden email]
> [hidden email]
> [hidden email]
> mylist-unsubscribe-user=[hidden email]
>
>  Can relay_recipient_maps use a pcre table? Is it in the same format
> as a hash file  ("pattern \t OK")? Must pcre files be postmap'ed?

The lookup result is the same.  

On the left-hand side, instead of a fixed string such as with hash
tables, you specify a regular expression with PCRE. postmap does
not "create" PCRE files. It only reads them with "postmap -q".

        Wietse

Re: Accepting messages only for valid users in a secondary MX server

Santiago Romero-2

>>  Now I have a nice hash file with all the valid accounts, but ...
>>
>>  How do I deal in a relay_recipient_maps file with qmail's mailing list
>> addresses?
>>    
>
> How does qmail know that an address is valid or not? If a Postfix
> maptype can be invented that reads that type of file, then it could
> be queried by the proxymap daemon. This is easiest to add on Linux
> where maps can be dynamically linked into Postfix.
>  

 Qmail mailing lists are implemented as .qmail (like .forward) files in
user's $HOME. In our case, we have an old qmail machine with an "alias"
user that implements lists, and accepts any email addressed to all valid
accounts PLUS "listname-ANYTHING".

>>  I mean:
>>
>> [hidden email],
>> [hidden email],
>>
>>  This shows users like:
>>
>> [hidden email]
>> [hidden email]
>> [hidden email]
>> [hidden email]
>> mylist-unsubscribe-user=[hidden email]
>>
>>  Can relay_recipient_maps use a pcre table? Is it in the same format
>> as a hash file  ("pattern \t OK")? Must pcre files be postmap'ed?
>>    
>
> The lookup result is the same.  
>
> On the left-hand side, instead of a fixed string such as with hash
> tables, you specify a regular expression with PCRE. postmap does
> not "create" PCRE files. It only reads them with "postmap -q".
>  
 Thanks for the answer.

 By "Must pcre files be postmap'ed?" I meant if pcre files must be
"converted" to ".db" using postmap, or if they are just like CIDR files,
where that's not needed.

 For relay_recipient_maps must I check against /^RCPT
TO:.*destemail_pattern/ or just /^destemail_pattern$/ ? What is checked
against the file? The "RCPT TO" line or just the email address?

 Thanks another time and sorry for the basic questions, I've seen pcre
tables for MIME, SENDER and RECIPIENT (using /^Header: pattern/) but not
"relay_recipient_maps".

--
Santiago Romero



Re: Accepting messages only for valid users in a secondary MX server

Noel Jones-2
Santiago Romero wrote:

>
>>>  Now I have a nice hash file with all the valid accounts, but ...
>>>
>>>  How do I deal in a relay_recipient_maps file with qmail's mailing
>>> list addresses?
>>>    
>>
>> How does qmail know that an address is valid or not? If a Postfix
>> maptype can be invented that reads that type of file, then it could
>> be queried by the proxymap daemon. This is easiest to add on Linux
>> where maps can be dynamically linked into Postfix.
>>  
>
> Qmail mailing lists are implemented as .qmail (like .forward) files in
> user's $HOME. In our case, we have an old qmail machine with an "alias"
> user that implements lists, and accepts any email addressed to all valid
> accounts PLUS "listname-ANYTHING".
>
>>>  I mean:
>>>
>>> [hidden email],
>>> [hidden email],
>>>
>>>  This shows users like:
>>>
>>> [hidden email]
>>> [hidden email]
>>> [hidden email]
>>> [hidden email]
>>> mylist-unsubscribe-user=[hidden email]
>>>
>>>  Can relay_recipient_maps use a pcre table? Is it in the same format
>>> as a hash file  ("pattern \t OK")? Must pcre files be postmap'ed?
>>>    
>>
>> The lookup result is the same.
>> On the left-hand side, instead of a fixed string such as with hash
>> tables, you specify a regular expression with PCRE. postmap does
>> not "create" PCRE files. It only reads them with "postmap -q".
>>  
> Thanks for the answer.
>
> By "Must pcre files be postmap'ed?" I meant if pcre files must be
> "converted" to ".db" using postmap, or if they are just like CIDR files,
> where that's not needed.
>
> For relay_recipient_maps must I check against /^RCPT
> TO:.*destemail_pattern/ or just /^destemail_pattern$/ ? What is checked
> against the file? The "RCPT TO" line or just the email address?
>
> Thanks another time and sorry for the basic questions, I've seen pcre
> tables for MIME, SENDER and RECIPIENT (using /^Header: pattern/) but not
> "relay_recipient_maps".
>

Most of your questions are answered in the documentation.
http://www.postfix.org/access.5.html
http://www.postfix.org/pcre_table.5.html

PCRE tables are used as plain text; it is not necessary to
index them with postmap.

The lookup key is the same regardless of the table type; use
the full email address.

Valid addresses may also be affected by the postfix
recipient_delimiter parameter.
http://www.postfix.org/postconf.5.html#recipient_delimiter

A sample regexp entry for <[hidden email]>
would look like:
/^user-foo-.*@example\.com$/  OK

   -- Noel Jones