I have a small Postfix server that I'm using to familiarise myself more with
configuration of restrictions. I'm handing off all mail to a virtual
transport which delivers it elsewhere. I'm not using local transport at
all on this server.
While experimenting with smtpd_recipient_restrictions, I noticed that
mails sent to the postmaster (RCPT TO: <postmaster>) bypass all
restrictions. I don't understand why and I can't find any configuration
settings that would make that happen.

629 $ telnet test 25
Connected to test.
Escape character is '^]'.
220 test.mytestdomain.org ESMTP Postfix
MAIL FROM:<[hidden email]>
250 2.1.0 Ok
RCPT TO: <[hidden email]>
501 5.5.2 <.>: Helo command rejected: Invalid name
RCPT TO: <postmaster>
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 5AD8D2F2

This is with a vanilla install of Postfix 3.4.12 and the below main.cf:
Only unqualified postmaster bypasses the restrictions, anything else
(including a postmaster fqdn) triggers them as expected. In the above,
the helo should fail, etc.
I've read that one should accept mail to postmaster but the
documentation seems to suggest this needs to be configured rather than
being default behaviour, so I'm surprised to see it doing that out of
the box - I'd like to understand why, if anyone can help?
Re: Mail to postmaster bypass recipient restrictions
> I have a small Postfix server that I'm using to familiarise myself more with
> configuration of restrictions. I'm handing off all mail to a virtual
> transport which delivers it elsewhere. I'm not using local transport at
> all on this server.
> While experimenting with smtpd_recipient_restrictions, I noticed that
> mails sent to the postmaster (RCPT TO: <postmaster>) bypass all
> restrictions. I don't understand why and I can't find any configuration
> settings that would make that happen.
The postmaster address is special.
If a sysadmin screws up their recipient restriction configuration,
then someone can inform the postmaster that they screwed up.
If they broke their configuration so badly that it does not receive
email anymore, then people will usually notice.
So this is for sysadmins that screw up only mildly.
That text describes header/body checks, which require information
that is not available during RCPT TO command processing.
> The RCPT TO address
> Should that not also apply to "postmaster@*" as well as "postmaster" ?
RFC 2821 requires that "the special case of "RCPT TO:<Postmaster>"
(with no domain specification), MUST be supported.".
Postfix smtpd_mumble_restrictions handle only forms with a domain,
otherwise you would have to specify access rules twice, once with
domain and once without. Therefore, "RCPT TO:<Postmaster@example>"
is handled as usual, while "RCPT TO:<Postmaster>" is given a free
pass. It is an imperfect world.
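
Added example, not part of the thread and not Postfix code: a small Python checker that reads an SMTP session transcript and reports where the unqualified postmaster recipient was accepted although other recipients in the same session were rejected, which is the behaviour discussed above. The sample session, its host names and its addresses are constructed, and the function names are hypothetical.

```python
import re

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})([ -])")

# Constructed sample session; host names and addresses are placeholders.
SAMPLE_SESSION = """\
220 test.example.org ESMTP Postfix
HELO .
250 test.example.org
MAIL FROM:<sender@example.net>
250 2.1.0 Ok
RCPT TO:<user@example.org>
501 5.5.2 <.>: Helo command rejected: Invalid name
RCPT TO:<postmaster@example.org>
501 5.5.2 <.>: Helo command rejected: Invalid name
RCPT TO: <Postmaster>
250 2.1.5 Ok
"""

def audit_rcpt(transcript):
    """Pair each RCPT TO command with the final reply code that follows it."""
    results, pending = [], None
    for line in transcript.splitlines():
        line = line.strip()
        cmd = RCPT_RE.match(line)
        if cmd:
            pending = cmd.group(1)
            continue
        reply = REPLY_RE.match(line)
        # "250-" marks a continuation line; only "250 " ends the reply.
        if reply and pending is not None and reply.group(2) == " ":
            results.append((pending, int(reply.group(1))))
            pending = None
    return results

def is_unqualified_postmaster(addr):
    """True for <postmaster> with no domain part, in any letter case."""
    return addr.lower() == "postmaster"

def free_pass_findings(transcript):
    """Unqualified postmaster recipients accepted although another recipient
    in the same session was rejected."""
    pairs = audit_rcpt(transcript)
    others_rejected = any(code >= 400 and not is_unqualified_postmaster(a)
                          for a, code in pairs)
    return [a for a, code in pairs
            if others_rejected and 200 <= code < 300 and is_unqualified_postmaster(a)]

if __name__ == "__main__":
    print(audit_rcpt(SAMPLE_SESSION))
    print(free_pass_findings(SAMPLE_SESSION))
```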