Mail to postmaster bypass recipient restrictions


Mail to postmaster bypass recipient restrictions

Alf Vark
I have a small Postfix server that I'm using to familiarise more with
configuration of restrictions. I'm handing off all mail to a virtual
transport which delivers it elsewhere. I'm not using local transport at
all on this server.

While experimenting with smtpd_recipient_restrictions, I noticed that
mails sent to the postmaster (RCPT TO: <postmaster>) bypass all
restrictions. I don't understand why and I can't find any configuration
settings that would make that happen.

For example...

629 $ telnet test 25
Trying 192.168.108.124...
Connected to test.
Escape character is '^]'.
220 test.mytestdomain.org ESMTP Postfix
HELO .
250 test.mytestdomain.org
MAIL FROM:<[hidden email]>
250 2.1.0 Ok
RCPT TO: <[hidden email]>
501 5.5.2 <.>: Helo command rejected: Invalid name
RCPT TO: <postmaster>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

test
.
250 2.0.0 Ok: queued as 5AD8D2F2


This is with a vanilla install of Postfix 3.4.12 and the below main.cf:

compatibility_level = 2
myhostname = test.mytestdomain.org
myorigin = $mydomain
relayhost = [relay.somewhere.else]
inet_protocols = ipv4
smtpd_helo_required = yes

smtpd_recipient_restrictions =
  reject_non_fqdn_sender
  reject_unknown_sender_domain
  permit_mynetworks
  reject_unauth_destination
  reject_non_fqdn_recipient
  reject_invalid_hostname
  permit

virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_alias_maps = pcre:/etc/postfix/virtual_alias_maps
virtual_transport = lmtp:inet:imapserver:24

Only unqualified postmaster bypasses the restrictions, anything else
(including a postmaster fqdn) triggers them as expected. In the above,
the helo should fail, etc.

I've read that one should accept mail to postmaster but the
documentation seems to suggest this needs to be configured rather than
being default behaviour, so I'm surprised to see it doing that out of
the box - I'd like to understand why, if anyone can help?



Re: Mail to postmaster bypass recipient restrictions

Wietse Venema
Alf Vark:
> I have a small Postfix server that I'm using to familiarise more with
> configuration of restrictions. I'm handing off all mail to a virtual
> transport which delivers it elsewhere. I'm not using local transport at
> all on this server.
>
> While experimenting with smtpd_recipient_restrictions, I noticed that
> mails sent to the postmaster (RCPT TO: <postmaster>) bypass all
> restrictions. I don't understand why and I can't find any configuration
> settings that would make that happen.

The postmaster address is special.

If a sysadmin screws up their recipient restriction configuration,
then someone can inform the postmaster that they screwed up.

If they broke their configuration so badly that it does not receive
email anymore, then people will usually notice.

So this is for sysadmins that screw up only mildly.

        Wietse

Re: Mail to postmaster bypass recipient restrictions

Alf Vark


> On 23/06/2020 21:46, Wietse Venema wrote:
>
> The postmaster address is special.

Thanks for confirming that Wietse. I guess this is covered by the
documentation at http://www.postfix.org/BUILTIN_FILTER_README.html#what.

Should that not also apply to "postmaster@*" as well as "postmaster" ?


Re: Mail to postmaster bypass recipient restrictions

Wietse Venema
Alf Vark:
>
>
> > On 23/06/2020 21:46, Wietse Venema wrote:
> >
> > The postmaster address is special.
>
> Thanks for confirming that Wietse. I guess this is covered by the
> documentation at http://www.postfix.org/BUILTIN_FILTER_README.html#what.

That text describes header/body checks, which require information
that is not available during RCPT TO command processing.

> The RCPT TO address
> Should that not also apply to "postmaster@*" as well as "postmaster" ?

RFC 2821 requires that "the special case of "RCPT TO:<Postmaster>"
(with no domain specification), MUST be supported.".

Postfix smtpd_mumble_restrictions handle only forms with a domain,
otherwise you would have to specify access rules twice, once with
domain and once without. Therefore, "RCPT TO:<Postmaster@example>"
is handled as usual, while "RCPT TO:<Postmaster>" is given a free
pass. It is an imperfect world.

        Wietse
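
An added example, not part of the thread or of Postfix: because a bare "RCPT TO:<postmaster>" is accepted without going through smtpd_recipient_restrictions, an operator may want to audit which queued messages arrived that way. The sketch below assumes the usual Postfix syslog layout, where delivery lines carry orig_to=<...> when the recipient was rewritten; the log lines, addresses and the function name are constructed for illustration.

```python
import re

# Constructed sample in Postfix syslog layout (not taken from the thread).
SAMPLE_LOG = """\
Jun 23 21:40:01 test postfix/smtpd[2101]: 5AD8D2F2: client=unknown[192.0.2.10]
Jun 23 21:40:02 test postfix/qmgr[1200]: 5AD8D2F2: from=<sender@example.net>, size=212, nrcpt=1 (queue active)
Jun 23 21:40:03 test postfix/lmtp[2104]: 5AD8D2F2: to=<postmaster@mytestdomain.org>, orig_to=<postmaster>, relay=imapserver[192.0.2.20]:24, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun 23 21:41:10 test postfix/smtpd[2101]: 7BC1A3E0: client=mail.example.com[192.0.2.30]
Jun 23 21:41:11 test postfix/qmgr[1200]: 7BC1A3E0: from=<user@example.com>, size=940, nrcpt=1 (queue active)
Jun 23 21:41:12 test postfix/lmtp[2105]: 7BC1A3E0: to=<postmaster@mytestdomain.org>, relay=imapserver[192.0.2.20]:24, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# "<daemon>[pid]: <queue id>: <rest of record>"
LINE = re.compile(r"postfix/[\w/]+\[\d+\]: ([0-9A-Za-z]+): (.*)$")
CLIENT = re.compile(r"^client=(\S+)")
SENDER = re.compile(r"^from=<([^>]*)>")
# Only the unqualified form; postmaster@domain goes through the normal checks.
BARE = re.compile(r"\borig_to=<postmaster>", re.IGNORECASE)


def bare_postmaster_deliveries(log_text):
    """Return one record per queue ID whose original recipient was bare 'postmaster'."""
    info, hits = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        rec = info.setdefault(qid, {"qid": qid, "client": None, "sender": None})
        if (c := CLIENT.match(rest)):
            rec["client"] = c.group(1)      # connecting host, from smtpd
        elif (s := SENDER.match(rest)):
            rec["sender"] = s.group(1)      # envelope sender, from qmgr
        elif BARE.search(rest) and rec not in hits:
            hits.append(rec)                # delivery line for a bare postmaster rcpt
    return hits


if __name__ == "__main__":
    for rec in bare_postmaster_deliveries(SAMPLE_LOG):
        print(rec["qid"], rec["client"], rec["sender"])
```

The second sample message is addressed to the fully qualified postmaster address, so it is not reported: that form is subject to the configured restrictions.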