Prevent Backscatter


Prevent Backscatter

Postfix User
Hello,

I am trying to reject instead of sending a bounce message back when email arrives for a non-existent account at domains hosted by my server.

This is my main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/domain.com.crt
smtpd_tls_CAfile=/etc/ssl/certs/domain.com.chain.crt
smtpd_tls_key_file=/etc/ssl/private/domain.com.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#recipient_bcc_maps = mysql:/etc/postfix/sqlconf/recipient_bcc_maps.cf
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access $virtual_alias_maps,
        reject_unauth_destination
myhostname = domain.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
resolve_numeric_domain = yes
message_size_limit = 102400000
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

/etc/postfix/sqlconf/virtual_mailbox_maps.cf

user            = vmail
password        = 123
dbname          = mails
query           = SELECT concat(u.username,'@',u.domain) FROM users u WHERE
u.username='%u' AND u.domain='%d' AND u.active='1' and u.type=0 UNION SELECT
n.address FROM users u LEFT JOIN next n ON n.id = u.id WHERE u.username='%u'
AND u.domain='%d' AND u.active='1';
hosts           = 127.0.0.1

I tried adding reject_unverified_recipient under smtpd_recipient_restrictions, but after entering a non-existent username at an
existing domain, there was a 1 second delay, and I still get the "250 2.1.5 Ok" message.

Regards,
Robin

Re: Prevent Backscatter

Wietse Venema
Is your server MX host for domains that are delivered to a different
mail server?
If not:
    Set relay_domains to empty.
If yes:
    DO Specify ONLY THOSE DOMAINS in relay_domains
    DO specify ONLY THOSE recipients in relay_recipient_maps

DO NOT specify virtual (alias or mailbox) stuff in relay_domains

DO NOT specify virtual (alias or mailbox) stuff in relay_recipient_maps

DO specify virtual alias DOMAINS in virtual_alias_DOMAINS.

        Wietse


Re: Prevent Backscatter

Postfix User
Thanks for the reply,

Just made the changes you suggested. I set relay_domains to empty, because all domains are served by the same server. Again I sent a message to a non-existent account, and I am still getting "250 2.1.5 Ok" instead of a reject message.

This is my current main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/domain.com.crt
smtpd_tls_CAfile=/etc/ssl/certs/domain.com.chain.crt
smtpd_tls_key_file=/etc/ssl/private/domain.com.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_alias_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot
relay_domains =
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access $virtual_alias_maps,
        reject_unauth_destination,
        reject_unverified_recipient
myhostname = domain.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
#smtpd_tls_auth_only = yes
resolve_numeric_domain = yes
message_size_limit = 102400000
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Re: Prevent Backscatter

Noel Jones-2
On 1/20/2017 3:01 PM, Postfix User wrote:
> Thanks for the reply,
>
> Just made the changes you suggested. I set relay_domains to empty, because
> all domains are served by the same server. Again I sent a message to non
> existing account, and I am still getting "250 2.1.5 Ok" instead of a reject
> message.
>

I'm sure someone here can help, but we'll need more information.

To get help with a problem, please see:
http://www.postfix.org/DEBUG_README.html#mail

In particular, show "postconf -n" output, postfix log entries
demonstrating the problem, and describe your test procedure.


  -- Noel Jones

Re: Prevent Backscatter

Bastian Blank-3
In reply to this post by Postfix User
On Fri, Jan 20, 2017 at 02:01:27PM -0700, Postfix User wrote:
>         check_sender_access $virtual_alias_maps,

You are creating an open relay, don't do that.

> #smtpd_tls_auth_only = yes

This is _not_ the postconf -n output we were asking for.

Bastian

--
Those who hate and fight must stop themselves -- otherwise it is not stopped.
                -- Spock, "Day of the Dove", stardate unknown

Re: Prevent Backscatter

Postfix User
In reply to this post by Noel Jones-2
Noel Jones-2 wrote:
> In particular, show "postconf -n" output, postfix log entries
> demonstrating the problem, and describe your test procedure.

My test procedure is:
    telnet domain.com 25
    ehlo me
    mail from: <existing_external_username@existing_external_domain>
    rcpt to: <nonexistent_internal_username@existing_internal_domain>
At this point I get an "Ok" message, and I can continue with the session. Because the account doesn't exist, Postfix sends a bounce notification back to the sender address.

This is the output of postconf -n

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
message_size_limit = 102400000
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = domain.com
mynetworks = 127.0.0.0/8
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relayhost =
resolve_numeric_domain = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access $virtual_alias_maps, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/domain.com.chain.crt
smtpd_tls_cert_file = /etc/ssl/certs/domain.com.crt
smtpd_tls_key_file = /etc/ssl/private/domain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot
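Robin's telnet procedure above, scripted so it can be repeated against a server after every configuration change. This is an added example for this thread, not code posted in it and not part of Postfix. The `_FakeMX` responder, the `example.com` domain and the addresses in it are constructed so the probe runs offline; they stand in for a correctly configured MX rather than reproducing Robin's server. The same probe covers the relay checks discussed later in the thread (MAIL FROM forged to a local address, RCPT TO an outside domain).

```python
"""Script the RCPT TO probe behind the thread's manual telnet test.

Added example for this thread, not code posted in it and not part of
Postfix. The fake MX below is constructed so the probe runs offline and
only mimics the replies a correctly configured MX gives.
"""
import smtplib
import socketserver
import threading


def rcpt_probe(host, port, sender, recipient, timeout=10):
    """Return (code, text) of the server's reply to RCPT TO:<recipient>.
    The envelope is reset and the session closed, so nothing is queued."""
    with smtplib.SMTP(host, port, local_hostname="probe.example",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        code, text = smtp.mail(sender)
        if code != 250:
            return code, text.decode(errors="replace")
        code, text = smtp.rcpt(recipient)
        smtp.rset()
        return code, text.decode(errors="replace")


def run_probes(host, port):
    """The three cases tested by hand in the thread, as {case: RCPT code}.
    A 250 for the unknown user means the server will bounce later
    (backscatter); a 250 for the outside recipient means it relays."""
    outside, local, unknown = ("someone@remote.example",
                               "alice@example.com", "nobody@example.com")
    return {
        "known_local_user": rcpt_probe(host, port, outside, local)[0],
        "unknown_local_user": rcpt_probe(host, port, outside, unknown)[0],
        # MAIL FROM forged to a local address, RCPT TO an outside domain
        "relay_with_forged_sender": rcpt_probe(host, port, local,
                                               "victim@remote.example")[0],
    }


class _FakeMX(socketserver.StreamRequestHandler):
    """Constructed stand-in for a correctly configured MX (not Postfix):
    unknown users in its own domains are refused at RCPT, and relaying is
    refused no matter what MAIL FROM claims."""
    LOCAL_DOMAINS = {"example.com"}
    VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

    def reply(self, line):
        self.wfile.write(line.encode() + b"\r\n")

    def handle(self):
        self.reply("220 mx.example.com ESMTP (fake)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 mx.example.com")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>").lower()
                if addr.rpartition("@")[2] not in self.LOCAL_DOMAINS:
                    self.reply("554 5.7.1 <%s>: Relay access denied" % addr)
                elif addr not in self.VALID_RECIPIENTS:
                    self.reply("550 5.1.1 <%s>: Recipient address rejected: "
                               "User unknown in virtual mailbox table" % addr)
                else:
                    self.reply("250 2.1.5 Ok")
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


def start_fake_mx():
    """Serve the fake MX on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeMX)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Replace the fake server with your own host and port 25 to test it.
    server, port = start_fake_mx()
    try:
        for case, code in run_probes("127.0.0.1", port).items():
            print("%-26s %d" % (case, code))
    finally:
        server.shutdown()
        server.server_close()
```

Point `run_probes()` at your own MX on port 25 instead of the fake server. A 250 for a mailbox you know does not exist is the backscatter condition from the first post (the message is accepted and bounced afterwards); a 250 for an outside recipient from an unauthenticated session means the host relays. The probe issues RSET and QUIT after RCPT, so it never submits a message that could itself be bounced.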

Re: Prevent Backscatter

Postfix User
In reply to this post by Bastian Blank-3
Bastian Blank-3 wrote:
> On Fri, Jan 20, 2017 at 02:01:27PM -0700, Postfix User wrote:
> >         check_sender_access $virtual_alias_maps,
>
> You are creating an open relay, don't do that.

Actually I am not creating an open relay; $virtual_alias_maps contains only internal addresses. When I try sending e-mail from an unauthenticated internal user to an external address, or from an external address to another external address, I get "554 5.7.1 <recipient@domain>: Relay access denied".

Re: Prevent Backscatter

Viktor Dukhovni
On Sat, Jan 21, 2017 at 04:38:57AM -0700, Postfix User wrote:

> Bastian Blank-3 wrote
> > On Fri, Jan 20, 2017 at 02:01:27PM -0700, Postfix User wrote:
> >>         check_sender_access $virtual_alias_maps,
> >
> > You are creating an open relay, don't do that.
>
> Actually I am not creating an open relay,

Actually, if a sender-address access(5) table appears before
reject_unauth_destination in smtpd_relay_restrictions (Postfix >=
2.10) or in smtpd_recipient_restrictions (Postfix <= 2.9), then you
would be creating an open relay, since the attacker can forge any
sender address of his choice.

However, more critically, the virtual(5) table is NOT an access(5)
table.  The result associated with each lookup key in virtual(5)
is an email address, not "OK", "REJECT", "DUNNO", which are in
turn not especially valid email addresses.

Secondly, if "$virtual_alias_maps" were to contain multiple tables
or no tables, you would get unexpected results or syntax errors
respectively.

Therefore, "check_sender_access $virtual_alias_maps" is rather
wrong.

--
        Viktor.

Re: Prevent Backscatter

Tanstaafl
In reply to this post by Postfix User
Maybe I'm blind, but I don't see any recipient restrictions at all

On January 20, 2017 5:41:29 PM EST, Postfix User <[hidden email]> wrote:
> My test procedure follows
> telnet domain.com 25
> ehlo me
> mail from: <[hidden email]>
> rcpt to: <[hidden email]>
> At this point I get "Ok" message, and I can continue writing the body of the
> e-mail. Because account doesn't exist, Postfix sends bounce notification
> back to sender address.


Re: Prevent Backscatter

Postfix User
In reply to this post by Viktor Dukhovni
Thanks for the tips Viktor,

For some reason the order of restrictions in smtpd_relay_restrictions (Postfix 2.11.0) was wrong. Luckily expected check_sender_access values are not valid email addresses. After I fix both problems I will post a new postconf -n output.

Robin


Re: Prevent Backscatter

Postfix User
In reply to this post by Tanstaafl
Tanstaafl wrote:
> Maybe I'm blind, but I don't see any recipient restrictions at all

You are right, there are no recipient restrictions, except permit_sasl_authenticated and reject_unauth_destination.

Re: Prevent Backscatter

Postfix User
In reply to this post by Wietse Venema
Postfix User wrote:
> After I fix both problems I will post a new postconf -n output.

I removed check_sender_access completely; it is not required anymore.

Wietse Venema wrote:
> Is your server MX host for domains that are delivered to a different
> mail server?
> If not:
>     Set relay_domains to empty.
> If yes:
>     DO Specify ONLY THOSE DOMAINS in relay_domains
>     DO specify ONLY THOSE recipients in relay_recipient_maps
>
> DO NOT specify virtual (alias or mailbox) stuff in relay_domains
>
> DO NOT specify virtual (alias or mailbox) stuff in relay_recipient_maps
>
> DO specify virtual alias DOMAINS in virtual_alias_DOMAINS.

After specifying virtual_alias_domains, all messages sent from remote to local addresses are answered with the bounce message "User unknown in virtual alias table". I removed this line temporarily, and I set relay_domains to empty.

At the moment all works as expected, except the backscatter problem. This is the latest postconf -n output:

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
message_size_limit = 102400000
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = domain.com
mynetworks = 127.0.0.0/8
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
resolve_numeric_domain = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/domain.com.chain.crt
smtpd_tls_cert_file = /etc/ssl/certs/domain.com.crt
smtpd_tls_key_file = /etc/ssl/private/domain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot

Re: Prevent Backscatter

Wietse Venema
Postfix User:
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination

This will be an open relay if all your SMTP mail is logged with the
same client IP address, i.e. your SMTP mail comes from some box
that is in mynetworks, and Postfix never sees the original SMTP
client IP address.

        Wietse

Re: Prevent Backscatter

Postfix User
Wietse Venema wrote:
> This will be an open relay if all your SMTP mail is logged with the
> same client IP address, i.e. your SMTP mail comes from some box
> that is in mynetworks, and Postfix never sees the original SMTP
> client IP address.

I can remove permit_mynetworks, but only trusted people that have direct access to the server or authenticated webmail users can send from localhost.

Re: Prevent Backscatter

Wietse Venema
In reply to this post by Wietse Venema
Wietse Venema:
> Postfix User:
> > smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
> > reject_unauth_destination
>
> This will be an open relay if all your SMTP mail is logged with the
> same client IP address, i.e. your SMTP mail comes from some box
> that is in mynetworks, and Postfix never sees the original SMTP
> client IP address.

Meh, that wasn't the problem.

        Wietse

Re: Prevent Backscatter

Postfix User
Wietse Venema wrote:
> Wietse Venema:
> > Postfix User:
> > > smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
> > > reject_unauth_destination
> >
> > This will be an open relay if all your SMTP mail is logged with the
> > same client IP address, i.e. your SMTP mail comes from some box
> > that is in mynetworks, and Postfix never sees the original SMTP
> > client IP address.
>
> Meh, that wasn't the problem.

Can you please be more specific about this problem? Do you think this will be an
open relay because I removed the check_sender_access restriction? I tested this
config, and it seems like it is an open relay for authenticated users; here is
the result:

Authenticated sender

        From    local address
        To      any
        Action  OK

        From    remote address
        To      remote address
        Action  OK ( this should be REJECT if the authenticated user is not the same as the from address )

        From    remote address
        To      local address
        Action  OK

Not authenticated sender

        From    remote address
        To      local address
        Action  OK

        From    remote address
        To      remote address
        Action  REJECT

To fix the open relay problem for authenticated sender address, I added
check_sender_access parameter, but now it is not possible to send emails from
remote to local addresses, I get 554 5.7.1 <remote address>: Sender address
rejected: Access denied. This makes sense, because remote sender is not

        permit_mynetworks               : in mynetworks
        permit_sasl_authenticated       : authenticated
        reject_unauth_destination       : rejected, but not permitted either
        check_sender_access             : in allowed senders lookup table

postconf -n | grep smtpd_relay_restrictions

        smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access mysql:/etc/postfix/sqlconf/sender_access.cf

sender_access.cf

        query           = SELECT if(count(*) = 0, "REJECT", "OK") FROM users u WHERE u.username='%u' AND u.domain='%d' AND u.active='1';

To fix the 554 problem, I added permit_auth_destination restriction, and now it
is possible to receive emails from remote senders. The open relay problem for
authenticated users from remote to remote address is still there, because
check_sender_access is after permit_sasl_authenticated

postconf -n | grep smtpd_relay_restrictions

        smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit_auth_destination, check_sender_access mysql:/etc/postfix/sqlconf/sender_access.cf

Authenticated sender

        From    local address
        To      any
        Action  OK

        From    remote address
        To      remote address
        Action  OK ( this should be REJECT if the authenticated user is not the same as the from address )

        From    remote address
        To      local address
        Action  OK

Not authenticated sender

        From    any
        To      local address
        Action  OK

        From    remote address
        To      remote address
        Action  REJECT

Re: Prevent Backscatter

Postfix User
In reply to this post by Wietse Venema
Wietse Venema wrote:
> DO NOT specify virtual (alias or mailbox) stuff in relay_domains

relay_domains is empty.

Wietse Venema wrote:
> DO NOT specify virtual (alias or mailbox) stuff in relay_recipient_maps

relay_recipient_maps is empty.

Wietse Venema wrote:
> DO specify virtual alias DOMAINS in virtual_alias_DOMAINS.

I set a lookup table for virtual_alias_domains. Before, it didn't work because I used $virtual_mailbox_domains, and it has a different format.

postconf -n | grep virtual_alias_domains

        virtual_alias_domains = mysql:/etc/postfix/sqlconf/virtual_alias_domains.cf

virtual_alias_domains.cf

        query           = SELECT u.domain FROM users u WHERE u.username='%u' AND u.domain='%d' AND u.active='1';

Re: Prevent Backscatter

Postfix User
In reply to this post by Postfix User
Postfix User wrote:
> I am trying to reject instead of sending bounce message back when email arrives to non existing account at domains hosted by my server.

For anyone having a similar problem, a check_recipient_access map fixed my problem:

postconf -n | grep smtpd_relay_restrictions

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/sqlconf/sender_access.cf

sender_access.cf
query           = SELECT if(count(*) = 0, "REJECT 'User doesn't exist'", "OK") FROM users u WHERE u.username='%u' AND u.domain='%d' AND u.active='1';

Re: Prevent Backscatter

Wietse Venema
Postfix User:
> Postfix User wrote
> > I am trying to reject instead of sending bounce message back when email
> > arrives to non existing account at domains hosted by my server.
>
> Anyone having similar problem, check_recipient_access map fixed my problem

That is bad advice that covers up a badly-broken configuration.

If anyone has a similar problem, don't set up check_recipient_access.
Instead, study http://www.postfix.org/ADDRESS_CLASS_README.html and
configure the valid recipient maps accordingly.

        Wietse
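Putting Wietse's address-class rules and Viktor's point about check_sender_access together, here is a main.cf fragment for a host that is the final destination for all of its domains. It is an added example for this thread, not Robin's actual configuration and not something any poster wrote. The sqlconf file names follow the thread's layout but are assumed; the three queries are assumed shapes written against the `users` columns visible in Robin's posts (username, domain, active, type); and the smtpd_sender_login_maps stanza is an assumed addition for the authenticated-sender case Robin raised, which nobody in the thread answered.

```ini
# main.cf (added example). Every hosted domain is a virtual MAILBOX domain,
# so its valid recipients must be listed in virtual_mailbox_maps. smtpd(8)
# rejects an unknown recipient at RCPT TO (smtpd_reject_unlisted_recipient
# defaults to yes) only while that table is non-empty; with it unset, as in
# the thread, every address in the domain is accepted and the mailbox
# transport produces the bounce afterwards.
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/virtual_mailbox_domains.cf
virtual_mailbox_maps    = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_alias_maps      = mysql:/etc/postfix/sqlconf/virtual_alias_maps.cf
virtual_transport       = dovecot

# This host relays for nobody, so the relay class stays empty. A mailbox
# domain must not also be listed in virtual_alias_domains (that double
# listing is what produced "User unknown in virtual alias table" above);
# only domains with no mailboxes at all belong there.
relay_domains =
relay_recipient_maps =
virtual_alias_domains =

# Relaying is decided by client network or SASL login, never by MAIL FROM.
# A check_sender_access lookup ahead of reject_unauth_destination can be
# satisfied by any client that forges a listed sender address.
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

# Assumed addition: refuse an authenticated client whose MAIL FROM is not
# owned by its SASL login (the remote-to-remote case tested above).
smtpd_sender_login_maps = mysql:/etc/postfix/sqlconf/sender_login_maps.cf
smtpd_sender_restrictions =
        reject_authenticated_sender_login_mismatch

# /etc/postfix/sqlconf/virtual_mailbox_domains.cf (assumed query; user,
# password, dbname and hosts as in the thread). The lookup key is the bare
# domain, so %s carries it; %u and %d only apply to user@domain keys.
query = SELECT DISTINCT domain FROM users WHERE domain='%s' AND active='1'

# /etc/postfix/sqlconf/virtual_mailbox_maps.cf (assumed query). Key is
# user@domain; any row means the mailbox exists. Aliases stay in
# virtual_alias_maps, where the result is the destination address.
query = SELECT 1 FROM users WHERE username='%u' AND domain='%d' AND active='1' AND type=0

# /etc/postfix/sqlconf/sender_login_maps.cf (assumed query). Key is the
# MAIL FROM address; the result is the SASL login allowed to use it.
query = SELECT CONCAT(username,'@',domain) FROM users WHERE username='%u' AND domain='%d' AND active='1'
```

After reloading, `postmap -q nobody@example.com mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf` should return nothing for a mailbox that does not exist, and the RCPT TO for that address should then be answered with a 550 at SMTP time instead of a later bounce.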

Re: Prevent Backscatter

Postfix User
Wietse Venema wrote:
> If anyone has a similar problem, don't set up check_recipient_access.
> Instead, study http://www.postfix.org/ADDRESS_CLASS_README.html and
> configure the valid recipient maps accordingly.

Give a man a fish, and you feed him for a day. Teach a man to fish, and you feed him for a lifetime.