Question about reject_unverified_recipient in smtpd_recipient_restrictions

Question about reject_unverified_recipient in smtpd_recipient_restrictions

Gerben Wierda
Hello,

In my setup, I’m using the greylisting policy. Now, a spammer tries to send mail to a nonexistent address. But he still gets the greylisting temp failure sent:

Nov 21 16:35:42 vanroodewierda.rna.nl postfix/smtpd[21832]: connect from unknown[186.1.16.66]
Nov 21 16:35:43 vanroodewierda /usr/libexec/postfix/greylist.pl[21841]: Temporary message rejection to: <[hidden email]> from: <[hidden email]> sent from: [186.1.16.66] for: 60 seconds due to greylisting
Nov 21 16:35:43 vanroodewierda.rna.nl postfix/smtpd[21832]: NOQUEUE: reject: RCPT from unknown[186.1.16.66]: 450 4.7.1 <[hidden email]>: Recipient address rejected: Service is unavailable; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<chinandega1.casacross.com.ni>
Nov 21 16:35:43 vanroodewierda.rna.nl postfix/smtpd[21832]: disconnect from unknown[186.1.16.66]

rna.nl is in $mydestination (it is $mydomain), g.c.th.wierdadd does not exist (is not a valid user or alias or virtual_user).

Config

smtpd_helo_restrictions =
    permit_mynetworks
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    permit
smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients
    reject_rbl_client zen.spamhaus.org
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
    check_policy_service unix:private/policy
    permit

Question: why does this message end up in greylisting while I have reject_unverified_recipient set?

Is this potentially an (unexpected) result of smtpd_delay_reject = yes?

Thanks,

G

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Wietse Venema
Gerben Wierda:
> smtpd_recipient_restrictions =
> permit_sasl_authenticated
> permit_mynetworks
> reject_unauth_destination
> reject_unknown_recipient_domain
> reject_unverified_recipient

You may want to look at these settings (defaults shown):

    unverified_recipient_defer_code = 450
    unverified_recipient_reject_code = 450
    unverified_recipient_reject_reason =
    unverified_recipient_tempfail_action = $reject_tempfail_action
    reject_tempfail_action = defer_if_permit

I suspect that you're hitting a cached defer_if_permit response.

        Wietse

> check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
> check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
> check_policy_service unix:private/policy
> permit
>
> Question: why does this message end up in greylisting while I have reject_unverified_recipient set?
>
> Is this potentially an (unexpected) result of smtpd_delay_reject = yes?
>
> Thanks,
>
> G

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Gerben Wierda

> On 21 Nov 2016, at 17:33, Wietse Venema <[hidden email]> wrote:
>
> Gerben Wierda:
>> smtpd_recipient_restrictions =
>> permit_sasl_authenticated
>> permit_mynetworks
>> reject_unauth_destination
>> reject_unknown_recipient_domain
>> reject_unverified_recipient
>
> You may want to look at these settings (defaults shown):
>
>    unverified_recipient_defer_code = 450
>    unverified_recipient_reject_code = 450
>    unverified_recipient_reject_reason =
>    unverified_recipient_tempfail_action = $reject_tempfail_action
>    reject_tempfail_action = defer_if_permit

from postconf:

address_verify_map = btree:$data_directory/verify_cache
unverified_recipient_defer_code = 450
unverified_recipient_reject_code = 450
unverified_recipient_reject_reason =
unverified_recipient_tempfail_action = $reject_tempfail_action
reject_tempfail_action = defer_if_permit

> I suspect that you're hitting a cached defer_if_permit response.

I don’t understand what that means or what to do about it. Should I just remove /Library/Server/Mail/Data/mta/verify_cache.db and do a reload?

Or should I just have to add to main.cf:
unverified_recipient_reject_code = 550
and do a reload?

And is that last thing safe?

Another question. The phrase “Reject the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable.” leads to some confusion for me. Does ‘not reachable’ also include temporary failures? If so, wouldn’t this mechanism turn normal 450 into 550 when it is not supposed to do?

What I’m looking for is a way that nonexistent local addresses are rejected. The strange thing is, they are of course at some point. When I try to mail to [hidden email] from a local machine (so ssl_authenticated and local network) I get

The server response was: <[hidden email]>: Recipient address rejected: User unknown in local recipient table

But when spammers do this, they currently get a policy response instead.

I don’t want to hit outgoing mail (my own users, all authenticated) with this, only incoming for my own destinations,

G

PS. What command do I use to get my exact postfix version?





Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Wietse Venema
Gerben Wierda:

>
> > On 21 Nov 2016, at 17:33, Wietse Venema <[hidden email]> wrote:
> >
> > Gerben Wierda:
> >> smtpd_recipient_restrictions =
> >> permit_sasl_authenticated
> >> permit_mynetworks
> >> reject_unauth_destination
> >> reject_unknown_recipient_domain
> >> reject_unverified_recipient
> >
> > You may want to look at these settings (defaults shown):
> >
> >    unverified_recipient_defer_code = 450
> >    unverified_recipient_reject_code = 450
> >    unverified_recipient_reject_reason =
> >    unverified_recipient_tempfail_action = $reject_tempfail_action
> >    reject_tempfail_action = defer_if_permit
>
> from postconf:
>
> address_verify_map = btree:$data_directory/verify_cache
> unverified_recipient_defer_code = 450
> unverified_recipient_reject_code = 450
> unverified_recipient_reject_reason =
> unverified_recipient_tempfail_action = $reject_tempfail_action
> reject_tempfail_action = defer_if_permit
>
> > I suspect that you're hitting a cached defer_if_permit response.

Actually, the stored info is one of {accepted, deferred, rejected}.
I cannot quickly locate the code that uses the
unverified_recipient_tempfail_action setting.

> Or should I just have to add to main.cf:
> unverified_recipient_reject_code = 550
> and do a reload?

Yes, you probably want to reject mail immediately.

> Another question. The phrase “Reject the request when mail to the
> RCPT TO address is known to bounce, or when the recipient address
> destination is not reachable.” leads to some confusion for me.
> Does ‘not reachable’ also include temporary failures?

Temporary failure means that the answer is not known. When making
an irreversible decision (like permanently rejecting mail), Postfix
is quite insistent on making the distinction between having and not
having authoritative information.

        Wietse

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Gerben Wierda
Wietse, sorry, please bear with me here, but this is not easy to understand (given the complexity of all the settings). And I’m afraid to damage my mail in the sense that I start refusing legitimate mail.

> On 21 Nov 2016, at 21:17, Wietse Venema <[hidden email]> wrote:
>
> Gerben Wierda:
>
>>> On 21 Nov 2016, at 17:33, Wietse Venema <[hidden email]> wrote:
>>>
>>> Gerben Wierda:
>>>> smtpd_recipient_restrictions =
>>>> permit_sasl_authenticated
>>>> permit_mynetworks
>>>> reject_unauth_destination
>>>> reject_unknown_recipient_domain
>>>> reject_unverified_recipient
>>>
>>> You may want to look at these settings (defaults shown):
>>>
>>>   unverified_recipient_defer_code = 450
>>>   unverified_recipient_reject_code = 450
>>>   unverified_recipient_reject_reason =
>>>   unverified_recipient_tempfail_action = $reject_tempfail_action
>>>   reject_tempfail_action = defer_if_permit
>>
>> from postconf:
>>
>> address_verify_map = btree:$data_directory/verify_cache
>> unverified_recipient_defer_code = 450
>> unverified_recipient_reject_code = 450
>> unverified_recipient_reject_reason =
>> unverified_recipient_tempfail_action = $reject_tempfail_action
>> reject_tempfail_action = defer_if_permit
>>
>>> I suspect that you're hitting a cached defer_if_permit response.
>
> Actually, the stored info is one of {accepted, deferred, rejected}.
> I cannot quickly locate the code that uses the
> unverified_recipient_tempfail_action setting.
>
>> Or should I just have to add to main.cf:
>> unverified_recipient_reject_code = 550
>> and do a reload?
>
> Yes, you probably want to reject mail immediately.
>
>> Another question. The phrase “Reject the request when mail to the
>> RCPT TO address is known to bounce, or when the recipient address
>> destination is not reachable.” leads to some confusion for me.
>> Does ‘not reachable’ also include temporary failures?
>
> Temporary failure means that the answer is not known. When making
> an irreversible decision (like permanently rejecting mail), Postfix
> is quite insistent on making the distinction between having and not
> having authoritative information.

So, just that I understand. With *my* unverified_recipient_reject_code in the 5xx range, but a remote SMTP server giving a temporary failure (4xx) on an address (or just plain unreachable), *my* postfix would still return 4xx because it cannot be certain?

I still would like to understand why with a setting like this

smtpd_recipient_restrictions =
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_unknown_recipient_domain
reject_unverified_recipient
check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
check_policy_service unix:private/policy
permit

and a recipient that is not in the 'local recipient table’, check_policy_service is even reached. Is that *solely* because of unverified_recipient_reject_code is in the 4xx range? 

And the best thing is: how do I make sure that reject_unverified_recipient only works on local ($mydestination) addresses?

I am rna.nl. If foo.com sends mail to [hidden email] I want rejection on locally undeliverable recipients to be quick. If my users connect to my mail server for outgoing mail, I want no local cache of ‘verified’ recipients, I leave that to the MTA at the final destination.

G

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Gerben Wierda
In reply to this post by Wietse Venema
I did another test. I changed the recipient restrictions to:

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients,
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders,
    check_policy_service unix:private/policy,
    permit

But when I locally send mail to a non fqdn address, it just gets delivered:

Nov 21 22:14:49 vanroodewierda.rna.nl postfix/smtpd[26346]: 5E2B31BBECEC: client=hermione.rna.nl[192.168.2.86], sasl_method=DIGEST-MD5, sasl_username=gerben
Nov 21 22:14:49 vanroodewierda.rna.nl postfix/cleanup[26389]: 5E2B31BBECEC: message-id=<[hidden email]>
Nov 21 22:14:49 vanroodewierda.rna.nl postfix/qmgr[26379]: 5E2B31BBECEC: from=<[hidden email]>, size=517, nrcpt=1 (queue active)
Nov 21 22:14:49 vanroodewierda.rna.nl postfix/pipe[26392]: 5E2B31BBECEC: to=<[hidden email]>, orig_to=<gerben>, relay=dovecot, delay=0.24, delays=0.14/0.02/0/0.08, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 21 22:14:49 vanroodewierda.rna.nl postfix/qmgr[26379]: 5E2B31BBECEC: removed

Now, this is weird. Definitely non-fqdn (orig_to=<gerben>), reject_non_fqdn_recipient, but delivered nonetheless.

G



Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Wietse Venema
Gerben Wierda:
> I did another test. I changed the recipient restrictions to:
>
> smtpd_recipient_restrictions =
> reject_unauth_pipelining,
> reject_non_fqdn_recipient,
> permit_sasl_authenticated,
> permit_mynetworks,

Due to permit_mynetworks, sending mail from a "local" client will
skip all further checks.

> reject_unauth_destination,
> reject_unknown_recipient_domain,
> reject_unverified_recipient,
> check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients,
> check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders,
>         check_policy_service unix:private/policy,
>         permit

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Gerben Wierda

> On 22 Nov 2016, at 01:58, Wietse Venema <[hidden email]> wrote:
>
> Gerben Wierda:
>> I did another test. I changed the recipient restrictions to:
>>
>> smtpd_recipient_restrictions =
>> reject_unauth_pipelining,
>> reject_non_fqdn_recipient,
>> permit_sasl_authenticated,
>> permit_mynetworks,
>
> Due to permit_mynetworks, sending mail from a "local" client will
> skip all further checks.

But permit_mynetworks comes after reject_non_fqdn_recipient, and I was giving it a non-fqdn address. So, it should not reach the permit_mynetworks check at all. It shouldn’t have anyway, because the mail agent sends authenticated, but that doesn’t change the question here.

Note, this was a different issue than the one with greylisting, it was meant to check if the order of checks works as expected and it didn’t.

G




Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Wietse Venema
Gerben Wierda:

>
> > On 22 Nov 2016, at 01:58, Wietse Venema <[hidden email]> wrote:
> >
> > Gerben Wierda:
> >> I did another test. I changed the recipient restrictions to:
> >>
> >> smtpd_recipient_restrictions =
> >> reject_unauth_pipelining,
> >> reject_non_fqdn_recipient,
> >> permit_sasl_authenticated,
> >> permit_mynetworks,
> >
> > Due to permit_mynetworks, sending mail from a "local" client will
> > skip all further checks.
>
> But permit_mynetworks comes after reject_non_fqdn_recipient, and I was giving it a non-fqdn address. So, it should not reach the permit_mynetworks check at all. It shouldn’t have anyway, because the mail agent sends authenticated, but that doesn’t change the question here.

No, you gave an address without domain. That's not what reject_non_fqdn_xxx
looks for.

        Wietse

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Mariusz Piasecki
In reply to this post by Wietse Venema
You should check master.cf, maybe you have some commands below services
which override main.cf.


On 2016-11-21 at 21:17, Wietse Venema wrote:

> Gerben Wierda:
>>> On 21 Nov 2016, at 17:33, Wietse Venema <[hidden email]> wrote:
>>>
>>> Gerben Wierda:
>>>> smtpd_recipient_restrictions =
>>>> permit_sasl_authenticated
>>>> permit_mynetworks
>>>> reject_unauth_destination
>>>> reject_unknown_recipient_domain
>>>> reject_unverified_recipient
>>> You may want to look at these settings (defaults shown):
>>>
>>>     unverified_recipient_defer_code = 450
>>>     unverified_recipient_reject_code = 450
>>>     unverified_recipient_reject_reason =
>>>     unverified_recipient_tempfail_action = $reject_tempfail_action
>>>     reject_tempfail_action = defer_if_permit
>> from postconf:
>>
>> address_verify_map = btree:$data_directory/verify_cache
>> unverified_recipient_defer_code = 450
>> unverified_recipient_reject_code = 450
>> unverified_recipient_reject_reason =
>> unverified_recipient_tempfail_action = $reject_tempfail_action
>> reject_tempfail_action = defer_if_permit
>>
>>> I suspect that you're hitting a cached defer_if_permit response.
> Actually, the stored info is one of {accepted, deferred, rejected}.
> I cannot quickly locate the code that uses the
> unverified_recipient_tempfail_action setting.
>
>> Or should I just have to add to main.cf:
>> unverified_recipient_reject_code = 550
>> and do a reload?
> Yes, you probably want to reject mail immediately.
>
>> Another question. The phrase “Reject the request when mail to the
>> RCPT TO address is known to bounce, or when the recipient address
>> destination is not reachable.” leads to some confusion for me.
>> Does ‘not reachable’ also include temporary failures?
> Temporary failure means that the answer is not known. When making
> an irreversible decision (like permanently rejecting mail), Postfix
> is quite insistent on making the distinction between having and not
> having authoritative information.
>
> Wietse
>


--
Regards
[name] Mariusz Piasecki
[job] System Administrator
[e-mail] [hidden email]
[office] +48 56 61-97-520
[fax] +48 56 56 61-97-518
[www] http://www.extranet.pl




Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Mariusz Piasecki
Try adding "reject_unlisted_recipient" to smtpd_recipient_restrictions.

On 2016-11-22 at 12:38, Mariusz Piasecki wrote:

> You should check master.cf, maybe you have some commands below
> services which overrides main.cf.
>
>
> On 2016-11-21 at 21:17, Wietse Venema wrote:
>> Gerben Wierda:
>>>> On 21 Nov 2016, at 17:33, Wietse Venema <[hidden email]> wrote:
>>>>
>>>> Gerben Wierda:
>>>>> smtpd_recipient_restrictions =
>>>>>     permit_sasl_authenticated
>>>>>     permit_mynetworks
>>>>>     reject_unauth_destination
>>>>>     reject_unknown_recipient_domain
>>>>>     reject_unverified_recipient
>>>> You may want to look at these settings (defaults shown):
>>>>
>>>>     unverified_recipient_defer_code = 450
>>>>     unverified_recipient_reject_code = 450
>>>>     unverified_recipient_reject_reason =
>>>>     unverified_recipient_tempfail_action = $reject_tempfail_action
>>>>     reject_tempfail_action = defer_if_permit
>>> from postconf:
>>>
>>> address_verify_map = btree:$data_directory/verify_cache
>>> unverified_recipient_defer_code = 450
>>> unverified_recipient_reject_code = 450
>>> unverified_recipient_reject_reason =
>>> unverified_recipient_tempfail_action = $reject_tempfail_action
>>> reject_tempfail_action = defer_if_permit
>>>
>>>> I suspect that you're hitting a cached defer_if_permit response.
>> Actually, the stored info is one of {accepted, deferred, rejected}.
>> I cannot quickly locate the code that uses the
>> unverified_recipient_tempfail_action setting.
>>
>>> Or should I just have to add to main.cf:
>>> unverified_recipient_reject_code = 550
>>> and do a reload?
>> Yes, you probably want to reject mail immediately.
>>
>>> Another question. The phrase “Reject the request when mail to the
>>> RCPT TO address is known to bounce, or when the recipient address
>>> destination is not reachable.” leads to some confusion for me.
>>> Does ‘not reachable’ also include temporary failures?
>> Temporary failure means that the answer is not known. When making
>> an irreversible decision (like permanently rejecting mail), Postfix
>> is quite insistent on making the distinction between having and not
>> having authoritative information.
>>
>>     Wietse
>>
>
>


Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

Gerben Wierda

> On 23 Nov 2016, at 09:29, Mariusz Piasecki <[hidden email]> wrote:
>
> Try add "reject_unlisted_recipient" to smtpd_recipient_restrictions.

Thank you. That was, it seems, what I was looking for. With

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
#   reject_unknown_recipient_domain,
#   reject_unverified_recipient,
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients,
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders,
    check_policy_service unix:private/policy,
    permit

authenticated/local users can use the MTA without real restrictions, whereas the open service on port 25 is limited to the local domains and then only known recipients. It worked immediately:

Nov 23 12:48:19 vanroodewierda.rna.nl postfix/smtpd[41019]: NOQUEUE: reject: RCPT from deric.instagolf.es[185.46.165.53]: 550 5.1.1 <[hidden email]>: Recipient address rejected: User unknown in local recipient table; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<instagolf.es>
Nov 23 12:48:19 vanroodewierda.rna.nl postfix/smtpd[41019]: disconnect from deric.instagolf.es[185.46.165.53]

The commented entries are now unnecessary. I could move them up before ssl_authenticated to protect my own users against errors.

G
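
A simplified model of the evaluation order discussed in this thread, added here as an illustration; it is not Postfix code and not code from any poster. It shows why a pending defer_if_permit lets the greylisting reply through, while reject_unlisted_recipient ends the list with a 550. The domain, user table, network prefix and shortened reply texts are constructed, and reject_unknown_recipient_domain and the two whitelist lookups are left out.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAIN = "example.test"          # constructed stand-in for $mydestination
LOCAL_USERS = {"gerben@example.test"}  # constructed local recipient table
MYNETWORKS = "192.168.2."              # constructed prefix standing in for $mynetworks
DEFAULTS = {"unverified_recipient_reject_code": 450,
            "unverified_recipient_defer_code": 450}

@dataclass
class Rcpt:
    client_ip: str
    recipient: str
    sasl_user: Optional[str] = None
    verify_cache: str = "unknown"      # probe result: "ok", "bounce" or "unknown"

def is_local(r):
    return r.recipient.endswith("@" + LOCAL_DOMAIN)

def permit_sasl_authenticated(r, cfg):
    return ("PERMIT", "") if r.sasl_user else ("DUNNO", "")

def permit_mynetworks(r, cfg):
    return ("PERMIT", "") if r.client_ip.startswith(MYNETWORKS) else ("DUNNO", "")

def reject_unauth_destination(r, cfg):
    return ("DUNNO", "") if is_local(r) else ("REJECT", "554 Relay access denied")

def reject_unverified_recipient(r, cfg):
    if r.verify_cache == "bounce":     # authoritative: the probe bounced
        return ("REJECT", "%d undeliverable address" % cfg["unverified_recipient_reject_code"])
    if r.verify_cache == "unknown":    # no answer yet: tempfail action defer_if_permit
        return ("DEFER_IF_PERMIT", "%d unverified address" % cfg["unverified_recipient_defer_code"])
    return ("DUNNO", "")

def reject_unlisted_recipient(r, cfg):
    if is_local(r) and r.recipient not in LOCAL_USERS:
        return ("REJECT", "550 5.1.1 User unknown in local recipient table")
    return ("DUNNO", "")

def check_policy_service(r, cfg):
    # Greylisting stand-in: a first attempt always gets the 450 seen in the log.
    return ("REJECT", "450 4.7.1 Service is unavailable")

def evaluate(restrictions, rcpt, cfg=DEFAULTS):
    """Return (restriction that decided, SMTP reply) for one RCPT TO."""
    pending = None                     # first defer_if_permit seen so far
    for check in restrictions:
        action, reply = check(rcpt, cfg)
        if action == "REJECT":
            return check.__name__, reply   # a later reject wins over a pending defer
        if action == "DEFER_IF_PERMIT" and pending is None:
            pending = (check.__name__, reply)
        if action == "PERMIT":
            return pending or (check.__name__, "250 2.1.5 Ok")
    return pending or ("implicit permit", "250 2.1.5 Ok")

ORIGINAL = [permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
            reject_unverified_recipient, check_policy_service]
FIXED = [permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
         reject_unlisted_recipient, check_policy_service]

if __name__ == "__main__":
    spam = Rcpt("186.1.16.66", "nobody@example.test")
    print("original list:", evaluate(ORIGINAL, spam))
    print("fixed list:   ", evaluate(FIXED, spam))
```
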

