Rejecting email to unknown users at a virtual domain


Alan Boyd
Hello,

I'm trying to find a way to reject email which is sent to an unknown  
user (determined by an external program) at a virtual domain, such  
that the email doesn't even enter the mail queue.

Currently, my setup is as follows:
I use a virtual mapping to send email in the format  
*@virtualdomain.com to a localuser.
In my aliases file, email to localuser is piped to an external program  
for delivery.

I can set up my external program to return a sysexit code of 67 so  
that a bounce message is sent back to the sender. But since I'm using  
a catchall email address, this would result in a very large number of  
bounce messages being sent due to the spammer 'shotgun' approach of  
trying to find valid addresses. I'd much prefer it if I can find a way  
to query the address early on so that an email to an unknown user is  
rejected and doesn't even get into the mail queue.

Any clues on how this might be accomplished? I can change my external  
program as desired and the 'valid' email addresses are variable (and  
fairly large) but known.

Cheers!

Re: Rejecting email to unknown users at a virtual domain

Wietse Venema
Alan Boyd:

> Hello,
>
> I'm trying to find a way to reject email which is sent to an unknown  
> user (determined by an external program) at a virtual domain, such  
> that the email doesn't even enter the mail queue.
>
> Currently, my setup is as follows:
> I use a virtual mapping to send email in the format  
> *@virtualdomain.com to a localuser.
> In my aliases file, email to localuser is piped to an external program  
> for delivery.
>
> I can set up my external program to return a sysexit code of 67 so  
> that a bounce message is sent back to the sender. But since I'm using  
> a catchall email address, this would result in a very large number of  
> bounce messages being sent due to the spammer 'shotgun' approach of  
> trying to find valid addresses. I'd much prefer it if I can find a way  
> to query the address early on so that an email to an unknown user is  
> rejected and doesn't even get into the mail queue.
>
> Any clues on how this might be accomplished? I can change my external  
> program as desired and the 'valid' email addresses are variable (and  
> fairly large) but known.

For Postfix to reject invalid recipients at the SMTP port, this
information must be available as a lookup table. You will have
to use one of the supported database types: file, SQL, LDAP, and
so on, or add your own table lookup mechanism.

See "man 1 postconf", option "-m".

        Wietse

Re: Rejecting email to unknown users at a virtual domain

Alan Boyd
Hi,

Thanks for the response. Two questions:

1) Which variable in main.cf should this lookup table be referenced in?
2) I've read the man page, but it isn't clear whether I can
reference a database or table which is produced as the output of a  
program? For example, whether postfix can read the output of some kind  
of generatetable.pl file?

Cheers!

On 26 Sep 2008, at 11:44, Wietse Venema wrote:

> Alan Boyd:
>> Hello,
>>
>> I'm trying to find a way to reject email which is sent to an unknown
>> user (determined by an external program) at a virtual domain, such
>> that the email doesn't even enter the mail queue.
>>
>> Currently, my setup is as follows:
>> I use a virtual mapping to send email in the format
>> *@virtualdomain.com to a localuser.
>> In my aliases file, email to localuser is piped to an external  
>> program
>> for delivery.
>>
>> I can set up my external program to return a sysexit code of 67 so
>> that a bounce message is sent back to the sender. But since I'm using
>> a catchall email address, this would result in a very large number of
>> bounce messages being sent due to the spammer 'shotgun' approach of
>> trying to find valid addresses. I'd much prefer it if I can find a  
>> way
>> to query the address early on so that an email to an unknown user is
>> rejected and doesn't even get into the mail queue.
>>
>> Any clues on how this might be accomplished? I can change my external
>> program as desired and the 'valid' email addresses are variable (and
>> fairly large) but known.
>
> For Postfix to reject invalid recipients at the SMTP port, this
> information must be available as a lookup table. You will have
> to use one of the supported database types: file, SQL, LDAP, and
> so on, or add your own table lookup mechanism.
>
> See "man 1 postconf", option "-m".
>
> Wietse


Re: Rejecting email to unknown users at a virtual domain

Wietse Venema
Alan Boyd:
> Hello,
>
> I'm trying to find a way to reject email which is sent to an unknown
> user (determined by an external program) at a virtual domain, such
> that the email doesn't even enter the mail queue.

Wietse Venema:
> For Postfix to reject invalid recipients at the SMTP port, this
> information must be available as a lookup table. You will have
> to use one of the supported database types: file, SQL, LDAP, and
> so on, or add your own table lookup mechanism.
>
> See "man 1 postconf", option "-m".

Alan Boyd:
> Hi,
>
> Thanks for the response. Two questions:
>
> 1) Which variable in main.cf should this lookup table be referenced in?

Recipient validation is normally done with the lookup tables listed
in http://www.postfix.org/ADDRESS_CLASS_README.html, however you
can also use smtpd_***_restrictions to block recipients.

> 2) I've read the man page, but it isn't clear whether I can
> reference a database or table which is produced as the output of a  
> program? For example, whether postfix can read the output of some kind  
> of generatetable.pl file?

The following mechanisms are implemented as lookups from a static
file: hash, btree, dbm, cdb, regexp, pcre, cidr. In this case you
provide the data in the form of a file, and Postfix will do the
lookups from that file.  See "man postmap".

The following lookups are implemented by sending a query to a
running program:  mysql, pgsql, ldap, tcp, nis, nisplus (see
http://www.postfix.org/mysql_table.5.html etc.); the smtpd policy
protocol (http://www.postfix.org/SMTPD_POLICY_README.html); and
the Milter protocol (http://www.postfix.org/MILTER_README.html).
In this case you provide the running program that answers to
Postfix's queries.

        Wietse
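
The static-file route from the reply above, as an added example that is not part of the original thread: a generator that turns a list of known addresses into an access(5) table in which each valid address is accepted and the bare domain entry rejects everything else (Postfix looks up the full address before the domain). The function name, the sample domain and the reject text are assumptions of this example.

```python
import re

# Conservative syntax check (an assumption of this example, not a full
# RFC 5321 parser). It exists to keep whitespace and stray tokens out of
# the table, where they would be read as part of the action column.
ADDRESS_RE = re.compile(r"[a-z0-9._+-]+@[a-z0-9.-]+")


def build_recipient_access(addresses, domain,
                           reject_text="REJECT 5.1.1 User unknown in virtual domain"):
    """Return the text of an access(5) table for one virtual domain."""
    seen = set()
    for addr in addresses:
        addr = addr.strip().lower()
        if not addr:
            continue
        if not ADDRESS_RE.fullmatch(addr) or not addr.endswith("@" + domain):
            raise ValueError("refusing to write suspicious entry: %r" % addr)
        seen.add(addr)
    if not seen:
        # An empty list would turn the table into "reject the whole domain".
        raise ValueError("empty address list, table not generated")
    lines = ["%s\tOK" % addr for addr in sorted(seen)]
    # Fallback entry: consulted only when no full-address entry matched.
    lines.append("%s\t%s" % (domain, reject_text))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input standing in for the external program's list.
    sample = ["alice@virtualdomain.com", "sales@virtualdomain.com"]
    print(build_recipient_access(sample, "virtualdomain.com"), end="")
```

The output still has to be written to a file, indexed with postmap, and referenced from check_recipient_access; listing that check after reject_unauth_destination keeps the OK entries from short-circuiting the relay check.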

Re: Rejecting email to unknown users at a virtual domain

Alan Boyd
Gah.

I was hoping there'd be some means to do a simple pipe to an external  
application which provided the result. :(
I suppose the SMTPD_POLICY_README is the way to go, then. Though it's  
a little more heavyweight than I anticipated.

Still, it would allow me to easily ignore other domains

Cheers!

On 26 Sep 2008, at 13:34, Wietse Venema wrote:

> Alan Boyd:
>> Hello,
>>
>> I'm trying to find a way to reject email which is sent to an unknown
>> user (determined by an external program) at a virtual domain, such
>> that the email doesn't even enter the mail queue.
>
> Wietse Venema:
>> For Postfix to reject invalid recipients at the SMTP port, this
>> information must be available as a lookup table. You will have
>> to use one of the supported database types: file, SQL, LDAP, and
>> so on, or add your own table lookup mechanism.
>>
>> See "man 1 postconf", option "-m".
>
> Alan Boyd:
>> Hi,
>>
>> Thanks for the response. Two questions:
>>
>> 1) Which variable in main.cf should this lookup table be referenced  
>> in?
>
> Recipient validation is normally done with the lookup tables listed
> in http://www.postfix.org/ADDRESS_CLASS_README.html, however you
> can also use smtpd_***_restrictions to block recipients.
>
>> 2) I've read the man page, but it isn't clear whether I can
>> reference a database or table which is produced as the output of a
>> program? For example, whether postfix can read the output of some  
>> kind
>> of generatetable.pl file?
>
> The following mechanisms are implemented as lookups from a static
> file: hash, btree, dbm, cdb, regexp, pcre, cidr. In this case you
> provide the data in the form of a file, and Postfix will do the
> lookups from that file.  See "man postmap".
>
> The following lookups are implemented by sending a query to a
> running program:  mysql, pgsql, ldap, tcp, nis, nisplus (see
> http://www.postfix.org/mysql_table.5.html etc.); the smtpd policy
> protocol (http://www.postfix.org/SMTPD_POLICY_README.html); and
> the Milter protocol (http://www.postfix.org/MILTER_README.html).
> In this case you provide the running program that answers to
> Postfix's queries.
>
> Wietse


Re: Rejecting email to unknown users at a virtual domain

mouss-2
Alan Boyd wrote:
> Gah.
>
> I was hoping there'd be some means to do a simple pipe to an external
> application which provided the result. :(
> I suppose the SMTPD_POLICY_README is the way to go, then. Though it's a
> little more heavyweight than I anticipated.
>
> Still, it would allow me to easily ignore other domains
>

if you don't use a catchall or don't break address validation with
wildcard virtual aliases, postfix would reject invalid recipients.

but since you're apparently breaking that, you need to reject recipients
you don't want to accept either using a policy service or a map
(check_recipient_access...).
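
The policy-service route mentioned in the replies above, as an added example that is not part of the original thread: a handler for the smtpd policy protocol, which receives name=value attributes ended by an empty line and answers with a single action. The domain and address sets are constructed stand-ins for the poster's external address store.

```python
import sys

# Constructed sample data: a real service would query the same address store
# that the delivery program uses.
VIRTUAL_DOMAINS = {"virtualdomain.com"}
VALID_RECIPIENTS = {"alice@virtualdomain.com", "sales@virtualdomain.com"}
REJECT = "REJECT 5.1.1 User unknown in virtual domain"


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the access(5) action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    rcpt = attrs.get("recipient", "").lower()
    domain = rcpt.rpartition("@")[2]
    if "@" not in rcpt or domain not in VIRTUAL_DOMAINS:
        return "DUNNO"  # other domains: leave the decision to later restrictions
    return "DUNNO" if rcpt in VALID_RECIPIENTS else REJECT


def serve(stream_in, stream_out):
    """Answer requests on one connection until Postfix closes it."""
    request = []
    for raw in stream_in:
        line = raw.rstrip("\r\n")
        if line:
            request.append(line)
            continue
        # An empty line ends the request; the reply is one attribute
        # followed by an empty line.
        stream_out.write("action=%s\n\n" % decide(parse_request(request)))
        stream_out.flush()
        request = []


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Postfix reaches such a program through check_policy_service in smtpd_recipient_restrictions, with the process started by spawn(8) as described in SMTPD_POLICY_README.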