address_verify_map and relay_domains


address_verify_map and relay_domains

Martijn de Munnik-2
Hi list,

We are using address_verify_map to cache and limit the number of checks
on remote smtp servers. This is done because we act as a spam/virus
filter for some domains that have their own mail server. Now it seems
the address_verify_map is also used for local domains.

One of our clients created a mail address after a mail was sent to that
mail address. So that mail was rejected, but after the mail address was
created mail is still being rejected. I suspect this is because of the
address_verify_map (I don't know how to check the btree file?).

How can I enable the address_verify_map only for the relay_domains?

postconf -n
address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d
    $LOGNAME
mailbox_size_limit = 0
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = slagenlandwonen.nl, wfcommunicatie.nl,
    gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl,
    loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl,
    dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_recipient,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unverified_recipient, reject_unauth_destination,
    reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
    reject_rbl_client virbl.dnsbl.bit.nl check_policy_service
    inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_address_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual



Re: address_verify_map and relay_domains

Brian Evans - Postfix List
Martijn de Munnik wrote:
> Hi list,
>
> How can I enable the address_verify_map only for the relay_domains?
>
> postconf -n
>
> smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl
>  

This is rather redundant since you also specify it in recipient
restrictions and delay reject is yes.
Best to remove this line to avoid confusion and limit DNS queries to
destinations you control.

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,   reject_non_fqdn_recipient,
> reject_non_fqdn_sender,   reject_unknown_sender_domain,
> reject_unverified_recipient,   reject_unauth_destination,
> reject_invalid_helo_hostname,   reject_non_fqdn_helo_hostname,
> reject_rbl_client virbl.dnsbl.bit.nl   check_policy_service
> inet:127.0.0.1:12525,   check_policy_service inet:127.0.0.1:1002

To answer the query:
Replace reject_unverified_recipient with "check_recipient_access
hash:/path/to/file"

/path/to/file:
slagenlandwonen.nl  reject_unverified_recipient
wfcommunicatie.nl   reject_unverified_recipient
# add rest after
# Note: add periods before each in another entry if you want to cover
# sub-domains as well
# Current default behavior will allow them without the period, but may
# change in the future
# or if you change parent_domain_matches_subdomains setting


Re: address_verify_map and relay_domains

Martijn de Munnik-2

On Wed, 2009-08-19 at 09:10 -0400, Brian Evans - Postfix List wrote:

> Martijn de Munnik wrote:
> > Hi list,
> >
> > How can I enable the address_verify_map only for the relay_domains?
> >
> > postconf -n
> >
> > smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl
> >  
>
> This is rather redundant since you also specify it in recipient
> restrictions and delay reject is yes.
> Best to remove this line to avoid confusion and limit DNS queries to
> destinations you control.

Thank you for the tip!

>
> > smtpd_recipient_restrictions = permit_mynetworks,
> > permit_sasl_authenticated,   reject_non_fqdn_recipient,
> > reject_non_fqdn_sender,   reject_unknown_sender_domain,
> > reject_unverified_recipient,   reject_unauth_destination,
> > reject_invalid_helo_hostname,   reject_non_fqdn_helo_hostname,
> > reject_rbl_client virbl.dnsbl.bit.nl   check_policy_service
> > inet:127.0.0.1:12525,   check_policy_service inet:127.0.0.1:1002
>
> To answer the query:
> Replace reject_unverified_recipient with "check_recipient_access
> hash:/path/to/file"
>
> /path/to/file:
> slagenlandwonen.nl  reject_unverified_recipient
> wfcommunicatie.nl   reject_unverified_recipient
> #add rest after
> #Note: add periods before each in another entry if you want to cover
> sub-domains as well
> #Current default behavior will allow them without the period, but may
> change in the future
> #or if you change parent_domain_matches_subdomains setting
>
Okay!

Kind regards,

Martijn de Munnik

--
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568


Re: address_verify_map and relay_domains

Martijn de Munnik-2
In reply to this post by Brian Evans - Postfix List

On Wed, 2009-08-19 at 09:10 -0400, Brian Evans - Postfix List wrote:

> Martijn de Munnik wrote:
> > Hi list,
> >
> > How can I enable the address_verify_map only for the relay_domains?
> >
> To answer the query:
> Replace reject_unverified_recipient with "check_recipient_access
> hash:/path/to/file"
>
> /path/to/file:
> slagenlandwonen.nl  reject_unverified_recipient
> wfcommunicatie.nl   reject_unverified_recipient

All the domains where this should be applied to are listed in
relay_domains. Can I apply the reject_unverified_recipient rule to those
domains without a separate file? I want a single place to manage the
relay_domains.


Re: address_verify_map and relay_domains

Brian Evans - Postfix List
Martijn de Munnik wrote:

> On Wed, 2009-08-19 at 09:10 -0400, Brian Evans - Postfix List wrote:
>  
>> Martijn de Munnik wrote:
>>    
>>> Hi list,
>>>
>>> How can I enable the address_verify_map only for the relay_domains?
>>>
>>>      
>> To answer the query:
>> Replace reject_unverified_recipient with "check_recipient_access
>> hash:/path/to/file"
>>
>> /path/to/file:
>> slagenlandwonen.nl  reject_unverified_recipient
>> wfcommunicatie.nl   reject_unverified_recipient
>>    
>
> All the domains where this should be applied to are listed in
> relay_domains. Can I apply the reject_unverified_recipient rule to those
> domains without a separate file? I want a single place to manage the
> relay_domains.
>
>  

It is possible to use the same map as relay_domains itself.
This is because relay_domains just checks to see if the lookup key
exists and ignores the result.
http://www.postfix.org/postconf.5.html#relay_domains

It is discouraged to reuse maps as you must know what it is really doing
and not overuse 1 map for everything.
In this case, it would do little harm.  However you *must* limit the use
to just those 2 parameters.
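
The shared-map setup discussed in this thread, as an added example that is not part of the original posts: one file serves both relay_domains (which ignores the right-hand side) and check_recipient_access (which executes it), so every entry must carry reject_unverified_recipient. The function names and the path /etc/postfix/relay_verify are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the map path
# /etc/postfix/relay_verify are hypothetical.

# Turn a relay_domains-style list (commas and/or whitespace, read from
# stdin) into access(5) entries: "<domain><TAB>reject_unverified_recipient".
# Domains are lower-cased and de-duplicated, first occurrence wins.
build_relay_verify_map() {
    tr ',\t' '  ' | tr -s ' ' '\n' | tr '[:upper:]' '[:lower:]' |
    awk 'NF && !seen[$1]++ { print $1 "\treject_unverified_recipient" }'
}

# Print every non-comment entry whose action is anything other than
# reject_unverified_recipient and return non-zero if one was found.
# relay_domains ignores the right-hand side, but check_recipient_access
# executes it: a leftover "OK" would accept the recipient at that point
# and skip the restrictions listed after it.
lint_relay_verify_map() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         NF != 2 || $2 != "reject_unverified_recipient" { print; bad = 1 }
         END { exit bad + 0 }'
}

# One-time migration, run by hand after reviewing the generated file:
#   postconf -h relay_domains | build_relay_verify_map > /etc/postfix/relay_verify
#   lint_relay_verify_map < /etc/postfix/relay_verify \
#       && postmap hash:/etc/postfix/relay_verify
#
# main.cf then references the file from exactly these two parameters:
#   relay_domains = hash:/etc/postfix/relay_verify
#   smtpd_recipient_restrictions = ...,
#       check_recipient_access hash:/etc/postfix/relay_verify, ...
# with check_recipient_access taking the place of the unconditional
# reject_unverified_recipient.
```

Run the lint step again after every manual edit of the file, before postmap.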