Hi list,

We are using address_verify_map to cache and limit the number of checks on remote smtp servers. This is done because we act as a spam/virus filter for some domains that have their own mail server. Now it seems the address_verify_map is also used for local domains. One of our clients created a mail address after a mail was sent to that mail address. So that mail was rejected, but after the mail address was created mail is still being rejected. I suspect this is because of the address_verify_map (I don't know how to check the btree file?).

How can I enable the address_verify_map only for the relay_domains?

postconf -n

address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_address_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual

Martijn de Munnik wrote:
> Hi list,
>
> How can I enable the address_verify_map only for the relay_domains?
>
> postconf -n
>
> smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl
>

This is rather redundant since you also specify it in recipient restrictions and delay reject is yes.
Best to remove this line to avoid confusion and limit DNS queries to destinations you control.

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_non_fqdn_recipient,
> reject_non_fqdn_sender, reject_unknown_sender_domain,
> reject_unverified_recipient, reject_unauth_destination,
> reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
> reject_rbl_client virbl.dnsbl.bit.nl check_policy_service
> inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:1002

To answer the query:
Replace reject_unverified_recipient with "check_recipient_access hash:/path/to/file"

/path/to/file:
slagenlandwonen.nl reject_unverified_recipient
wfcommunicatie.nl reject_unverified_recipient
#add rest after
#Note: add periods before each in another entry if you want to cover sub-domains as well
#Current default behavior will allow them without the period, but may change in the future
#or if you change parent_domain_matches_subdomains setting

On Wed, 2009-08-19 at 09:10 -0400, Brian Evans - Postfix List wrote:
> Martijn de Munnik wrote:
> > Hi list,
> >
> > How can I enable the address_verify_map only for the relay_domains?
> >
> > postconf -n
> >
> > smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl
> >
>
> This is rather redundant since you also specify it in recipient
> restrictions and delay reject is yes.
> Best to remove this line to avoid confusion and limit DNS queries to
> destinations you control.

Thank you for the tip!

>
> > smtpd_recipient_restrictions = permit_mynetworks,
> > permit_sasl_authenticated, reject_non_fqdn_recipient,
> > reject_non_fqdn_sender, reject_unknown_sender_domain,
> > reject_unverified_recipient, reject_unauth_destination,
> > reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
> > reject_rbl_client virbl.dnsbl.bit.nl check_policy_service
> > inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:1002
>
> To answer the query:
> Replace reject_unverified_recipient with "check_recipient_access
> hash:/path/to/file"
>
> /path/to/file:
> slagenlandwonen.nl reject_unverified_recipient
> wfcommunicatie.nl reject_unverified_recipient
> #add rest after
> #Note: add periods before each in another entry if you want to cover
> sub-domains as well
> #Current default behavior will allow them without the period, but may
> change in the future
> #or if you change parent_domain_matches_subdomains setting
>

Kind regards,
Martijn de Munnik
--
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568

In reply to this post by Brian Evans - Postfix List
On Wed, 2009-08-19 at 09:10 -0400, Brian Evans - Postfix List wrote:
> Martijn de Munnik wrote:
> > Hi list,
> >
> > How can I enable the address_verify_map only for the relay_domains?
> >
> To answer the query:
> Replace reject_unverified_recipient with "check_recipient_access
> hash:/path/to/file"
>
> /path/to/file:
> slagenlandwonen.nl reject_unverified_recipient
> wfcommunicatie.nl reject_unverified_recipient

All the domains where this should be applied to are listed in relay_domains. Can I apply the reject_unverified_recipient rule to those domains without a separate file? I want a single place to manage the relay_domains.

Martijn de Munnik wrote:
> On Wed, 2009-08-19 at 09:10 -0400, Brian Evans - Postfix List wrote:
>
>> Martijn de Munnik wrote:
>>
>>> Hi list,
>>>
>>> How can I enable the address_verify_map only for the relay_domains?
>>>
>>>
>> To answer the query:
>> Replace reject_unverified_recipient with "check_recipient_access
>> hash:/path/to/file"
>>
>> /path/to/file:
>> slagenlandwonen.nl reject_unverified_recipient
>> wfcommunicatie.nl reject_unverified_recipient
>>
>
> All the domains where this should be applied to are listed in
> relay_domains. Can I apply the reject_unverified_recipient rule to those
> domains without a separate file? I want a single place to manage the
> relay_domains.
>
>

It is possible to use the same map as relay_domains itself.
This is because relay_domains just checks to see if the lookup key exists and ignores the result.
http://www.postfix.org/postconf.5.html#relay_domains

It is discouraged to reuse maps as you must know what it is really doing and not overuse 1 map for everything.
In this case, it would do little harm. However you *must* limit the use to just those 2 parameters.

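
The access map from the first reply and the shared-map idea from the last one, combined as an added example that is not part of the original thread: a shell function that turns the inline relay_domains list from the first message into one lookup table usable by both parameters. The function name, the script name and the map path /opt/csw/etc/postfix/relay_domains are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build ONE lookup table that can serve
# as relay_domains and as the check_recipient_access map.

# Action stored as the value of every key; relay_domains ignores the value.
ACTION=reject_unverified_recipient

# Inline list copied from the "postconf -n" output in the first message.
RELAY_DOMAINS="slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl"

# relay_domains_to_map "dom1, dom2 ..."  (hypothetical helper)
# Prints one "domain<TAB>action" line per unique domain, lower-cased.
# Entries that are not plain domain names (for example type:table references
# such as hash:/file) cannot be converted and are reported on stderr.
relay_domains_to_map() {
    printf '%s\n' "$1" | awk -v action="$ACTION" '
    {
        n = split($0, parts, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            d = tolower(parts[i])
            if (d == "") continue
            if (d !~ /^[a-z0-9][a-z0-9.-]*$/) {
                print "skipped (not a plain domain): " parts[i] | "cat 1>&2"
                continue
            }
            if (!(d in seen)) { seen[d] = 1; print d "\t" action }
        }
    }'
}

# Typical use (map path is an assumption):
#   sh relay_map.sh > /opt/csw/etc/postfix/relay_domains
#   postmap hash:/opt/csw/etc/postfix/relay_domains
# main.cf then names the table in exactly two places, with
# check_recipient_access taking the place of reject_unverified_recipient:
#   relay_domains = hash:/opt/csw/etc/postfix/relay_domains
#   smtpd_recipient_restrictions = ...,
#       check_recipient_access hash:/opt/csw/etc/postfix/relay_domains, ...
relay_domains_to_map "$RELAY_DOMAINS"
```

Adding a relay domain then means adding one line to that file and running postmap again; recipients in mydestination are no longer probed or cached by the verify service through this rule.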