# [SOLVED] Postfix not rejecting invalid recipients

## gr0x0rd

I've been using postfix/amavisd-new/clamav as a mail gateway for a number of months now, and for the most part it's been working great. There are a number of hosted Exchange environments behind the mail-filtering gateway, but no local mailboxes.

When setting up the system based on the documentation, one thing I was never able to get working was to not accept messages to invalid users in each domain. Once a relay domain was configured, postfix never seemed to care which user/mailbox a message was addressed to: it filtered and handed the messages off to Exchange, which resulted in some nasty behavior and backscatter, as Exchange is configured by default to send NDRs to invalid recipients. I've since changed this behavior, but wanted to further lock down the postfix environment and drop messages to invalid recipients during the initial parts of the SMTP conversation.

The documentation I followed was that for Postfix and other examples, since I couldn't find a lot of detail on this in the Gentoo docs. I don't have a database containing the valid recipients, just a simple flat file with a hash table. My latest attempt was a simple one, for a single domain.

Here are the relevant config files:

/etc/postfix/verify-domains

```
gr0x0rd.com   reject_unverified_recipient
```

/etc/postfix/relay-recipients

```
gr0x0rd@gr0x0rd.com 1
```

/etc/postfix/main.cf

```
...

# transport and relaying settings
local_transport = error:no local delivery
local_recipient_maps =
transport_maps = hash:/etc/postfix/mailertable
mydestination = /etc/postfix/relay-domains
relay_recipient_maps = hash:/etc/postfix/relay-recipients

...

# reject messages to invalid senders and recipients that we don't relay for
smtpd_recipient_restrictions =
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_non_fqdn_hostname,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unknown_sender_domain,
        reject_unverified_recipient,
        reject_unlisted_recipient,
        check_recipient_access hash:/etc/postfix/verify-domains

...

address_verify_map = btree:$data_directory/verify_cache
# Uncomment this next line when finished testing address verification:
unverified_recipient_reject_reason = Address lookup failed
unverified_recipient_reject_code = 550

...
```

Based on this configuration, postfix should look up the domain settings via the check_recipient_access directive, find reject_unverified_recipient set for the gr0x0rd domain, then look up the recipient in the verify_cache generated from the relay_recipient_maps hash table. However, the server still accepts any message for any user in the configured domain. Here is an example telnet session:

```
gr0x0rd@teletran4 ~ $ telnet <spam server ip> 25
Trying <spam server ip>...
Connected to <spam server ip>.
Escape character is '^]'.
220 spam-test.dmz: spam, phishing, unsolicited marketing and violators of the CASL will be BANNED!
helo teletran4.cybertron.local
250 spam-test.dmz
mail from: gr0x0rd@<somewhere>.com
250 2.1.0 Ok
rcpt to: nobody@gr0x0rd.com
250 2.1.5 Ok
```

With each new address I try, there is a delay as the new entry is looked up and cached. But the message is accepted. Here is what results in the log:

```
...
May 15 11:24:32 spam-test postfix/smtpd[9500]: >>> CHECKING RECIPIENT MAPS <<<
May 15 11:24:32 spam-test postfix/smtpd[9500]: ctable_locate: move existing entry key nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: recipient_canonical_maps: nobody@gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: match_string: gr0x0rd.com ~? gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: recipient_canonical_maps: nobody: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: recipient_canonical_maps: @gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: mail_addr_find: nobody@gr0x0rd.com -> (not found)
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: canonical_maps: nobody@gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: match_string: gr0x0rd.com ~? gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: canonical_maps: nobody: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: canonical_maps: @gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: mail_addr_find: nobody@gr0x0rd.com -> (not found)
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: virtual_alias_maps: nobody@gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: match_string: gr0x0rd.com ~? gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: virtual_alias_maps: nobody: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: maps_find: virtual_alias_maps: @gr0x0rd.com: not found
May 15 11:24:32 spam-test postfix/smtpd[9500]: mail_addr_find: nobody@gr0x0rd.com -> (not found)
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=reject_unlisted_recipient status=0
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=check_recipient_access
May 15 11:24:32 spam-test postfix/smtpd[9500]: check_mail_access: nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: ctable_locate: leave existing entry key nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: check_access: nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: check_domain_access: gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: check_table_result: hash:/etc/postfix/verify-domains reject_unverified_recipient gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: >>> START Recipient address RESTRICTIONS <<<
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=reject_unverified_recipient
May 15 11:24:32 spam-test postfix/smtpd[9500]: reject_unverified_address: nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: send attr request = query
May 15 11:24:32 spam-test postfix/smtpd[9500]: send attr address = nobody@gr0x0rd.com
May 15 11:24:32 spam-test postfix/smtpd[9500]: private/verify socket: wanted attribute: status
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute name: status
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute value: 0
May 15 11:24:32 spam-test postfix/smtpd[9500]: private/verify socket: wanted attribute: recipient_status
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute name: recipient_status
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute value: 0
May 15 11:24:32 spam-test postfix/smtpd[9500]: private/verify socket: wanted attribute: reason
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute name: reason
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute value: 250 2.1.5 Recipient OK
May 15 11:24:32 spam-test postfix/smtpd[9500]: private/verify socket: wanted attribute: (list terminator)
May 15 11:24:32 spam-test postfix/smtpd[9500]: input attribute name: (end)
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=reject_unverified_recipient status=0
May 15 11:24:32 spam-test postfix/smtpd[9500]: >>> END Recipient address RESTRICTIONS <<<
May 15 11:24:32 spam-test postfix/smtpd[9500]: generic_checks: name=check_recipient_access status=0
May 15 11:24:32 spam-test postfix/smtpd[9500]: >>> END Recipient address RESTRICTIONS <<<
```

So it is performing the lookup, but it's returning that the recipient is OK and thus accepts the message. What am I missing here?

Thanks as always for any help or suggestions.

Cheers,

----------

## freke

According to this, main.cf should not have a 'mydestination' when using relay_recipients.

http://www200.pair.com/mecham/spam/relay_recipients.html

----------

## gr0x0rd

Thanks freke, that was just the ticket. I had relay_domains set to $mydestination in my main.conf; once I removed that and the mydestination directive, the recipient lookups started working.

Sure wish I would have stumbled across that document in my searches... Gentoo forums FTW!

Cheers,

----------
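Why freke's fix works, as an added example that is not part of the thread: Postfix resolves a recipient domain to an address class before it runs reject_unlisted_recipient, and the local class (mydestination) is matched before the relay class (relay_domains). With the poster's original main.cf the domain landed in the local class, where the empty local_recipient_maps disables the unknown-recipient check, so relay_recipient_maps was never consulted. The model below mirrors that lookup order; it assumes the relay-domains file lists gr0x0rd.com and that after the fix relay_domains lists the domain directly.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class MainCf:
    """The handful of main.cf parameters that decide recipient validation."""
    mydestination: Set[str] = field(default_factory=set)
    relay_domains: Set[str] = field(default_factory=set)
    local_recipient_maps: Optional[Set[str]] = None   # None = parameter left empty
    relay_recipient_maps: Optional[Set[str]] = None   # None = parameter left empty


def address_class(cf: MainCf, domain: str) -> str:
    """Postfix checks the local class first, then relay, else the default class."""
    if domain in cf.mydestination:
        return "local"
    if domain in cf.relay_domains:
        return "relay"
    return "default"


def rcpt_check(cf: MainCf, address: str) -> str:
    """SMTP reply that reject_unauth_destination + reject_unlisted_recipient produce."""
    _, _, domain = address.lower().partition("@")
    cls = address_class(cf, domain)
    if cls == "default":
        return "554 5.7.1 Relay access denied"
    table = cf.local_recipient_maps if cls == "local" else cf.relay_recipient_maps
    if table is None:
        # Empty *_recipient_maps: Postfix accepts every recipient in this class.
        return "250 2.1.5 Ok"
    if address.lower() in table:
        return "250 2.1.5 Ok"
    return "550 5.1.1 Recipient address rejected: User unknown in %s recipient table" % cls


# Constructed to mirror the poster's files: relay-domains and relay-recipients.
RELAY_DOMAINS = {"gr0x0rd.com"}
RELAY_RECIPIENTS = {"gr0x0rd@gr0x0rd.com"}

# Before: mydestination points at the relay-domains file and relay_domains = $mydestination.
BROKEN = MainCf(mydestination=RELAY_DOMAINS, relay_domains=RELAY_DOMAINS,
                local_recipient_maps=None, relay_recipient_maps=RELAY_RECIPIENTS)
# After: the domain is only in relay_domains, so relay_recipient_maps governs.
FIXED = MainCf(relay_domains=RELAY_DOMAINS, relay_recipient_maps=RELAY_RECIPIENTS)

if __name__ == "__main__":
    for name, cf in (("broken", BROKEN), ("fixed", FIXED)):
        for rcpt in ("nobody@gr0x0rd.com", "gr0x0rd@gr0x0rd.com", "x@other.example"):
            print(f"{name:6} {address_class(cf, rcpt.split('@')[1]):7} {rcpt:20} -> {rcpt_check(cf, rcpt)}")
```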

