DevHeads.net

Trying to understand smtpd_recipient_restrictions order

Hi,

I was under the impression, that smtpd_recipient_restrictions and other
restriction configuration items were being processed top to bottom.

I am running postfix 3.2.2 and as far as I can see my postfix is showing a
different behavior.

I have the following items in my config:

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/bounce_spam_alias.cf
check_recipient_access proxy:mysql:/etc/postfix/bounce_routes.cf
reject_unknown_recipient_domain
reject_unverified_recipient
reject_unlisted_recipient

bounce_spam_alias.cf and bounce_routes.cf are two files querying a local
mysql server for addresses that should bounce.
This seems to be successful:

[root@mailin01 postfix]# postmap -q <a href="mailto:test- ... at example dot org">test- ... at example dot org</a> mysql:/etc/postfix/bounce_routes.cf
554 test-bounce successful Mail bounced
[root@mailin01 postfix]# postmap -q <a href="mailto:test- ... at example dot org">test- ... at example dot org</a> mysql:/etc/postfix/bounce_spam_alias.cf
554 Address marked as spamtrap, mail not accepted
[root@mailin01 postfix]#

If I now use swaks to actually send mail to the test address, I would
expect one such message, instead it seems these two files are not queried
and instead the reject_unverified_recipient rule triggers immediately:

[root@mailin01 postfix]# swaks --from '<>' --to <a href="mailto:test- ... at example dot org">test- ... at example dot org</a> --server=localhost
=== Trying localhost:25...
=== Connected to localhost.
<- 220 mailin01.lan ESMTP Postfix
-> EHLO mailin01.lan
<- 250-mailin01.lan
[...]
-> MAIL FROM:<>
<- 250 2.1.0 Ok
-> RCPT TO:<test- ... at example dot org>
<** 550 5.1.1 <test- ... at example dot org>: Recipient address rejected:
undeliverable address: host mailin01.lan[private/dovecot-lmtp] said: 550
5.1.1 <test- ... at example dot org> User doesn't exist:
<a href="mailto:test- ... at example dot org">test- ... at example dot org</a> (in reply to RCPT TO command)
-> QUIT
<- 221 2.0.0 Bye

So I am unclear why this is happening. I have a smtpd_sender_restrictions
entry that seems to work top-to-bottom.

smtpd_sender_restrictions = check_client_access inline:{10.1.1.1=OK}
reject_unknown_sender_domain

The host coming in from 10.1.1.1 is able to deliver mail even if the MAIL
FROM entry is not resovable.

If I look at the logs, it seems the two entries for check_recipient_access
are not consulted:

May 9 18:47:30 mailin01 postfix/smtpd[24094]: >>> START Recipient address
RESTRICTIONS <<<
May 9 18:47:30 mailin01 postfix/smtpd[24094]: generic_checks:
name=reject_unauth_destination
May 9 18:47:30 mailin01 postfix/smtpd[24094]: reject_unauth_destination:
<a href="mailto:test- ... at example dot org">test- ... at example dot org</a>
May 9 18:47:30 mailin01 postfix/smtpd[24094]: permit_auth_destination:
<a href="mailto:test- ... at example dot org">test- ... at example dot org</a>
May 9 18:47:30 mailin01 postfix/smtpd[24094]: ctable_locate: leave
existing entry key ?test- ... at example dot org
May 9 18:47:30 mailin01 postfix/smtpd[24094]: generic_checks:
name=reject_unauth_destination status=0
May 9 18:47:30 mailin01 postfix/smtpd[24094]: generic_checks:
name=reject_unverified_recipient
May 9 18:47:30 mailin01 postfix/smtpd[24094]: reject_unverified_address:
<a href="mailto:test- ... at example dot org">test- ... at example dot org</a>
May 9 18:47:30 mailin01 postfix/smtpd[24094]: connect to subsystem
private/verify
May 9 18:47:30 mailin01 postfix/smtpd[24094]: send attr request = query
May 9 18:47:30 mailin01 postfix/smtpd[24094]: send attr address =
<a href="mailto:test- ... at example dot org">test- ... at example dot org</a>
May 9 18:47:30 mailin01 postfix/smtpd[24094]: private/verify socket:
wanted attribute: status
May 9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute name:
status
May 9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute value: 0
May 9 18:47:30 mailin01 postfix/smtpd[24094]: private/verify socket:
wanted attribute: recipient_status
May 9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute name:
recipient_status
May 9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute value: 3
May 9 18:47:30 mailin01 postfix/smtpd[24094]: private/verify socket:
wanted attribute: reason
May 9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute name:
reason
May 9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute value:
Address verification in progress
May 9 18:47:30 mailin01 postfix/smtpd[24094]: private/verify socket:
wanted attribute: (list terminator)
May 9 18:47:30 mailin01 postfix/smtpd[24094]: input attribute name: (end)
May 9 18:47:33 mailin01 postfix/smtpd[24094]: send attr request = query
May 9 18:47:33 mailin01 postfix/smtpd[24094]: send attr address =
<a href="mailto:test- ... at example dot org">test- ... at example dot org</a>
May 9 18:47:33 mailin01 postfix/smtpd[24094]: private/verify socket:
wanted attribute: status
May 9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute name:
status
May 9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute value: 0
May 9 18:47:33 mailin01 postfix/smtpd[24094]: private/verify socket:
wanted attribute: recipient_status
May 9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute name:
recipient_status
May 9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute value: 2
May 9 18:47:33 mailin01 postfix/smtpd[24094]: private/verify socket:
wanted attribute: reason
May 9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute name:
reason
May 9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute value: host
mailin01.lan[private/dovecot-lmtp] said: 550 5.1.1
<test- ... at example dot org> User doesn't exist: <a href="mailto:test- ... at example dot org">test- ... at example dot org</a> (in
reply to RCPT TO command)
May 9 18:47:33 mailin01 postfix/smtpd[24094]: private/verify socket:
wanted attribute: (list terminator)
May 9 18:47:33 mailin01 postfix/smtpd[24094]: input attribute name: (end)
May 9 18:47:33 mailin01 postfix/smtpd[24094]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 550 5.1.1 <test- ... at example dot org>: Recipient
address rejected: undeliverable address: host
mailin01.lan[private/dovecot-lmtp] said: 550 5.1.1
<test- ... at example dot org> User doesn't exist: <a href="mailto:test- ... at example dot org">test- ... at example dot org</a> (in
reply to RCPT TO command); from=<> to=<test- ... at example dot org>
proto=ESMTP helo=<mailin01.lan>
May 9 18:47:33 mailin01 postfix/smtpd[24094]: generic_checks:
name=reject_unverified_recipient status=2
May 9 18:47:33 mailin01 postfix/smtpd[24094]: >>> END Recipient address
RESTRICTIONS <<<

Does anyone have any pointers what I might be missing?

cheers,
Andreas

Comments

Re: Trying to understand smtpd_recipient_restrictions order

By Viktor Dukhovni at 05/09/2019 - 13:45

<a href="http://www.postfix.org/DEBUG_README.html#mail" title="http://www.postfix.org/DEBUG_README.html#mail">http://www.postfix.org/DEBUG_README.html#mail</a>

Re: Trying to understand smtpd_recipient_restrictions order

By Andreas Thienemann at 05/09/2019 - 14:24

Hi Viktor,

fair enough...

Problem description:

smtpd_recipient_restrictions seems to be working different than expected.
I would expect addresses listed in check_recipient_access tables to be
bounced.
I would have expected a client sending to <a href="mailto:bounce- ... at example dot org">bounce- ... at example dot org</a> to get
554 test-bounce successful Mail bounced.
Instead I am seeing an error that seems to come from
recipient verification:

-> RCPT TO:<test- ... at example dot org>
<** 550 5.1.1 <test- ... at example dot org>: Recipient address rejected:
undeliverable address: host mailin01.lan[private/dovecot-lmtp]
said: 550 5.1.1 <test- ... at example dot org> User doesn't exist:
<a href="mailto:test- ... at example dot org">test- ... at example dot org</a> (in reply to RCPT TO command)

log extract:

May 9 20:02:18 mailin01 postfix/smtpd[32352]: connect from
localhost[127.0.0.1]
May 9 20:02:52 mailin01 postfix/smtpd[32352]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 550 5.1.1 <bounce- ... at example dot org>: Recipient
address rejected: undeliverable address: host
mailin01.lan[private/dovecot-lmtp] said: 550 5.1.1
<bounce- ... at example dot org> User doesn't exist: <a href="mailto:bounce- ... at example dot org">bounce- ... at example dot org</a> (in
reply to RCPT TO command); from=< ... at example dot com>
to=<bounce- ... at example dot org> proto=ESMTP helo=<mailin01.lan>
May 9 20:02:52 mailin01 postfix/smtpd[32352]: disconnect from
localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

postconf -n output:

[root@mailin01 ~]# postconf -n
address_verify_relayhost =
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases hash:/etc/postfix/mailinglist_aliases
append_dot_mydomain = no
biff = no
enable_original_recipient = yes
inet_interfaces = 10.1.1.38, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps = proxy:mysql:/etc/postfix/local_recipients.cf $alias_maps
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 41943040
milter_connect_macros = j {daemon_name} {daemon_addr} v _
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer} b r v Z
mydestination = mailin01.mx.example.net, localhost.localdomain, localhost, example.org, example.net, srs.example.net
myhostname = mailin01.mx.example.net
mynetworks = 127.0.0.0/8
non_smtpd_milters = { inet:localhost:10005, connect_timeout=10s, default_action=accept }
proxy_read_maps = $local_recipient_maps $smtpd_sender_restrictions $smtpd_recipient_restrictions $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $transport_maps $relay_domains
readme_directory = no
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/relay_hostnames.cf proxy:mysql:/etc/postfix/relay_domains.cf /etc/postfix/mailinglist_relay
relayhost = [relay01.mx.example.net]
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 60
smtpd_client_event_limit_exceptions = 127.0.0.1 10.1.1.67
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 4
smtpd_milters = { unix:/run/spamass-milter/postfix/sock, connect_timeout=10s, default_action=accept } { inet:localhost:10003, connect_timeout=10s, default_action=accept } { inet:localhost:10004, connect_timeout=10s, default_action=accept } { inet:localhost:10006, connect_timeout=10s, default_action=accept } { inet:localhost:10007, connect_timeout=10s, default_action=accept }
smtpd_recipient_restrictions = check_recipient_access
proxy:mysql:/etc/postfix/bounce_spam_alias.cf check_recipient_access
proxy:mysql:/etc/postfix/bounce_routes.cf reject_unknown_recipient_domain
reject_unverified_recipient reject_unlisted_recipient
smtpd_relay_restrictions = reject_unauth_destination
reject_unverified_recipient
smtpd_sasl_auth_enable = no
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_client_access inline:{10.1.1.67=OK} reject_unknown_sender_domain proxy:mysql:/etc/postfix/sender_access_example.cf
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/mailin01.mx.example.net.crt
smtpd_tls_exclude_ciphers = aNULL
smtpd_tls_key_file = /etc/postfix/ssl/mailin01.mx.example.net.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL MD5
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
transport_maps = hash:/etc/postfix/transport proxy:mysql:/etc/postfix/transport.cf
unverified_recipient_reject_code = 550
virtual_alias_domains = proxy:mysql:/etc/postfix/virtual_domains.cf proxy:mysql:/etc/postfix/virtual_hostnames.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_aliases.cf proxy:mysql:/etc/postfix/virtual_transport.cf

postconf --Mf output:

smtp inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - n n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)

I hope that the postconf -n output makes things clearer.

cheers,
Andreas

Re: Trying to understand smtpd_recipient_restrictions order

By Bastian Blank at 05/09/2019 - 13:44

Hi Andreas

On Thu, May 09, 2019 at 07:13:22PM +0200, Andreas Thienemann wrote:
What I forgot: don't bounce mails. But it's okay, as
check_recipient_access can't be used to bounce mails, just to reject
them.

Also don't list maps that should not be able to unconditionally accept
mails before something like reject_unauth_destination.

Bastian

Re: Trying to understand smtpd_recipient_restrictions order

By Bastian Blank at 05/09/2019 - 13:37

On Thu, May 09, 2019 at 07:13:22PM +0200, Andreas Thienemann wrote:
Show logs. Show complete config.

See <a href="http://www.postfix.org/DEBUG_README.html#mail" title="http://www.postfix.org/DEBUG_README.html#mail">http://www.postfix.org/DEBUG_README.html#mail</a>. As this is not your
first question on this list, I assume you have been told about that
already.

Don't split restrictions into multiple lists.

_Don't_ enable verbose logging unless instructed to.

I don't see reject_unauth_destination in anything you showed. I'm
currently not sure if it can be use implicit, but I don't think so.

You don't want to use recipient verification, make sure you can live
without.

Drop mysql until you know how it works.

Bastian

Re: Trying to understand smtpd_recipient_restrictions order

By Viktor Dukhovni at 05/09/2019 - 13:48

I disagree. Indeed as of Postfix 2.10 we have separate relay restrictions
by default. The OP's problem will be evident once the "postconf -n" output
is posted.