7

So, right now I am halfway through trying to set up an outgoing-mail blacklist, by way of smtpd_recipient_restrictions.

The problem I am experiencing is that my test emails are being delivered when I am expecting them to be rejected by the system.

Here's the /etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_recipient_restrictions =
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/recipient_block

myhostname = hostname.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = hostname.domain.com, hostname.domain.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

My /etc/postfix/recipient_block (this was run through postmap afterwards)

personalemail@anotheroneofmydomains.com REJECT

And then, I'm sending the test email like so:

$ echo test | mail -s "test email, please ignore" personalemail@anotheroneofmydomains.com

Postfix has had its conf reloaded and has been restarted a couple of times to try to troubleshoot, all to no avail.

A chunk from tailing the /var/log/mail.log file reads like so:

Sep 25 02:27:17 antares postfix/master[3024]: reload -- version 2.7.0, configuration /etc/postfix
Sep 25 02:27:27 antares postfix/pickup[3104]: C723018770: uid=1001 from=<obsidian>
Sep 25 02:27:27 antares postfix/cleanup[3110]: C723018770: message-id=<20110925092727.C723018770@hostname.domain.com>
Sep 25 02:27:27 antares postfix/qmgr[3105]: C723018770: from=<obsidian@hostname.domain.com>, size=388, nrcpt=1 (queue active)
Sep 25 02:27:28 antares postfix/smtp[3112]: C723018770: to=<personalemail@anotheroneofmydomains.com>, relay=ASPMX.L.GOOGLE.COM[74.125.47.26]:25, delay=0.35, delays=0.01/0.01/0.12/0.21, dsn=2.0.0, status=sent (250 2.0.0 OK 1316942848 j50si8227610yhe.128)
Sep 25 02:27:28 antares postfix/qmgr[3105]: C723018770: removed

...So, I'm stumped. I don't see why the email isn't being rejected.

damianb

2 Answers

6

The problem is that the mail is sent via the pickup service (via the sendmail interface) and so it is an "outgoing" mail. For outgoing mail the smtpd_*_restrictions don't apply. These restrictions only apply for "incoming" mails that have been sent via SMTP.

Edit: There is even a solution provided by Victor Duchovni (Postfix maintainer): http://marc.info/?l=postfix-users&m=120155612332393&w=1

masegaloeh
mailq
  • Bummer, I guess I was a bit misinformed then when reading through the docs. Thanks for the link and the info, I guess this is a lost cause that isn't worth the performance drain or timesink. – damianb Sep 25 '11 at 13:51
  • 1
    @Obsidian_ You **can** get it to work if you don't use sendmail (the interface) as delivery method. Send your mails locally via SMTP and it will work! Have look at [msmtp](http://msmtp.sourceforge.net/) to accomplish that. – mailq Sep 25 '11 at 13:58
  • Okay, I see. I'll have to make sure that I can run the various web-apps on the server through local SMTP just fine first though. – damianb Sep 25 '11 at 14:09
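One way to see, from the log alone, which messages took the pickup path (and therefore never passed through smtpd_recipient_restrictions) and which arrived via smtpd, as an added example that is not part of the answer above. The sample log is constructed: it reuses the lines from the question and adds one hypothetical SMTP session from 127.0.0.1 that is rejected by the recipient_block table; the NOQUEUE line follows the format Postfix 2.x uses for RCPT-time rejections.

```shell
#!/bin/sh
# Added example, not from the original answer: a mail.log check that shows
# which queue entries were injected through pickup(8) (sendmail/mail command
# path, where smtpd_*_restrictions never run) and which through smtpd(8),
# together with what happened to each recipient.

# Print one line per delivery attempt or SMTP-time rejection:
#   <queue-id|NOQUEUE> <injection service> <recipient> <status>
injection_report() {
  awk '
    # Queue-id lines look like "postfix/<service>[pid]: <QUEUEID>: ..."
    match($0, /postfix\/[a-z]+\[[0-9]+\]: [A-F0-9]+:/) {
      hdr = substr($0, RSTART, RLENGTH)
      svc = hdr; sub(/^postfix\//, "", svc); sub(/\[.*/, "", svc)
      qid = hdr; sub(/^.*: /, "", qid); sub(/:$/, "", qid)
      # The first service that logs a queue id is the one that accepted the
      # message: pickup (local submission) or smtpd (SMTP submission).
      if ((svc == "pickup" || svc == "smtpd") && !(qid in path)) path[qid] = svc
      if (svc == "smtp" || svc == "local") {
        to = $0; sub(/^.*to=</, "", to); sub(/>.*/, "", to)
        st = $0; sub(/^.*status=/, "", st); sub(/ .*/, "", st)
        print qid, (qid in path ? path[qid] : "unknown"), to, st
      }
    }
    # Rejections at RCPT TO time never get a queue id; smtpd logs them as NOQUEUE.
    /postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject:/ {
      to = $0; sub(/^.*to=</, "", to); sub(/>.*/, "", to)
      print "NOQUEUE", "smtpd", to, "rejected"
    }
  ' "$1"
}

# Constructed sample log: the question's own lines plus a hypothetical
# SMTP submission from 127.0.0.1 rejected by check_recipient_access.
sample_log() {
  cat <<'EOF'
Sep 25 02:27:17 antares postfix/master[3024]: reload -- version 2.7.0, configuration /etc/postfix
Sep 25 02:27:27 antares postfix/pickup[3104]: C723018770: uid=1001 from=<obsidian>
Sep 25 02:27:27 antares postfix/cleanup[3110]: C723018770: message-id=<20110925092727.C723018770@hostname.domain.com>
Sep 25 02:27:27 antares postfix/qmgr[3105]: C723018770: from=<obsidian@hostname.domain.com>, size=388, nrcpt=1 (queue active)
Sep 25 02:27:28 antares postfix/smtp[3112]: C723018770: to=<personalemail@anotheroneofmydomains.com>, relay=ASPMX.L.GOOGLE.COM[74.125.47.26]:25, delay=0.35, delays=0.01/0.01/0.12/0.21, dsn=2.0.0, status=sent (250 2.0.0 OK 1316942848 j50si8227610yhe.128)
Sep 25 02:27:28 antares postfix/qmgr[3105]: C723018770: removed
Sep 25 02:30:01 antares postfix/smtpd[3200]: connect from localhost[127.0.0.1]
Sep 25 02:30:02 antares postfix/smtpd[3200]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <personalemail@anotheroneofmydomains.com>: Recipient address rejected: Access denied; from=<user@domain.com> to=<personalemail@anotheroneofmydomains.com> proto=ESMTP helo=<hostname.domain.com>
Sep 25 02:30:03 antares postfix/smtpd[3200]: disconnect from localhost[127.0.0.1]
EOF
}

# Stand-alone run: report on the constructed sample.
LOGFILE=$(mktemp)
sample_log > "$LOGFILE"
injection_report "$LOGFILE"
rm -f "$LOGFILE"
```

Run against a real log with `injection_report /var/log/mail.log`. A line whose second column is `pickup` and whose status is `sent` is exactly the case in the question: the message was accepted by the local submission path, so the restriction table was never consulted, and only the delivery agent's result appears.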
2

As @mailq says, the "mail" program does not inject messages via SMTP, and "smtpd_recipient_restrictions" only applies to messages received via SMTP. So, for example, if you run this you should see it showing the reject:

printf 'ehlo hostname.domain.com\nmail from: <user@domain.com>\nrcpt to: '\
    '<personalemail@anotheroneofmydomains.com>\nquit\n' | nc localhost 25

This does an SMTP connection via "netcat" (usually called "nc"), and should demonstrate that the block is indeed in place.

Perhaps this is enough? If not, the only way I can come up with to do a rejection for this remote address is to set up a transport that rejects messages sent to it, and then list that address in the transport table to be associated with the rejecting transport.

Sean Reifschneider
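The transport-table approach described in the answer, made concrete as an added example (not the answer's own code): the blocked address is routed to Postfix's error(8) delivery agent, which bounces the message whether it entered through smtpd or through the sendmail/mail command. Paths are the Debian defaults from the question; `POSTFIX_DIR` and `BLOCK_REASON` are this script's own variables, so it can be exercised against a scratch directory on a host without Postfix.

```shell
#!/bin/sh
# Added example, not from the original answer: block one recipient for every
# injection path by handing its mail to the error(8) agent via transport(5).

POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix}"
BLOCK_REASON="mail to this address is blocked by local policy"

# One transport(5) entry: "<address><TAB>error:<bounce text>".
# "error:" selects the error(8) agent; the text becomes the bounce reason.
transport_entry() {
  printf '%s\terror:%s\n' "$1" "$BLOCK_REASON"
}

# Append the entry and rebuild the hash: table. postmap is only run where
# Postfix is installed, so the function also works in a scratch directory.
write_transport_map() {
  transport_entry "$1" >> "$POSTFIX_DIR/transport"
  if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$POSTFIX_DIR/transport"
  fi
}

# Point main.cf at the table and reload; skipped where Postfix is absent.
enable_transport_map() {
  if command -v postconf >/dev/null 2>&1; then
    postconf -e "transport_maps = hash:$POSTFIX_DIR/transport"
    postfix reload
  fi
}

# Usage: sh block-address.sh personalemail@anotheroneofmydomains.com
if [ $# -eq 1 ]; then
  write_transport_map "$1"
  enable_transport_map
fi
```

Two points to keep in mind. First, transport_maps is consulted for the full address before the domain, so this entry affects only that one recipient and not the rest of anotheroneofmydomains.com. Second, unlike an smtpd restriction this does not refuse the message at RCPT TO time: Postfix accepts it into the queue and then bounces it to the envelope sender (here the local user who ran `mail`), and the bounce shows up in mail.log as a delivery by the error agent rather than as a NOQUEUE reject.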