1

I have a small postfix server for a few domains of my own (matched with mydestination = pcre:/etc/postfix/mydestinations). I set some non-virtual aliases

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

In this file I defined generic aliases

generic: someuser

And with a recipient_delimiter = - I can now use generic-something@example.com as a disposable email address. As some of these generic addresses get spammed I can discard all email according to alias:

generic-spammed: /dev/null

This works beautifully, but it means I keep accepting those emails. Instead I would like to reject them. Reading the aliases doc, it seems I should be able to do the following to reject email with "user unknown" errors:

generic-spammed:    |"exit 67"

Unfortunately the emails are bounced instead of rejected, contributing to backscatter. This means they are initially accepted, with 250 OK returned to the sender, before being bounced.

This is similar to this question, except I am using local destinations, not virtual ones. I have smtpd_reject_unlisted_recipient on as the default, and I suspect my problem is due to the following sentence from the doc:

The recipient domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the recipient is not listed in $local_recipient_maps, and $local_recipient_maps is not null. 

Is the problem that the recipient is listed at all? Is there a way to reject these emails instead of bouncing them?

postconf -n returns the following:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit
mua_sender_restrictions = permit
mydestination = pcre:/etc/postfix/mydestinations
mydomain = xavasite.net
myhostname = dent.xavasite.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 185.26.124.183 [2001:4b98:dc2:47:216:3eff:fe3f:43d3]
myorigin = /etc/mailname
non_smtpd_milters = local:/var/run/opendkim/opendkim.sock
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = -
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_junk_command_limit = 1
smtpd_milters = local:/var/run/opendkim/opendkim.sock
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policy-spf, reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org,
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/2015/GandiStandardSSLCA2.pem
smtpd_tls_cert_file = /etc/ssl/2015/xavier.robin.name.crt
smtpd_tls_key_file = /etc/ssl/2015/xavier.robin.name.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = RC4
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
Calimo

2 Answers

1

I think you have the quotes placed incorrectly in the aliases file

generic-spammed:    |"exit 67"

it should be

generic-spammed:    "|exit 67"

Also, by default postfix will disallow delivery to "|command" so you also need to include the following

allow_mail_to_commands = alias,forward,include

http://www.postfix.org/postconf.5.html#allow_mail_to_commands

Arul Selvan
  • Interesting, both versions can be found on the internet, and they both seem to work and give the same result on my server at least. I happened to have allow_mail_to_commands = alias,forward so that isn't it either. But thanks for trying. – Calimo Oct 30 '16 at 20:40
0

I found a workaround to reject those emails using the check_recipient_access configuration. It allows creating a hash db file containing REJECT statements for specific email addresses.

I created a file named /etc/postfix/alias_disable with the following content:

generic-spammed@example.com     REJECT

Then I ran postmap alias_disable and added a line in main.cf within the scope of smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
        [...]
        check_recipient_access hash:/etc/postfix/alias_disable

Now the emails are rejected, without a bounce:

554 5.7.1 <generic-spammed@example.com>: Recipient address rejected: Access denied;

Apparently it should be possible to customize the reject message, including with several postfix actions but I haven't tried yet.

Calimo
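
An added example, not part of either answer: a shell function that derives the /etc/postfix/alias_disable table from the /dev/null entries already in /etc/aliases, so each discard alias becomes an SMTP-time reject for every local domain passed to it. The function name aliases_to_access and the ACTION variable are names chosen here; the sample domains are placeholders.

```shell
#!/bin/sh
# Added example (not from the answers above): turn discard aliases into
# SMTP-time rejects. Function name and ACTION variable are chosen here.
#
# Usage: aliases_to_access ALIASES_FILE DOMAIN...
#   aliases_to_access /etc/aliases example.com > /etc/postfix/alias_disable
#   postmap /etc/postfix/alias_disable
#
# ACTION defaults to REJECT, as in the answer; access(5) also accepts
# "5NN text", e.g. ACTION="550 5.1.1 User unknown".
aliases_to_access() {
    aliases_file=$1
    shift
    awk -v domains="$*" -v action="${ACTION:-REJECT}" '
        # Emit one access-table line per domain for the pending alias.
        function flush(   k, n, d) {
            if (pending == "") return
            n = split(domains, d, " ")
            for (k = 1; k <= n; k++)
                printf "%s@%s\t%s\n", pending, d[k], action
            pending = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comment or blank line
        /^[ \t]/ { pending = ""; next }      # continuation line: the entry has
                                             # further targets, so keep accepting
        {
            flush()
            i = index($0, ":")
            if (i == 0) next
            name = substr($0, 1, i - 1)
            target = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", target)
            # Only aliases whose sole target is /dev/null are rejected.
            if (target == "/dev/null") pending = name
        }
        END { flush() }
    ' "$aliases_file"
}
```

Regenerate the table and rerun postmap whenever a discard alias is added or removed, since the access map is a static copy of the aliases file at that moment.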