
We run a Postfix mail server. It's Postfix + SpamAssassin + Cyrus + MailScanner + MySQL. The primary mail server is used by one domain (example.com) (two domains in total). Postfix is using MySQL for virtual domains and users. Also, I have rewritten one domain, example.com, to example.biz.

The server was set up (configured) about 7 years ago. Here is postconf -n

The problem is that in the logfile I see some random recipients for the virtual domain. I read the Postfix Backscatter Howto and this question. At the moment the server is sending Delivery Status Notifications back to those senders. I tried various configurations, but without luck. Here is the output from the SMTP log:

 postfix/smtpd[29764]: >>> CHECKING RECIPIENT MAPS <<<
 postfix/smtpd[29764]: ctable_locate: leave existing entry key randomuser@example.com
 postfix/smtpd[29764]: maps_find: recipient_canonical_maps: randomuser@example.com: not found
 postfix/smtpd[29764]: match_string: example.com ~? mysql:/etc/postfix/mysql-mydestination.cf(0,lock|fold_fix)
 postfix/smtpd[29764]: dict_mysql_get_active: attempting to connect to host unix:/var/run/mysqld/mysqld.sock
 postfix/smtpd[29764]: dict_mysql: successful connection to host unix:/var/run/mysqld/mysqld.sock
 postfix/smtpd[29764]: dict_mysql: successful query from host unix:/var/run/mysqld/mysqld.sock
 postfix/smtpd[29764]: dict_mysql_lookup: retrieved 0 rows
 postfix/smtpd[29764]: match_list_match: example.com: no match
 postfix/smtpd[29764]: maps_find: recipient_canonical_maps: hash:/etc/postfix/myrecipientmap(0,lock|fold_fix): @example.com = @example.biz
 postfix/smtpd[29764]: mail_addr_find: randomuser@example.com -> @example.biz
 postfix/smtpd[29764]: smtpd_check_rewrite: trying: permit_inet_interfaces
 postfix/smtpd[29764]: permit_inet_interfaces: mail-lf0-f51.google.com 209.85.215.51
 postfix/smtpd[29764]: before input_transp_cleanup: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mapp
 postfix/smtpd[29764]: after input_transp_cleanup: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mappi
 postfix/smtpd[29764]: connect to subsystem public/cleanup
 postfix/smtpd[29764]: public/cleanup socket: wanted attribute: queue_id
 postfix/smtpd[29764]: input attribute name: queue_id
 postfix/smtpd[29764]: input attribute value: 6564E15F890
 postfix/smtpd[29764]: public/cleanup socket: wanted attribute: (list terminator)
 postfix/smtpd[29764]: input attribute name: (end)
 postfix/smtpd[29764]: send attr flags = 50
 postfix/smtpd[29764]: 6564E15F890: client=mail-lf0-f51.google.com[209.85.215.51]
 postfix/smtpd[29764]: > mail-lf0-f51.google.com[209.85.215.51]: 250 2.1.5 Ok
 postfix/smtpd[29764]: < mail-lf0-f51.google.com[209.85.215.51]: DATA

In the log I see that the random user is not found in the database: `dict_mysql_lookup: retrieved 0 rows`. So that's correct. But it isn't rejected at the SMTP level. Obviously something is wrong with my config.

I tried adding a virtual user lookup to the smtpd_recipient_restrictions directive and changed permit to reject, but without luck.

What I want to do, then, is change the Postfix behaviour so that, instead of generating a bounce email from MAILER-DAEMON, the mail is rejected during the SMTP transaction.

Guntis

1 Answer

Well, it seems that while you don't have such an account under virtual domains in MySQL, you have for some reason set a canonical map for this domain:

postfix/smtpd[29764]: maps_find: recipient_canonical_maps: hash:/etc/postfix/myrecipientmap(0,lock|fold_fix): @example.com = @example.biz    

The canonical(5) manual explicitly states that:

@domain address
          Replace other addresses in domain by address.  This form has the
          lowest precedence.

          Note: @domain is a wild-card.  When  this  form  is  applied  to
          recipient  addresses,  the  Postfix SMTP server accepts mail for
          any recipient in domain, regardless of  whether  that  recipient
          exists.   This  may  turn  your  mail  system into a backscatter
          source: Postfix first accepts mail for  non-existent  recipients
          and  then  tries  to  return that mail as "undeliverable" to the
          often forged sender address.

In short, you should stop using this form of aliasing in canonical maps and use virtual alias maps for this purpose.

Peter Zhabin
  • Thanks. I will try to change the configuration in several days and then report back. – Guntis Dec 19 '16 at 13:13
  • If I remove recipient_canonical_maps then blocking works at the SMTP level. But then the domain rewrite doesn't work anymore. We have the primary domain `example.com`. After some time we registered another domain, `example.biz`, and are rewriting example.biz to example.com – Guntis Dec 19 '16 at 18:37
  • I added the domain rewrite in `canonical_maps`; that works, but this way it accepts mail for random accounts too :( – Guntis Dec 19 '16 at 18:58
  • If you need to rewrite domain part AND keep recipient validation before queue, you need to add individual address aliases for your existing virtual domain users into virtual_alias_maps. Any form of @domain on the left side of the lookup will turn off recipient validation in postfix. – Peter Zhabin Dec 19 '16 at 19:22
  • That looks like it. I already tried adding various rewrites and unknown accounts are still accepted. Thanks Peter. – Guntis Dec 19 '16 at 19:34
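
An added example, not part of the original answer or comments: a small audit script that parses a Postfix lookup-table source file, flags the `@domain` wildcard keys that switch off recipient validation, and emits the per-address entries for `virtual_alias_maps` that the answer recommends instead. The sample map content, the mailbox list and the function names are constructed for illustration, and it assumes the real mailboxes live in the rewrite target domain.

```python
# Constructed sample of a map such as /etc/postfix/myrecipientmap.
SAMPLE_MAP = """\
# domain rewrite (wildcard form, disables recipient validation)
@example.com    @example.biz
postmaster@example.com
    admin@example.biz
"""

# Constructed list of existing mailboxes (in practice: exported from MySQL).
SAMPLE_MAILBOXES = ["alice@example.biz", "bob@example.biz", "carol@example.org"]


def parse_postfix_table(text):
    """Return (key, value) pairs from Postfix table source text."""
    logical = []
    for raw in text.splitlines():
        # Blank lines and lines whose first non-blank char is '#' are ignored.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        # A line starting with whitespace continues the previous logical line.
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return [tuple(l.split(None, 1)) for l in logical if len(l.split(None, 1)) == 2]


def wildcard_keys(pairs):
    """Entries whose lookup key is a bare @domain (accepts any recipient)."""
    return [(k, v) for k, v in pairs if k.startswith("@")]


def per_user_aliases(pairs, mailboxes):
    """Expand each @old -> @new rule into one alias line per real mailbox."""
    lines = []
    for key, value in wildcard_keys(pairs):
        if not value.startswith("@"):
            continue  # catch-all to a single address: needs a manual decision
        old, new = key[1:].lower(), value[1:].lower()
        for addr in mailboxes:
            local, _, domain = addr.rpartition("@")
            if domain.lower() == new:
                lines.append(f"{local}@{old} {local}@{new}")
    return sorted(lines)


if __name__ == "__main__":
    table = parse_postfix_table(SAMPLE_MAP)
    for key, value in wildcard_keys(table):
        print(f"WARNING wildcard key {key} -> {value}")
    print("\n".join(per_user_aliases(table, SAMPLE_MAILBOXES)))
```

The generated lines go into the source file for `virtual_alias_maps`; the wildcard entry is then removed from the canonical map so that unknown recipients are rejected during the SMTP transaction.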