
relay_recipient_maps not working

  • Richard Zinar
    Message 1 of 7 , Jul 12 7:03 PM
      Hi,
       
      I'm undoubtedly overlooking something basic, but my relay_recipient_maps doesn't seem
      to be having the desired effect, since I see mail not being rejected for non-existent users.
       
      The main.cf file looks as follows:
       
      disable_vrfy_command = yes
      smtpd_helo_required  = yes
      inet_interfaces      = $myhostname, localhost
       
      mydestination        =
      mynetworks_style     = host
      local_recipient_maps =
      local_transport      = error:local mail delivery is disabled
       
       
      header_checks  = pcre:/etc/postfix/header_checks.pcre
      relay_domains  = hash:/etc/postfix/relay_domains
      transport_maps = hash:/etc/postfix/transport
       
      smtpd_recipient_restrictions =
             reject_invalid_hostname
             reject_non_fqdn_hostname
             reject_non_fqdn_sender
             reject_non_fqdn_recipient
             reject_unknown_sender_domain
             reject_unknown_recipient_domain
             permit_mynetworks
             reject_unauth_destination
             check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
             check_helo_access      hash:/etc/postfix/helo_checks
             check_sender_access    hash:/etc/postfix/sender_checks
             check_client_access    hash:/etc/postfix/client_checks
             check_client_access    pcre:/etc/postfix/client_checks.pcre
             reject_rbl_client cbl.abuseat.org
             reject_rbl_client list.dsbl.org
             reject_rbl_client sbl.spamhaus.org
             reject_rbl_client pbl.spamhaus.org
             permit
       
      smtpd_data_restrictions =
             reject_unauth_pipelining
             reject_multi_recipient_bounce
             permit
       
      canonical_maps =
         hash:/etc/postfix/canonical_jpusers
         hash:/etc/postfix/canonical_krusers
       
      relay_recipient_maps =
             hash:/etc/postfix/relay_recipients_crm
             hash:/etc/postfix/relay_recipients_jpusers
             hash:/etc/postfix/relay_recipients_jplists
             pcre:/etc/postfix/relay_recipients_jplists.pcre
             hash:/etc/postfix/relay_recipients_krusers
             hash:/etc/postfix/relay_recipients_krlists
             pcre:/etc/postfix/relay_recipients_krlists.pcre
             hash:/etc/postfix/relay_recipients_ovusers
       
      virtual_alias_maps =
             hash:/etc/postfix/virtual_base
             hash:/etc/postfix/virtual_crm
             hash:/etc/postfix/virtual_jpusers
             hash:/etc/postfix/virtual_jplists
             pcre:/etc/postfix/virtual_jplists.pcre
             hash:/etc/postfix/virtual_krusers
             hash:/etc/postfix/virtual_krlists
             pcre:/etc/postfix/virtual_krlists.pcre
             hash:/etc/postfix/virtual_ovusers
       
      The /etc/postfix/relay_domains file is as follows:
       
      overture.com         ok
      overture.co.jp        ok
      overture.co.kr       ok
      overture.at            ok
      overture.au          ok
      overture.ca          ok
      overture.ch          ok
      overture.de          ok
      overture.dk          ok
      overture.es          ok
      overture.fi           ok
      overture.fr           ok
      overture.it           ok
      overture.jp          ok
      overture.kr          ok
      overture.nl          ok
      overture.no          ok
      overture.se          ok
       
      There are no wildcards in the various relay_recipient_map files (or .pcre files).  There is a wildcard in the transport
      file, but I assumed the mail would be rejected before the transport file is even consulted.
       
      The various virtual_alias_maps also have no wildcard entries.  (I'd show these files, but they are quite long).
      Here's an example log file entry:
       
      Jul 12 18:38:26 sc8-smtp-001 postfix/smtpd[12444]: NOQUEUE: reject: RCPT from unknown[121.128.167.198]: 554 Service unavailable; Client host [121.128.167.198] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=121.128.167.198; from=<teena@...> to=<gorman@...> proto=ESMTP helo=<[121.128.167.198]>
       
      This user (gorman@...) doesn't exist in any of the relay_recipient_map files, and is not matched by any regexp in the pcre files, so I don't
      understand why the message didn't get rejected until it reached the rbl checks.

      If anyone can shed some light on this, I'd appreciate it. Thanks ...
       
      Richard
    • Richard Zinar
      Message 2 of 7 , Jul 12 7:35 PM
        One follow-up is that I do see some messages being rejected:
         
        Jul 12 19:27:55 sc8-smtp-001 postfix/smtpd[12959]: NOQUEUE: reject: RCPT from unknown[203.121.8.2]: 550 <brenda@...>: Recipient address rejected: User unknown in relay recipient table; from=<bob@...> to=<brenda@...> proto=ESMTP helo=<kul.equatorial.com>
         
        But others which also do not exist are not being rejected until the rbl checks are reached:
         
        Jul 12 19:28:04 sc8-smtp-001 postfix/smtpd[12959]: NOQUEUE: reject: RCPT from unknown[222.252.41.190]: 554 Service unavailable; Client host [222.252.41.190] blocked using pbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=222.252.41.190; from=<support@...> to=<ray@...> proto=ESMTP helo=<overture.com>
         
        There is no entry for ray@... in any of the relay_recipient_maps, and it's not matched by any of the .pcre files.
         
        -Richard
         


      • Magnus Bäck
        Message 3 of 7 , Jul 12 10:36 PM
          On Friday, July 13, 2007 at 04:03 CEST,
          Richard Zinar <zinarr@...> wrote:

          > I'm undoubtedly overlooking something basic, but my
          > relay_recipient_maps doesn't seem to be having the desired effect,
          > since I see mail not being rejected for non-existent users.
          >
          > The main.cf file looks as follows:

          Next time, post "postconf -n" output as described
          in http://www.postfix.org/DEBUG_README.html#mail.

          [...]

          > Here's an example log file entry:
          >
          > Jul 12 18:38:26 sc8-smtp-001 postfix/smtpd[12444]: NOQUEUE: reject: RCPT
          > from unknown[121.128.167.198]: 554 Service unavailable; Client host
          > [121.128.167.198] blocked using cbl.abuseat.org; Blocked - see
          > http://cbl.abuseat.org/lookup.cgi?ip=121.128.167.198;
          > from=<teena@...> to=<gorman@...> proto=ESMTP
          > helo=<[121.128.167.198]>
          >
          > This user (gorman@...) doesn't exist in any of the
          > relay_recipient_map files, and is not matched by any regexp in the
          > pcre files, so I don't understand why the message didn't get rejected
          > until it reached the rbl checks.

          Implicit recipient checks (with smtpd_reject_unlisted_recipient = yes)
          take place at the end of smtpd_recipient_restrictions. If you want the
          checks to be performed earlier (e.g. before your RBL checks) you need
          to manually place the reject_unlisted_recipient restriction at the
          desired place.

          http://www.postfix.org/postconf.5.html#reject_unlisted_recipient

          --
          Magnus Bäck
          magnus@...
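
Added example, not part of Magnus Bäck's reply or the original poster's files: the smtpd_recipient_restrictions list from the first message with reject_unlisted_recipient placed explicitly. Putting it directly after reject_unauth_destination is an assumption about the desired position; the thread only says it must come before the RBL checks.

```cfg
# /etc/postfix/main.cf (fragment)
#
# smtpd_reject_unlisted_recipient = yes is the default, but that implicit
# check runs only after the whole list below has been evaluated. The first
# restriction that rejects ends evaluation, so a client listed on an RBL was
# logged as "blocked using ..." and the unknown recipient was never reported.
# Clients not on any RBL fell through to the implicit check and were logged as
# "User unknown in relay recipient table", which matches the two log lines
# shown in the follow-up message.
#
# With reject_unlisted_recipient listed explicitly, recipients missing from
# relay_recipient_maps are rejected at that point, before the access maps and
# before any DNS lookups for the RBLs.
smtpd_recipient_restrictions =
       reject_invalid_hostname
       reject_non_fqdn_hostname
       reject_non_fqdn_sender
       reject_non_fqdn_recipient
       reject_unknown_sender_domain
       reject_unknown_recipient_domain
       permit_mynetworks
       reject_unauth_destination
       reject_unlisted_recipient
       check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
       check_helo_access      hash:/etc/postfix/helo_checks
       check_sender_access    hash:/etc/postfix/sender_checks
       check_client_access    hash:/etc/postfix/client_checks
       check_client_access    pcre:/etc/postfix/client_checks.pcre
       reject_rbl_client cbl.abuseat.org
       reject_rbl_client list.dsbl.org
       reject_rbl_client sbl.spamhaus.org
       reject_rbl_client pbl.spamhaus.org
       permit
```

After a `postfix reload`, a RCPT for an unlisted address from an RBL-listed client should be logged with the 550 "User unknown in relay recipient table" reply instead of the 554 RBL reply.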
        • Matthew Ceroni
          Message 4 of 7 , Feb 12, 2013
            I am trying to setup the relay_recipient_maps option.

            I created my LDAP file (/etc/postfix/ldap-relay_recipients.cf) and tested it using postmap -q. When a valid user is supplied it returns 0 and when not it returns 1.

            However when I send an email (testing using the local command tool mail) it doesn't seem to matter and the message is sent to the relay anyways.

            To further troubleshoot I tried just using a hash map instead with one line in it. Same issue.

            I then tried to limit local users (local_recipient_maps) using the same LDAP file or set it explicitly to $alias_maps and then tried sending email (again using mail) to a user not in the aliases DB yet it still got sent to the local mailbox for that user.

            [root@mai01-smtp-01v mail]# postconf -n
            alias_database = hash:/etc/aliases
            alias_maps = hash:/etc/aliases
            canonical_maps = hash:/etc/postfix/canonical
            command_directory = /usr/sbin
            config_directory = /etc/postfix
            daemon_directory = /usr/libexec/postfix
            data_directory = /var/lib/postfix
            debug_peer_level = 2
            html_directory = no
            inet_interfaces = all
            inet_protocols = all
            mail_owner = postfix
            mailq_path = /usr/bin/mailq.postfix
            manpage_directory = /usr/share/man
            mydestination = $myhostname, localhost.$mydomain, localhost
            mydomain = mydomain.com
            myhostname = smtp03.mydomain.com
            myorigin = $mydomain
            newaliases_path = /usr/bin/newaliases.postfix
            notify_classes = bounce, delay, policy, protocol, resource, software
            proxy_interfaces = 173.228.xx.xx
            queue_directory = /var/spool/postfix
            readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
            relay_recipient_maps = ldap:/etc/postfix/ldap-relay_recipients.cf
            relayhost = [192.168.12.213]
            sample_directory = /usr/share/doc/postfix-2.6.6/samples
            sendmail_path = /usr/sbin/sendmail.postfix
            setgid_group = postdrop
            soft_bounce = yes
            unknown_local_recipient_reject_code = 550
            virtual_alias_domains = domain2.org

            And the maillog

            Feb 13 08:32:05 mai01-smtp-01v postfix/qmgr[2728]: 20486809: from=<root@...>, size=443, nrcpt=1 (queue active)
            Feb 13 08:32:05 mai01-smtp-01v postfix/smtp[2735]: 20486809: to=<matthew2.ceroni@...>, relay=192.168.12.213[192.168.12.213]:25, delay=0.25, delays=0.03/0.01/0.03/0.18, dsn=2.6.0, status=sent (250 2.6.0 <20130213083205.20486809@...> [InternalId=361531] Queued mail for delivery)
            Feb 13 08:32:05 mai01-smtp-01v postfix/qmgr[2728]: 20486809: removed

            The user matthew2.ceroni@... does not exist, yet it still got sent to the relay.

            Thanks
          • Wietse Venema
            Message 5 of 7 , Feb 12, 2013
              Matthew Ceroni:
              > I am trying to setup the relay_recipient_maps option.
              >
              > I created my LDAP file (/etc/postfix/ldap-relay_recipients.cf) and tested
              > it using postmap -q. When a valid user is supplied it returns 0 and when
              > not it returns 1.

              As documented this is used in the SMTP daemon to reject mail for
              non-existent recipients.

              > However when I send an email (testing using the local command tool mail) it
              > doesn't seem to matter and the message is sent to the relay anyways.

              Local submission does not arrive via the SMTP daemon. Also, I wonder
              what you want, Postfix returning an error status when you use the
              "mail" command? How should such mail be returned to sender if it
              never makes it into the mail system in the first place?

              Wietse
            • Matthew Ceroni
              Message 6 of 7 , Feb 12, 2013
                I thought that was the issue, but when I try submitting via SMTP (using telnet as my test) it still doesn't work. I supply an invalid email and it still relays it to the relay server. 

                When I run postmap -q to test (with debug turned on) it logs everything in /var/log/maillog. But I don't see that same debug output when testing through telnet to the SMTP port. 





              • Matthew Ceroni
                Message 7 of 7 , Feb 12, 2013
                  Well now I am even more confused.

                  So I was doing some further testing and was getting a 454 relay access denied when trying to send mail through postfix to user@.... In my postfix config mydomain was set to mydomain and mydestination was set to $myhostname, localhost.$mydomain and localhost.

                  The default setting for relay_domains is mydestination and subdomains thereof. So since mydestination contains $myhostname which is set to hostname.$mydomain  mydomain should be in that list for relay_domains. But I had to explicitly add mydomain to relay_domains. Once I did that it honored the relay_recipient_maps. 

                  I guess my understanding of the default value relay_domains takes is incorrect.

                  Thanks
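
Added example, not part of Matthew Ceroni's message: a main.cf fragment for the fix he describes, built from the values in his postconf -n output. The exact line he added is not shown in the thread, so `relay_domains = $mydomain` is an assumption; the matching rule in the comments is the documented one (a listed name and its subdomains).

```cfg
# /etc/postfix/main.cf (fragment)
#
# From the postconf -n output in the earlier message:
#   mydomain      = mydomain.com
#   myhostname    = smtp03.mydomain.com
#   mydestination = $myhostname, localhost.$mydomain, localhost
#
# Before: relay_domains was not set, so on this version it took its default,
# $mydestination, which expands to:
#   smtp03.mydomain.com, localhost.mydomain.com, localhost
#
# A recipient domain matches relay_domains when it equals a listed name or is
# a subdomain of one. mydomain.com is the PARENT of smtp03.mydomain.com, not a
# subdomain of it, so user@mydomain.com did not belong to the relay class:
#   - remote clients were refused by reject_unauth_destination
#     ("relay access denied"),
#   - relay_recipient_maps, which only covers recipients in $relay_domains,
#     was never applied to that domain, so mail from permitted clients was
#     forwarded to relayhost whether or not the recipient existed.

# After: name the relayed domain explicitly and keep the recipient map.
relay_domains        = $mydomain
relay_recipient_maps = ldap:/etc/postfix/ldap-relay_recipients.cf

# soft_bounce = yes (present in the same postconf -n output) makes the SMTP
# server answer with 4xx where it would otherwise send 5xx. That is why the
# denial showed up as 454, and unknown recipients will be deferred with a 4xx
# code rather than rejected with 550 for as long as it stays enabled.
```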

