Loading ...
Sorry, an error occurred while loading the content.

Configurable sender address for recipient verification

Expand Messages
  • Daniel L. Miller
    Is there a way to use the message sender as the address used by the recipient verification probe? Or is the only control a global address_verify_sender
    Message 1 of 12 , Jan 9, 2013
    • 0 Attachment
      Is there a way to use the message sender as the address used by the
      recipient verification probe? Or is the only control a global
      address_verify_sender change?

      I'm asking because a mailing list I use must have made a change in their
      filters, and is refusing the double-bounce sender address for the
      recipient verification probe from my server.

      On a unrelated note, my initial submission for this message contained
      the word "subscribe" and was rejected by the automatic filters. I'm
      trying again now with quotes to see if it gets through.
      --
      Daniel
    • Wietse Venema
      ... The feature is called sender address verification, not sender*AND*recipient address verification. If it had to send different sender address probes for
      Message 2 of 12 , Jan 9, 2013
      • 0 Attachment
        Daniel L. Miller:
        > Is there a way to use the message sender as the address used by the
        > recipient verification probe?

        The feature is called sender address verification, not sender*AND*recipient
        address verification. If it had to send different sender address
        probes for different recipients, the feature would perform even
        worse.

        > I'm asking because a mailing list I use must have made a change in their
        > filters, and is refusing the double-bounce sender address for the
        > recipient verification probe from my server.

        How about: don't address-verify a mailing list that you are subscribed
        to. Doing so is pointless. Worse, it may cause mail delivery delays
        when they use VERP-style sender addresses that are different with
        each mailing list posting.

        Wietse
      • Daniel L. Miller
        ... Fair enough. How do I turn off recipient address verification for my mailing lists? I see a way of forcing sender verification - but I don t see a
        Message 3 of 12 , Jan 9, 2013
        • 0 Attachment
          On 1/9/2013 4:26 PM, Wietse Venema wrote:
          > How about: don't address-verify a mailing list that you are subscribed
          > to. Doing so is pointless. Worse, it may cause mail delivery delays
          > when they use VERP-style sender addresses that are different with each
          > mailing list posting.

          Fair enough. How do I turn off recipient address verification for my
          mailing lists? I see a way of forcing sender verification - but I don't
          see a particular method for NOT verifying recipients.

          Or do I do that with:

          smtpd_recipient_restrictions =
          reject_unknown_recipient_domain,
          check_recipient_access = hash:/etc/postfix/maps/mailing_lists
          reject_unverified_recipient,
          permit_sasl_authenticated,
          permit_mynetworks,
          reject_unauth_destination,
          permit

          /etc/postfix/maps/mailing_lists
          mailinglist@... OK

          --
          Daniel
        • Wolfgang Zeikat
          I think there is some misunderstanding here. ... Wietse s above text refers to SENDER address verification if I am not mistaken. If you are subscribed to a
          Message 4 of 12 , Jan 9, 2013
          • 0 Attachment
            I think there is some misunderstanding here.

            On 2013-01-10 01:38, Daniel L. Miller wrote:
            > On 1/9/2013 4:26 PM, Wietse Venema wrote:
            > > How about: don't address-verify a mailing list that you are
            > > subscribed to. Doing so is pointless. Worse, it may cause mail
            > > delivery delays when they use VERP-style sender addresses that are
            > > different with each mailing list posting.

            Wietse's above text refers to SENDER address verification if I am not
            mistaken.

            If you are subscribed to a mailing list, that would mean: your server
            asks the MX host for the envelope sender address of the mailing list
            message if that host would accept a mail for that envelope sender
            address.

            >
            > Fair enough. How do I turn off recipient address verification for my
            > mailing lists? I see a way of forcing sender verification - but I
            > don't see a particular method for NOT verifying recipients.

            You keep asking about recipient verification. I dont understand how that
            relates to mailing lists you are subscribed to. Does your phrase "my
            mailing lists" refer to mailing lists you are subscribed to?


            > check_recipient_access = hash:/etc/postfix/maps/mailing_lists

            That means: postfix will query /etc/postfix/maps/mailing_lists to see
            if it should accept mails for local or virtual recipients.

            > /etc/postfix/maps/mailing_lists
            > mailinglist@... OK

            I think that
            mailinglist@...
            is neither a local nor a virtual address on your postfix server but
            the "To:" header line in mailing list mails like e.g.
            postfix-users@....

            If so, that is nothing that your server sees in smtpd connections at
            all, that is part of the mail DATA and nothing your
            smtpd_recpient_restrictions will hit ...

            I think you should post log lines that show what happens on your server
            so that the problem becomes more clear.

            Hope this helps.

            Cheers,

            wolfgang
          • Wietse Venema
            ... ... That will do it. Wietse
            Message 5 of 12 , Jan 9, 2013
            • 0 Attachment
              Daniel L. Miller:
              > On 1/9/2013 4:26 PM, Wietse Venema wrote:
              > > How about: don't address-verify a mailing list that you are subscribed
              > > to. Doing so is pointless. Worse, it may cause mail delivery delays
              > > when they use VERP-style sender addresses that are different with each
              > > mailing list posting.
              >
              > Fair enough. How do I turn off recipient address verification for my
              > mailing lists?

              > check_recipient_access = hash:/etc/postfix/maps/mailing_lists
              > reject_unverified_recipient,
              ...

              That will do it.

              Wietse
            • Daniel L. Miller
              ... My problem is not receiving mail - it s sending a new post to the list. Hence the recipient verification question - my server first tries to probe the
              Message 6 of 12 , Jan 9, 2013
              • 0 Attachment
                On 1/9/2013 4:57 PM, Wolfgang Zeikat wrote:
                > I think there is some misunderstanding here.
                >
                > On 2013-01-10 01:38, Daniel L. Miller wrote:
                >> On 1/9/2013 4:26 PM, Wietse Venema wrote:
                >>> How about: don't address-verify a mailing list that you are
                >>> subscribed to. Doing so is pointless. Worse, it may cause mail
                >>> delivery delays when they use VERP-style sender addresses that are
                >>> different with each mailing list posting.
                > Wietse's above text refers to SENDER address verification if I am not
                > mistaken.
                >
                > If you are subscribed to a mailing list, that would mean: your server
                > asks the MX host for the envelope sender address of the mailing list
                > message if that host would accept a mail for that envelope sender
                > address.
                >
                >> Fair enough. How do I turn off recipient address verification for my
                >> mailing lists? I see a way of forcing sender verification - but I
                >> don't see a particular method for NOT verifying recipients.
                > You keep asking about recipient verification. I dont understand how that
                > relates to mailing lists you are subscribed to. Does your phrase "my
                > mailing lists" refer to mailing lists you are subscribed to?
                My problem is not receiving mail - it's sending a new post to the list.
                Hence the recipient verification question - my server first tries to
                probe the mailing list server with a "double-bounce" address - and the
                mailing list server says the "double-bounce" address isn't a subscriber
                and rejects it.

                --
                Daniel
              • Daniel L. Miller
                ... Glad to know I m on the right track. I m still doing something wrong. Naturally I tried to get fancy - I m using cdb (which I use for other maps as well).
                Message 7 of 12 , Jan 9, 2013
                • 0 Attachment
                  On 1/9/2013 5:43 PM, Wietse Venema wrote:
                  >
                  >> check_recipient_access = hash:/etc/postfix/maps/mailing_lists
                  >> reject_unverified_recipient,
                  > ...
                  >
                  > That will do it.
                  >

                  Glad to know I'm on the right track. I'm still doing something wrong.
                  Naturally I tried to get fancy - I'm using cdb (which I use for other
                  maps as well).

                  A test results in:
                  postmap -q nginx@... cdb:/etc/postfix/maps/mailing-list-targets
                  OK

                  So I THINK my map is set correctly. Yet I'm still seeing:
                  Jan 9 17:51:57 bubba postfix/cleanup[24369]: EED1E40402A4:
                  message-id=<20130110015157.EED1E40402A4@...>
                  Jan 9 17:51:58 bubba postfix/qmgr[23232]: EED1E40402A4:
                  from=<double-bounce@...>, size=230, nrcpt=1 (queue active)
                  Jan 9 17:51:59 bubba postfix/smtp[24528]: EED1E40402A4:
                  to=<nginx@...>, relay=mail.nginx.org[206.251.255.65]:25,
                  delay=1.4, delays=0.02/0.01/1.3/0.02, dsn=5.7.1,
                  status=undeliverable-but-not-cached (host mail.nginx.org[206.251.255.65]
                  said: 554 5.7.1 <nginx@...>: Recipient address rejected:
                  envelope-sender address is not listed as subscribed for the mailing
                  list. You are either not subscribed or From: address differ from
                  envelope address (in reply to RCPT TO command))
                  Jan 9 17:51:59 bubba postfix/qmgr[23232]: EED1E40402A4: removed

                  Configuration:
                  postconf -n
                  address_verify_map = btree:${data_directory}/verify
                  address_verify_negative_cache = no
                  address_verify_poll_count = 5
                  address_verify_poll_delay = 5s
                  alias_database = hash:/etc/aliases
                  alias_maps = hash:/etc/aliases
                  append_dot_mydomain = no
                  biff = no
                  bounce_template_file = /etc/postfix/bounce.cf
                  broken_sasl_auth_clients = yes
                  config_directory = /etc/postfix
                  delay_warning_time = 10m
                  dovecot_destination_recipient_limit = 1
                  fax_destination_recipient_limit = 1
                  html_directory = no
                  inet_interfaces = all
                  inet_protocols = all
                  mailbox_size_limit = 0
                  maildrop_destination_recipient_limit = 1
                  message_size_limit = 700000000
                  mydestination = localhost.amfeslan.local, localhost
                  mydomain = amfeslan.local
                  myhostname = mail.amfes.com
                  mynetworks = 127.0.0.0/8 192.168.0.0/24 192.168.56.0/24
                  myorigin = amfes.com
                  printfax_destination_recipient_limit = 1
                  proxy_interfaces = 24.120.114.53
                  readme_directory = no
                  recipient_bcc_maps = hash:/etc/postfix/maps/recipient_bcc
                  recipient_canonical_maps = hash:/etc/postfix/maps/canonical-maps
                  recipient_delimiter = +
                  sender_bcc_maps = hash:/etc/postfix/maps/sender_bcc
                  smtpd_authorized_xclient_hosts = 127.0.0.1 192.168.0.0/24
                  smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
                  smtpd_recipient_restrictions = reject_unknown_recipient_domain,
                  check_sender_access cdb:/etc/postfix/maps/mailing-list-targets,
                  reject_unverified_recipient, permit_sasl_authenticated,
                  permit_mynetworks, reject_unauth_destination, permit
                  smtpd_sasl_auth_enable = yes
                  smtpd_sasl_path = private/auth
                  smtpd_sasl_security_options = noanonymous
                  smtpd_sasl_type = dovecot
                  smtpd_sender_restrictions = reject_unlisted_sender
                  smtpd_tls_CAfile = /etc/postfix/tls/cakey.pem
                  smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
                  smtpd_tls_key_file = /etc/postfix/tls/key.pem
                  smtpd_tls_received_header = yes
                  smtpd_tls_security_level = may
                  smtpd_tls_session_cache_timeout = 3600s
                  soft_bounce = no
                  tls_random_source = dev:/dev/urandom
                  transport_maps = hash:/etc/postfix/maps/transport
                  virtual_alias_maps =
                  pcre:/etc/postfix/maps/virtual-maps,ldap:/etc/postfix/maps/ldap-aliases.cf
                  virtual_gid_maps = static:8
                  virtual_mailbox_base = /var/mail
                  virtual_mailbox_domains = cdb:/etc/postfix/maps/virtual-domains
                  virtual_mailbox_maps = ldap:/etc/postfix/maps/ldap-virtual.cf
                  virtual_transport = lmtp:unix:private/dovecot-lmtp
                  virtual_uid_maps = static:5000

                  --
                  Daniel
                • Wietse Venema
                  ... That works. ... You changed more than hash- cdb. Wietse
                  Message 8 of 12 , Jan 10, 2013
                  • 0 Attachment
                    Daniel L. Miller:
                    > check_recipient_access = hash:/etc/postfix/maps/mailing_lists
                    > reject_unverified_recipient,

                    That works.

                    > check_sender_access cdb:/etc/postfix/maps/mailing-list-targets,
                    > reject_unverified_recipient

                    You changed more than hash->cdb.

                    Wietse
                  • Daniel L. Miller
                    ... Did you see something in my posted configuration? -- Daniel
                    Message 9 of 12 , Jan 10, 2013
                    • 0 Attachment
                      On 1/10/2013 3:57 AM, Wietse Venema wrote:
                      > Daniel L. Miller:
                      >> check_recipient_access = hash:/etc/postfix/maps/mailing_lists
                      >> reject_unverified_recipient,
                      > That works.
                      >
                      >> check_sender_access cdb:/etc/postfix/maps/mailing-list-targets,
                      >> reject_unverified_recipient
                      > You changed more than hash->cdb.
                      >
                      > Wietse
                      Did you see something in my posted configuration?

                      --
                      Daniel
                    • Daniel L. Miller
                      ... When I (temporarily) commented out the reject_unverified_recipient - no verification is performed and the message is sent & accepted by the remote. So I
                      Message 10 of 12 , Jan 10, 2013
                      • 0 Attachment
                        On 1/10/2013 3:38 PM, Daniel L. Miller wrote:
                        > On 1/10/2013 3:57 AM, Wietse Venema wrote:
                        >> Daniel L. Miller:
                        >>> check_recipient_access = hash:/etc/postfix/maps/mailing_lists
                        >>> reject_unverified_recipient,
                        >> That works.
                        >>
                        >>> check_sender_access cdb:/etc/postfix/maps/mailing-list-targets,
                        >>> reject_unverified_recipient
                        >> You changed more than hash->cdb.
                        >>
                        >> Wietse
                        > Did you see something in my posted configuration?
                        >
                        When I (temporarily) commented out the "reject_unverified_recipient" -
                        no verification is performed and the message is sent & accepted by the
                        remote. So I assume either the check_sender_access map is not being
                        processed - or there's something wrong with my map. I'm confused
                        because the test "postmap -q nginx@... cdb:mailing-list-targets"
                        continues to return "OK".

                        Is there a way I can see the processing being performed for the
                        smtpd_recipient_restrictions evaluation, particularly the
                        check_sender_access call?
                        --
                        Daniel
                      • Wietse Venema
                        ... The first fragment was what you proposed, and that would work. The second fragment was your posted configuration. Putting then side-by-side: 1A
                        Message 11 of 12 , Jan 10, 2013
                        • 0 Attachment
                          Daniel L. Miller:
                          > On 1/10/2013 3:57 AM, Wietse Venema wrote:
                          > > Daniel L. Miller:
                          > >> check_recipient_access = hash:/etc/postfix/maps/mailing_lists
                          > >> reject_unverified_recipient,
                          > > That works.
                          > >
                          > >> check_sender_access cdb:/etc/postfix/maps/mailing-list-targets,
                          > >> reject_unverified_recipient
                          > > You changed more than hash->cdb.
                          > >
                          > Did you see something in my posted configuration?

                          The first fragment was what you proposed, and that would work.

                          The second fragment was your posted configuration.

                          Putting then side-by-side:


                          1A check_recipient_access = hash:/etc/postfix/maps/mailing_lists
                          2A check_sender_access cdb:/etc/postfix/maps/mailing-list-targets,

                          1B reject_unverified_recipient
                          2B reject_unverified_recipient

                          Obviously, the difference is with the first lines.

                          The first one has a mistake (the "=" does not belong there).

                          But the second does not do what the first one tried to achieve.

                          Wietse
                        • Daniel L. Miller
                          ... Thank you! On top of my own lack of standard lack of knowledge - it can be the difference between seeing what is actually there vs. seeing what is
                          Message 12 of 12 , Jan 10, 2013
                          • 0 Attachment
                            On 1/10/2013 4:27 PM, Wietse Venema wrote:
                            > Daniel L. Miller:
                            >> On 1/10/2013 3:57 AM, Wietse Venema wrote:
                            >>> Daniel L. Miller:
                            >>>> check_recipient_access = hash:/etc/postfix/maps/mailing_lists
                            >>>> reject_unverified_recipient,
                            >>> That works.
                            >>>
                            >>>> check_sender_access cdb:/etc/postfix/maps/mailing-list-targets,
                            >>>> reject_unverified_recipient
                            >>> You changed more than hash->cdb.
                            >>>
                            >> Did you see something in my posted configuration?
                            > The first fragment was what you proposed, and that would work.
                            >
                            > The second fragment was your posted configuration.
                            >
                            > Putting then side-by-side:
                            >
                            >
                            > 1A check_recipient_access = hash:/etc/postfix/maps/mailing_lists
                            > 2A check_sender_access cdb:/etc/postfix/maps/mailing-list-targets,
                            >
                            > 1B reject_unverified_recipient
                            > 2B reject_unverified_recipient
                            >
                            > Obviously, the difference is with the first lines.
                            >
                            > The first one has a mistake (the "=" does not belong there).
                            >
                            > But the second does not do what the first one tried to achieve.
                            >
                            > Wietse

                            Thank you! On top of my own lack of standard lack of knowledge - it can
                            be the difference between seeing what is actually there vs. seeing what
                            is expected.

                            --
                            Daniel
                          Your message has been successfully submitted and would be delivered to recipients shortly.