Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Postfix submitting email not in Recipients List

    Scheduled Pinned Locked Moved pfSense Packages
    10 Posts 2 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      garthk
      last edited by

      I'm running v2 Postfix on 2.1.5 i386 and I've noticed that email for users not in the Recipients List on the PF Recipients tab are still being forwarded to the iRedMail server and are being refused by it. This puts info into the 550 5.1.1 rejection that I'd like to keep hidden. Is this expected behaviour or did I miss a setting?

      Thanx,
      Garth

      1 Reply Last reply Reply Quote 0
      • G
        garthk
        last edited by

        A bit of an update. PF is not actually sending the email as previously stated. What it is doing is verifying the creds against the email server instead of rejecting them outright when the user is not in the Recipients list. I have another pfSense/Postfix box that is doing it correctly so I'll compare the settings between the two to see what's different.

        Helpful pointers still appreciated.

        Thanx,
        Garth

        1 Reply Last reply Reply Quote 0
        • B
          biggsy
          last edited by

          Probably "basic" versus "strong" selected in Header verification under the Anti-spam tab.

          Strong inserts reject_unverified_recipient under smtp_recipient_restrictions

          1 Reply Last reply Reply Quote 0
          • G
            garthk
            last edited by

            Thanx for reply. I checked and Strong is selected. Below is a sanitized telnet 25 session with the PF server showing the response to a nonexistant user is coming from the internal mail server. This may be correct but I seem to remember that the internal email server was not contacted until after all of the checks were made. Is my memory incorrect?

            garthk@myws:~$ telnet 1.1.1.1 25
            Trying 1.1.1.1…
            Connected to 1.1.1.1.
            Escape character is '^]'.
            220 mail.abc.net ESMTP Postfix
            helo abc.com
            250 mail.abc.net
            mail from: garthk@abc.com250 2.1.0 Ok
            rcpt to: joe@abc.net550 5.1.1 joe@abc.net: Recipient address rejected: undeliverable address: host 10.10.10.10[10.10.10.10] said: 550 5.1.1 joe@abc.net: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command)
            quit
            221 2.0.0 Bye
            Connection closed by foreign host.

            Below is a section from a backup showing the settings for PF:

            <package><name>Postfix Forwarder</name>
            <website>http://www.postfix.org/</website>
            <descr>It can do first and second line antispam combat before sending incoming mail to local mail servers.<br />
            Postfix can also detect zombies, check RBLS, SPF, seach ldap for valid recipients and use third part antispam engines like policyd and mailscanner for better antispam solution.]]></descr>
            <category>Services</category>
            <pkginfolink>https://forum.pfsense.org/index.php/topic,40622.0.html</pkginfolink>
            <config_file>https://packages.pfsense.org/packages/config/postfix/postfix.xml</config_file>
            <depends_on_package_base_url>https://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
            <depends_on_package>postfix-2.10.2,1.tbz</depends_on_package>
            <depends_on_package>perl5-5.16.3_4.tbz</depends_on_package>
            <depends_on_package_pbi>postfix-2.10.2-i386.pbi</depends_on_package_pbi>
            <version>2.10.2 pkg v.2.3.9</version>
            <status>Release</status>
            <required_version>2.1</required_version>
            <configurationfile>postfix.xml</configurationfile>
            <build_port_path>/usr/ports/mail/postfix</build_port_path>
            <build_options>WITH_PCRE=true;WITH_SPF=true;WITH_SASL2=true;WITH_TLS=true</build_options></package>
            <postfix><config><enable_postfix>on</enable_postfix>
            <inet_protocol>ipv4</inet_protocol>
            <enabled_interface>wan,lo0</enabled_interface>
            <message_size_limit><process_limit><maincf><log_to>maillog</log_to>
            <update_sqlite>01min</update_sqlite>
            <debug_list><debug_level>2</debug_level>
            <widget_days>3</widget_days>
            <widget_size>200000000</widget_size></debug_list></maincf></process_limit></message_size_limit></config></postfix>
            <postfixdomains><config><row><domain>abc.net</domain>
            <mailserverip>10.10.10.10</mailserverip></row></config></postfixdomains>
            <postfixrecipients><config><freq>30m</freq>
            <enable_ldap><row><dc><cn><username><password></password></username></cn></dc></row>
            <enable_url><custom_url><custom_recipients>cG9zdG1hc3RlckBnZGNqay5uZXQgT0sNCmdhcnRoa0BnZGNqay5uZXQgT0sNCmNhcm9sa0BnZGNqay5uZXQgT0s=</custom_recipients></custom_url></enable_url></enable_ldap></config></postfixrecipients>
            <postfixantispam><config><header_check>strong</header_check>
            <reject_unknown_helo_hostname>on</reject_unknown_helo_hostname>
            <zombie_blocker>enforce</zombie_blocker>
            <greet_time>2,6s</greet_time>
            <after_greeting>postscreen_bare_newline_enable,postscreen_disable_vrfy_command,postscreen_non_smtp_command_enable,postscreen_pipelining_enable,postscreen_greet_check</after_greeting>
            <soft_bounce>postscreen</soft_bounce>
            <anvil>postscreen</anvil>
            <rbl_servers>zen.spamhaus.org</rbl_servers>
            <rbl_threshold>2</rbl_threshold>
            <postfix_spf>reject_spf_invalid_sender</postfix_spf>
            <antispam_enabled><hold_mode>auto</hold_mode>
            <antispam_software>mailscanner</antispam_software>
            <antispam_location></antispam_location></antispam_enabled></config></postfixantispam>

            <dhcrelay><dhcrelay6>Let me know if I missed something.

            Thanx,
            Garth</dhcrelay6></dhcrelay>/joe@abc.net/joe@abc.net/joe@abc.net/garthk@abc.com

            1 Reply Last reply Reply Quote 0
            • B
              biggsy
              last edited by

              Your main.cf files would be more interesting to compare.

              Reading this:

              . . . recipient address verification is useful to block mail for undeliverable recipients on a mail relay host that does not have a list of all valid recipient addresses

              I don't understand why your mail server is being queried at all.

              1 Reply Last reply Reply Quote 0
              • G
                garthk
                last edited by

                Here is the main.cf. I've searched on the suspicious entries but have found nothing that looks wrong.

                Thanx,
                Garth

                /usr/pbi/postfix-i386/etc/postfix/main.cf
                #main.cf
                #Part of the Postfix package for pfSense
                #Copyright (C) 2010 Erik Fonnesbeck
                #Copyright (C) 2011-2013 Marcello Coutinho
                #All rights reserved.
                #DO NOT EDIT THIS FILE

                mynetworks = /usr/pbi/postfix-i386/etc/postfix/mynetwork_table
                mynetworks_style = host
                access_map_reject_code= 554
                access_map_defer_code = 451
                unverified_recipient_reject_code = 550
                unknown_client_reject_code = 550
                unknown_hostname_reject_code = 550

                relay_domains = abc.net
                transport_maps = hash:/usr/pbi/postfix-i386/etc/postfix/transport
                local_recipient_maps =
                relay_recipient_maps = hash:/usr/pbi/postfix-i386/etc/postfix/relay_recipients
                mydestination =
                mynetworks_style = host
                message_size_limit = 10240000
                default_process_limit = 100
                disable_vrfy_command = yes
                strict_rfc821_envelopes = yes

                #Just reject after helo,sender,client,recipient tests
                smtpd_delay_reject = yes

                Don't talk to mail systems that don't know their own hostname.

                smtpd_helo_required = yes
                smtpd_helo_restrictions = check_helo_access pcre:/usr/pbi/postfix-i386/etc/postfix/helo_check,
                reject_unknown_helo_hostname,
                reject_invalid_helo_hostname,
                reject_non_fqdn_helo_hostname,
                permit

                smtpd_sender_restrictions = reject_non_fqdn_sender,
                reject_unknown_sender_domain,
                reject_unauth_pipelining,
                reject_multi_recipient_bounce,
                permit

                Allow connections from specified local clients and strong check everybody else.

                smtpd_client_restrictions = permit_mynetworks,
                reject_unauth_destination,
                check_client_access pcre:/usr/pbi/postfix-i386/etc/postfix/cal_pcre,
                check_client_access cidr:/usr/pbi/postfix-i386/etc/postfix/cal_cidr,
                reject_unknown_client_hostname,
                reject_unauth_pipelining,
                reject_multi_recipient_bounce,
                permit

                smtpd_recipient_restrictions = permit_mynetworks,
                reject_unauth_destination,
                reject_unauth_pipelining,
                check_client_access pcre:/usr/pbi/postfix-i386/etc/postfix/cal_pcre,
                check_client_access cidr:/usr/pbi/postfix-i386/etc/postfix/cal_cidr,
                check_sender_access hash:/usr/pbi/postfix-i386/etc/postfix/sender_access,
                reject_non_fqdn_helo_hostname,
                reject_unknown_recipient_domain,
                reject_non_fqdn_recipient,
                reject_multi_recipient_bounce,
                reject_unverified_recipient,
                reject_spf_invalid_sender,
                permit

                inet_protocols = ipv4
                inet_interfaces = 1.2.3.4,127.0.0.1
                postscreen_greet_wait = ${stress?2}${stress:6}s
                postscreen_disable_vrfy_command = yes
                postscreen_non_smtp_command_enable = yes
                postscreen_non_smtp_command_action = enforce
                postscreen_pipelining_enable = yes
                postscreen_pipelining_action = enforce
                postscreen_bare_newline_enable = yes
                postscreen_bare_newline_action = enforce
                postscreen_greet_action = enforce
                postscreen_access_list = permit_mynetworks,
                cidr:/usr/pbi/postfix-i386/etc/postfix/cal_cidr
                postscreen_dnsbl_action= enforce
                postscreen_blacklist_action= enforce
                postscreen_dnsbl_sites=zen.spamhaus.org
                postscreen_dnsbl_threshold=2

                1 Reply Last reply Reply Quote 0
                • B
                  biggsy
                  last edited by

                  That looks pretty much the same as mine.  I don't use a valid recipients list, though, so postfix always queries the mail server if it hasn't got a cached positive or negative response from there before.  Those cached entries do expire after a time.

                  Is this the config for the one that's querying your mail server?  Maybe your other server is just not receiving many emails for address responses that aren't cached.

                  Unfortunately, from what I've read, I don't think there is any way to stop the queries completely but they should be relatively rare, unless you are seeing lots of spammers who get past the usual postscreen checks.

                  I suspect that reject_unverified_recipient should be reject_unlisted_recipient in main.cf.

                  1 Reply Last reply Reply Quote 0
                  • B
                    biggsy
                    last edited by

                    I did a little experiment:

                    Built a table of valid recipients from my mail server.

                    Replaced reject_unverified_recipient with reject_unlisted_recipient in main.cf and reloaded postfix

                    I get the error (which is to be expected because I didn't rebuild relay_recipients.db):

                    warning: database /usr/pbi/postfix-amd64/etc/postfix/relay_recipients.db is older than source file /usr/pbi/postfix-amd64/etc/postfix/relay_recipients
                    

                    However, I don't get the double-bounce query to the mail server with this configuration.

                    So it looks as though, when you have a valid recipients list, reject_unlisted_recipient should be in main.cf, rather than reject_unverified_recipient.

                    1 Reply Last reply Reply Quote 0
                    • G
                      garthk
                      last edited by

                      Good work and I agree. I changed from unverified to unlisted in main.cf and the unknown user is rejected immediately by pfSense/Postfix rather than asking the email server to verify. Much better.

                      Now, how long will the change remain in place before the main.cf gets regenerated? There is a cap warning about not editing near the top of the file. Should this be reported as a bug?

                      Thanx,
                      Garth

                      1 Reply Last reply Reply Quote 0
                      • B
                        biggsy
                        last edited by

                        I'm hoping marcelloc will notice this thread.

                        Not that I think it's a really a bug.  There are so many config options in postfix that I'm not surprised he would have had to make some tough choices about how to manage certain things through the GUI.

                        I suspect any save through the GUI or reinstall of the package would wipe out the change.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.