Thanks, Cameron. I suspected "postmaster" was a special case.

I have chosen to handle it outside of Postfix. I *never* receive legitimate
email to that address, so I set up an inbox rule that automatically deletes
anything addressed to postmaster. The volume of messages is not high
enough to affect performance of my mail server.

I, too, have set up a large number of addresses in the access.db table. I
knock out all of the Latin America and most of the Asia/Pacific addresses
at their Class A number. I have no email correspondants in those regions
of the world. The postfix logs show roughly 30 to 50 messages per day
blocked from those addresses. It shows in the range of 200 messages per
day blocked from servers with invalid names, invalid MX records or no DNS
entry.

Bill Gee



Cameron L. Spitzer wrote:

> In article <3R4sj.8081$0o7.6193@newssvr13.news.prodigy.net> , Bill Gee
> wrote:
>> Thanks for the ideas. I have put this in and it seems to work for admin
>> and root accounts, but postmaster is still getting through.
>
> postmaster is special. The smtpd table checks don't
> affect it. I believe this is the code for that.
> In postfix-2.4.1, src/smtpd/smtpd_check.c lines 4114-4119 or so.
>
>
> /*
> * XXX 2821: Section 3.6 requires that "postmaster" be accepted even
> when * specified without a fully qualified domain name.
> */
> if (strcasecmp(recipient, "postmaster") == 0)
> return (0);
>
>
> If you want to block messages to postmaster using table lookups
> under smtpd_recipient or _data _restrictions, you'll have to
> comment that test out and recompile.
>
> This feature is documented by the statement that Postfix
> complies with RFC2821.
>
> But remember client/recipient/data have
> to do with position in the SMTP dialog, not with categories
> of spam tests.
>
> smtpd_client_restrictions doesn't treat postmaster specially,
> because the recipient isn't yet known at that point in the dialog.
>
> I have two sets of sender restrictions. The worst spam sources
> are listed in tables under smtpd_client_restrictions.
> Those are the networks so corrupt that I don't care if
> I block postmaster messages from them.
>
> (Actually I have three sets. I've got about 300 CIDRs in
> Linux netfilter that aren't allowed to reach Postfix at all.
> You can do this with little performance hit if you keep
> them in their own table. Jump from INPUT to that table
> when you see a SYN packet to port 25. But I digress.)
>
> The rest of the known sources are listed in tables
> under smtpd_recipient or _data. I get spam to postmaster
> from them.
>
>
>
>
> Cameron

--
Bill Gee

There are no 'X' chars in my email address.