check_recipient_access rejects?

I've got in main.cf:

smtpd_recipient_restrictions =
permit_mynetworks
reject_invalid_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unauth_pipelining
reject_unknown_sender_domain
reject_unknown_recipient_domain
check_client_access hash:/etc/postfix/pop-before-smtp
reject_unauth_destination
check_recipient_access hash:/etc/postfix/recipient_access
check_policy_service inet:127.0.0.1:2525
reject_rbl_client relays.ordb.org
reject_rbl_client bl.spamcop.net
permit_mx_backup
check_relay_domains
permit_auth_destination
permit

and in recipient_access:

valid@domain.com OK
domain.com REJECT

However, I can see in the policy service that invalid@domain.com addresses
are still checked. How could have them definitely rejected before?

--
__Pascal Bourguignon__ http://www.informatimago.com/

In a World without Walls and Fences,
who needs Windows and Gates?

Pascal Bourguignon wrote:
> I've got in main.cf:
>
> smtpd_recipient_restrictions =
> permit_mynetworks
> reject_invalid_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unauth_pipelining
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> check_client_access hash:/etc/postfix/pop-before-smtp
> reject_unauth_destination
> check_recipient_access hash:/etc/postfix/recipient_access
> check_policy_service inet:127.0.0.1:2525
> reject_rbl_client relays.ordb.org
> reject_rbl_client bl.spamcop.net
> permit_mx_backup
> check_relay_domains
> permit_auth_destination
> permit
>
> and in recipient_access:
>
> valid@domain.com OK
> domain.com REJECT
>
> However, I can see in the policy service that invalid@domain.com addresses
> are still checked. How could have them definitely rejected before?

A couple of thoughts:

* If you are testing this by sending email from the same system via sendmail
instead of SMTP, it won't be blocked.

* If you are testing from a machine in $permit_mynetworks, it won't be blocked.

* If you are sending it from a pop-before-smtp IP address, it won't be blocked.

--
Greg

Greg Hackney <hackney@swbell.net> writes:

> Pascal Bourguignon wrote:
>> I've got in main.cf:
>> smtpd_recipient_restrictions =
>> permit_mynetworks
>> reject_invalid_hostname
>> reject_non_fqdn_sender
>> reject_non_fqdn_recipient
>> reject_unauth_pipelining
>> reject_unknown_sender_domain
>> reject_unknown_recipient_domain
>> check_client_access hash:/etc/postfix/pop-before-smtp
>> reject_unauth_destination
>> check_recipient_access hash:/etc/postfix/recipient_access
>> check_policy_service inet:127.0.0.1:2525
>> reject_rbl_client relays.ordb.org
>> reject_rbl_client bl.spamcop.net
>> permit_mx_backup
>> check_relay_domains
>> permit_auth_destination
>> permit
>> and in recipient_access:
>> valid@domain.com OK
>> domain.com REJECT
>> However, I can see in the policy service that invalid@domain.com
>> addresses
>> are still checked. How could have them definitely rejected before?
>
> A couple of thoughts:
>
> * If you are testing this by sending email from the same system via sendmail
> instead of SMTP, it won't be blocked.
>
> * If you are testing from a machine in $permit_mynetworks, it won't be blocked.
>
> * If you are sending it from a pop-before-smtp IP address, it won't be blocked.

Well I tried it from a host that is amongst the mx backups, but I
guess the main problem was that I had OK in the recipient_access.

If I put DUNNO instead there, then the messages still go thru the
remaining filters instead of being accepted and skipping out of the
restriction list.

recipient_access:

valid@domain.com DUNNO
domain.com REJECT


--
__Pascal Bourguignon__ http://www.informatimago.com/

"This statement is false." In Lisp: (defun Q () (eq nil (Q)))

Pascal Bourguignon wrote:

> Well I tried it from a host that is amongst the mx backups, but I
> guess the main problem was that I had OK in the recipient_access.
>
> If I put DUNNO instead there, then the messages still go thru the
> remaining filters instead of being accepted and skipping out of the
> restriction list.
>
> recipient_access:
>
> valid@domain.com DUNNO
> domain.com REJECT
>
>


I suspect you might be going about it the wrong way in regards
to checking for valid local recipient addresses.

The tables for valid local recipients should be specified in
local_recipient_maps.

http://www.postfix.org/LOCAL_RECIPIENT_README.html

--
Greg