Re: bouncing bad extensions (Modified by gene)

gene wrote:
>
>
> I did get REJECT with that 'postmap -q' command, and in fact, the
> majority of the emails to REJECTed addresses are now properly rejected.

great!

> But here are the headers of an email that got through:
>
>
> Return-Path: <bnjhweriowei@chol.com>
> X-Original-To: hector@smalltime.com
> Delivered-To: hector@smalltime.com
> Received: by newt.smalltime.com (Postfix, from userid 65534)
> id 64E4B5BAD5; Thu, 26 May 2005 14:25:53 -0700 (PDT)
> X-Greylist: delayed 32285 seconds by postgrey-1.21 at
> newt.smalltime.com; Thu, 26 May 2005 14:25:44 PDT
> Received: from 66.92.15.192 (unknown [220.117.128.235])
> by newt.smalltime.com (Postfix) with SMTP id 084CC5BAD4
> for <hector@smalltime.com>; Thu, 26 May 2005 14:25:44 -0700 (PDT)
> Received: from [146.145.118.171] by 66.92.15.192 with ESMTP id
> <933351-60948> for <hector01@smalltime.com>; Thu, 26 May 2005 19:21:49 -0200
> [snip]
> To: hector01@smalltime.com


Assuming no header rewrite/forgery/..., this means some system has
expanded the alias hector01 to hector (or to hector + other addresses)
before giving it to the postfix system that does the reject. so the
latter receives mail for an authorized address (in the RCPT TO command).
Other things may happen too. the only thing that counts here is smtp
commands not message headers (which are checked in another place).

>
> The To field and the third Received field both list
> hector01@smalltime.com, an address that should be rejected. However,
> the X-Original-To, Delivered-To, and second Received fields list
> hector@smalltime.com, which is a legitimate address. In fact,
> hector01@smalltime.com was formerly an alias to hector@smalltime.com,
> but has since been retired. Nothing for hector01 should be getting
> through, with or without the check_recipient_access (that's not true for
> some other addresses which is why I asked the original question).
>
> I see in the logs that it looks like the same email is rejected for
> hector01 but accepted for hector:
> [snip]
>
> This all leads me to conclude that postfix is working fine now, but that
> a single email can be processed for multiple recipients. Is that correct?
>

yes, smtpd_recipient_restrictions are processed once for every recipient.

>
> Here is my 'postconf -n' for good measure:
> [snip]
> smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,

why put reject_non_fqdn_recipient here? you have it in
smtpd_recipient_restrictions below. and it's more "readable" there.

> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks
> reject_unauth_destination reject_invalid_hostname
> reject_non_fqdn_recipient reject_unknown_recipient_domain
> reject_unauth_destination

you have reject_unauth_destination twice.

check_policy_service inet:127.0.0.1:10937
> check_recipient_access hash:/etc/postfix/access

you should do recipient check before your policy service instead.

permit_mx_backup

the permit_mx_backup is useless after reject_unauth_destination. just
remove it (don't just put it before reject_unauth_destination. mx relay
ought to be controlled to some extent if not just denied).