From: Wietse Venema (wietse@porcupine.org)
Date: Tue Mar 06 2001 - 08:00:34 CST

    Lars Hecking:
    >
    > Would it be possible to implement (from canonical(5), virtual(5))
    >
    > ADDRESS EXTENSION
    > When table lookup fails, and the address localpart contains
    > the optional recipient delimiter (e.g., user+foo@domain),
    > the search is repeated for the unextended address (e.g.
    > user@domain),

    That seems to be possible - just delete the extension.

    > and the unmatched extension is propagated to
    > the result of table lookup.

    The right-hand side of an access table is not an address, so there is
    no place for the extension to go. Apart from that, copying the
    extension allows the sender control over the result of an access
    decision, which seems questionable.

    > The matching order is:
    > user+foo@domain, user@domain, user+foo, user, and @domain.
    >
    > for access(5)?

    I'd simplify this to:

            strip the extension
            look up the address as already implemented

    > Problem: to foil "Rumplestiltskin" attacks, I was going to set up an
    > access restriction
    >
    > smtpd_recipient_restrictions =
    > check_recipient_access hash:/etc/postfix/valid_rcpt
    > reject
    >
    > where valid_rcpt contains a list of localparts gathered from
    > aliases/yp/virtual tables.
    >
    > localpart1 OK
    > localpart2 OK
    > ...
    >
    > But this config rejects plussed addresses, and for now I have to use
    > an ugly workaround with an additional regexp map before the reject.
    >
    > Is there a better solution? Do you think that access(5), too,
    > should allow "$recipient_delimiter" delimited local-parts?

    It probably should.

            Wietse
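
The lookup discussed in this message ("strip the extension, look up the address as already implemented"), as an added example that is not part of the original post and is not Postfix code. It is a simplified model: the table is keyed by bare localpart as in the quoted valid_rcpt listing, and the `+` delimiter, function names and sample addresses are assumptions.

```python
# Added illustration, not Postfix source. All names here are hypothetical.
RECIPIENT_DELIMITER = "+"  # assumed setting of $recipient_delimiter

# Constructed stand-in for hash:/etc/postfix/valid_rcpt (localpart -> action).
VALID_RCPT = {"localpart1": "OK", "localpart2": "OK"}


def strip_extension(localpart, delimiter=RECIPIENT_DELIMITER):
    """Drop everything from the first delimiter on; keep odd forms unchanged."""
    if not delimiter:
        return localpart
    base, sep, _extension = localpart.partition(delimiter)
    # No delimiter, or nothing in front of it ("+foo"): nothing to strip.
    return base if sep and base else localpart


def check_recipient(rcpt, table=VALID_RCPT, strip=True):
    """Model of: check_recipient_access <table>, then an unconditional reject."""
    localpart = rcpt.rsplit("@", 1)[0]
    key = strip_extension(localpart) if strip else localpart
    # The action comes from the table alone; the sender-chosen extension is
    # discarded and never copied into the access decision.
    return table.get(key, "REJECT")


if __name__ == "__main__":
    for rcpt in ("localpart1@example.com", "localpart1+foo@example.com",
                 "guess+localpart1@example.com", "+localpart1@example.com"):
        print(f"{rcpt:32} no-strip={check_recipient(rcpt, strip=False):7}"
              f" strip={check_recipient(rcpt)}")
```

With `strip=False` the plussed form of a valid recipient is rejected, which is the problem described in the quoted question; with stripping it is accepted, while an address whose base localpart is not in the table is still rejected.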