OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
recipient restrictions: virtual mailboxes and check_policy_service interaction

From: Ion-Mihai Tetcu (itetcuFreeBSD.org)
Date: Mon Mar 03 2008 - 13:32:07 CST

Hi,

What I'm trying to understand is why mail for non-existent virtual
mailboxes is greylisted instead of rejected from the start.

This happens if the (client_name, client_address, sender triplet) is
greylisted:

Mar 3 20:08:20 worf postfix/smtpd[34590]: connect from risa.tecnik93.com[208.79.80.115]
Mar 3 20:08:20 worf postgrey[15192]: action=greylist, reason=new, client_name=risa.tecnik93.com, client_address=208.79.80.115, sender=itetcufreebsd.org, recipient=noncameradicommercio.ro
Mar 3 20:08:20 worf postfix/smtpd[34590]: NOQUEUE: filter: RCPT from risa.tecnik93.com[208.79.80.115]: <risa.tecnik93.com[208.79.80.115]>: Client host triggers FILTER lmtp:[127.0.0.1]:24; from=<itetcufreebsd.org> to=<noncameradicommercio.ro> proto=ESMTP helo=<risa.tecnik93.com>
Mar 3 20:08:20 worf postfix/smtpd[34590]: NOQUEUE: reject: RCPT from risa.tecnik93.com[208.79.80.115]: 450 4.2.0 <noncameradicommercio.ro>: Recipient address rejected: Try again in a few minutes; from=<itetcufreebsd.org> to=<noncameradicommercio.ro> proto=ESMTP helo=<risa.tecnik93.com>
Mar 3 20:08:20 worf postfix/smtpd[34590]: disconnect from risa.tecnik93.com[208.79.80.115]

but not if it's not greylisted:

Mar 3 21:21:08 worf postfix/smtpd[37005]: connect from risa.tecnik93.com[208.79.80.115]
Mar 3 21:21:08 worf postgrey[15192]: action=pass, reason=triplet found, delay=360, client_name=risa.tecnik93.com, client_address=208.79.80.115, sender=itetcufreebsd.org, recipient=noncameradicommercio.ro
Mar 3 21:21:08 worf postfix/smtpd[37005]: NOQUEUE: filter: RCPT from risa.tecnik93.com[208.79.80.115]: <risa.tecnik93.com[208.79.80.115]>: Client host triggers FILTER lmtp:[127.0.0.1]:24; from=<itetcufreebsd.org> to=<noncameradicommercio.ro> proto=ESMTP helo=<risa.tecnik93.com>
Mar 3 21:21:08 worf postfix/smtpd[37005]: NOQUEUE: reject: RCPT from risa.tecnik93.com[208.79.80.115]: 550 5.1.1 <noncameradicommercio.ro>: Recipient address rejec
ted: User unknown in virtual mailbox table; from=<itetcufreebsd.org> to=<noncameradicommercio.ro> proto=ESMTP helo=<risa.tecnik93.com>
Mar 3 21:21:08 worf postfix/smtpd[37005]: disconnect from risa.tecnik93.com[208.79.80.115]

And it also doesn't happen (irrespective of greylisting status)
if I drop the check_client_access
which /usr/local/etc/postfix/dspamd_filter_access would FILTER
everything via dspam:
/./ FILTER lmtp:[127.0.0.1]:24

It also won't happen for non-existing _local_ recipients.

 # postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
html_directory = no
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mynetworks = 81.196.207.128/27, 127.0.0.0/8,
newaliases_path = /usr/local/bin/newaliases
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination
relocated_maps = hash:/usr/local/etc/postfix/relocated
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_helo_restrictions = check_helo_access pcre:/usr/local/etc/postfix/hello_access
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_helo_hostname, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rhsbl_sender bogusmx.rfc-ignorant.org, check_policy_service inet:127.0.0.1:10023, check_client_access pcre:/usr/local/etc/postfix/dspamd_filter_access, permit_auth_destination
smtpd_restriction_classes = greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_key_file = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf, regexp:/usr/local/etc/postfix/virtual_regexp
virtual_gid_maps = static:125
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_limit_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
virtual_minimum_uid = 125
virtual_overquota_bounce = yes
virtual_transport = maildrop
virtual_uid_maps = static:125

Thanks,

--
IOnut - Un^d^dregistered ;) FreeBSD "user"
  "Intellectual Property" is nowhere near as valuable as "Intellect"