From: Noel Jones (njones megan.vbhcs.org)
Date: Tue Aug 19 2008 - 10:53:24 CDT
Jeff wrote:
> On Tue, Aug 12, 2008 at 3:23 PM, Noel Jones <njones megan.vbhcs.org> wrote:
>> Jeff wrote:
>>> We have an email gateway appliance at the network edge for spam/virus
>>> filtering. It relays mail to multiple postfix+imap servers behind the
>>> firewall. The back-end servers communicate directly with each other
>>> for internal mail across our VPN. The appliance will do smtp level
>>> recipient verification provided that our back-end services have it
>>> implemented. The problem is that we have some recipient addresses
>>> (linux /etc/alias entries as well as Active Directory distribution
>>> lists) that are intended for internal use only. We do not want these
>>> aliases to appear as valid recipients to the outside world.
>>>
>>> So, is there a way to configure postfix to report one set of valid
>>> recipients to our internal mail servers and clients and report a
>>> subset of valid recipients to the gateway appliance? I can easily
>>> break the recipient lists into separate maps, I just don't know how to
>>> apply them based on the address of the relay or client. The internal
>>> interface of the gateway appliance is on the same subnet as everything
>>> else, but does have a static IP address that could be used to identify
>>> it.
>>>
>>> # postconf -n
>>> alias_database = hash:/etc/aliases
>>> alias_maps = hash:/etc/aliases
>>> command_directory = /usr/sbin
>>> config_directory = /etc/postfix
>>> daemon_directory = /usr/libexec/postfix
>>> debug_peer_level = 2
>>> inet_interfaces = $myhostname, localhost
>>> local_destination_concurrency_limit = 5
>>> local_destination_recipient_limit = 300
>>> local_recipient_maps = $alias_maps, ldap:/etc/postfix/ldap-users.cf,
>>> ldap:/etc/postfix/ldap-aliases.cf
>>> mail_owner = postfix
>>> mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
>>> mailq_path = /usr/bin/mailq.postfix
>>> manpage_directory = /usr/share/man
>>> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
>>> mynetworks = 192.168.0.0/16, 127.0.0.0/8
>>> myorigin = $mydomain
>>> newaliases_path = /usr/bin/newaliases.postfix
>>> queue_directory = /var/spool/postfix
>>> readme_directory = /usr/share/doc/packages/postfix/README_FILES
>>> sample_directory = /usr/share/doc/packages/postfix/samples
>>> sendmail_path = /usr/sbin/sendmail.postfix
>>> setgid_group = postdrop
>>> smtpd_recipient_restrictions = permit_mynetworks,
>>> reject_unauth_destination, reject_unverified_recipient
>>> transport_maps = hash:/etc/postfix/transport
>>> unknown_local_recipient_reject_code = 550
>>>
>>> The ldap-alias.cf and ldap-users.cf are lookups for Active Directory
>>> distribution lists and real users.
>>>
>>
>> If all your internal clients are listed in mynetworks you can just create a
>> recipient blacklist and reject mail to those addresses when it arrives from
>> outside.
>>
>> # main.cf
>> smtpd_recipient_restrictions =
>>     permit_mynetworks
>>     reject_unauth_destination
>>     check_recipient_access hash:/etc/postfix/recipients
>>     reject_unverified_recipient
>>
>> # recipients
>> internal-example.com    REJECT restricted recipient
>>
>> For this to work, you may need to remove your gateway appliance from
>> mynetworks:
>> # main.cf
>> mynetworks = !ip.of.gate.way 192.168.0.0/16 127.0.0.0/8
>
> It took me a while before I could test this. The recommended solution
> succeeds at blocking the specified aliases when relayed through our
> gateway, but it does not do so at the SMTP level. It generates bounce
> notifications, which in the end will create back-scatter. The bounce
> message I got in testing gave an error code of 554.
>
> Some additional background: Our gateway appliance acts as a proxy for
> recipient verification. When the gateway wants to test for a valid
> recipient, it opens an SMTP connection to the appropriate back-end
> server and pretends to send a mail to the recipient from
> postmaster gateway.mydomain.com. If it gets a 550 from the back-end,
> it returns 550 to the sending MTA. So it seems that when it receives a
> 554 from the internal server as it did in this case, the gateway
> creates a bounce message instead of immediately notifying the external
> MTA of the failure.
>
> Can I tweak this so that the map in check_recipient_access returns 550
> instead of 554?
>
I strongly suspect your analysis is flawed, but here is the
knob to twiddle:
http://www.postfix.org/postconf.5.html#access_map_reject_code
--
Noel Jones
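The restriction chain this thread is about (permit_mynetworks, then reject_unauth_destination, then check_recipient_access) can be walked offline. The script below is an added example, not Postfix source and not code from the list post: it models those three restrictions with the access(5) lookup order and Postfix's default reply codes, so you can see which client gets which RCPT TO reply once the gateway is excluded from mynetworks, and what the access_map_reject_code knob Noel points to changes. Everything after check_recipient_access (reject_unverified_recipient) is deliberately not modelled; a recipient that reaches the end of the chain is simply accepted. The gateway address 192.168.1.10, the internal client 192.168.5.5, the domains and the staff-list address are constructed for the example.

```python
"""Offline model of the smtpd_recipient_restrictions chain from the thread.
Added example: not Postfix source, not code from the list post.
Only permit_mynetworks -> reject_unauth_destination -> check_recipient_access
are modelled; reject_unverified_recipient is left out."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator


def client_in_mynetworks(client_ip: str, mynetworks: str) -> bool:
    """First pattern containing the address decides; a leading '!' makes
    that pattern an exclusion (the trick used in the thread for the gateway)."""
    addr = ipaddress.ip_address(client_ip)
    for pattern in mynetworks.replace(",", " ").split():
        negated = pattern.startswith("!")
        if addr in ipaddress.ip_network(pattern.lstrip("!"), strict=False):
            return not negated
    return False


def parse_access_map(text: str) -> Dict[str, str]:
    """Text form of an access(5) table: one 'key action...' per line."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def access_lookup_keys(recipient: str) -> Iterator[str]:
    """access(5) order for an address: user@domain, domain, parent domains, user@."""
    local, _, domain = recipient.lower().rpartition("@")
    yield f"{local}@{domain}"
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    yield f"{local}@"


@dataclass
class SmtpdConfig:
    mynetworks: str
    mydestination: FrozenSet[str]
    access_map: Dict[str, str]
    access_map_reject_code: int = 554    # Postfix default; the knob from the thread
    relay_domains_reject_code: int = 554  # Postfix default


def check_recipient(cfg: SmtpdConfig, client_ip: str, recipient: str) -> str:
    """Reply the modelled server gives at RCPT TO for this client/recipient."""
    # 1. permit_mynetworks: trusted clients skip every later restriction
    if client_in_mynetworks(client_ip, cfg.mynetworks):
        return "250 2.1.5 Ok"
    # 2. reject_unauth_destination: only accept mail for domains we host
    domain = recipient.rpartition("@")[2].lower()
    if domain not in cfg.mydestination:
        return f"{cfg.relay_domains_reject_code} 5.7.1 <{recipient}>: Relay access denied"
    # 3. check_recipient_access: the first key found in the table decides
    for key in access_lookup_keys(recipient):
        if key in cfg.access_map:
            action, _, text = cfg.access_map[key].partition(" ")
            action = action.upper()
            if action == "OK":
                return "250 2.1.5 Ok"
            if action == "REJECT" or (action.isdigit() and action[0] in "45"):
                code = cfg.access_map_reject_code if action == "REJECT" else int(action)
                return f"{code} 5.7.1 <{recipient}>: Recipient address rejected: {text or 'Access denied'}"
            break  # DUNNO: stop substring lookups, continue with the chain
    # 4. reject_unverified_recipient is not modelled: fall through to accept
    return "250 2.1.5 Ok"


# Constructed access table, same shape as the one proposed in the thread.
ACCESS_MAP_TEXT = """\
internal-example.com    REJECT restricted recipient
staff-list@example.com  REJECT internal distribution list
"""
GATEWAY_IP = "192.168.1.10"   # constructed stand-in for ip.of.gate.way
INTERNAL_IP = "192.168.5.5"   # constructed internal client


def make_config(mynetworks: str, access_map_reject_code: int = 554) -> SmtpdConfig:
    return SmtpdConfig(mynetworks, frozenset({"example.com", "internal-example.com"}),
                       parse_access_map(ACCESS_MAP_TEXT), access_map_reject_code)


def demo() -> Dict[str, str]:
    """RCPT TO replies for the situations discussed in the thread."""
    excluded = make_config(f"!{GATEWAY_IP} 192.168.0.0/16 127.0.0.0/8")
    excluded_550 = make_config(f"!{GATEWAY_IP} 192.168.0.0/16 127.0.0.0/8", 550)
    not_excluded = make_config("192.168.0.0/16 127.0.0.0/8")
    restricted = "restricted@internal-example.com"
    return {
        "gateway, restricted alias, default code": check_recipient(excluded, GATEWAY_IP, restricted),
        "gateway, restricted alias, code 550": check_recipient(excluded_550, GATEWAY_IP, restricted),
        "internal client, restricted alias": check_recipient(excluded, INTERNAL_IP, restricted),
        "gateway, ordinary user": check_recipient(excluded, GATEWAY_IP, "user@example.com"),
        "gateway, foreign domain": check_recipient(excluded, GATEWAY_IP, "someone@elsewhere.org"),
        "gateway still in mynetworks": check_recipient(not_excluded, GATEWAY_IP, restricted),
    }


if __name__ == "__main__":
    for case, reply in demo().items():
        print(f"{case:45} -> {reply}")
```

The last case in demo() shows why the gateway has to be taken out of mynetworks: while it matches permit_mynetworks, the access table is never consulted for it. On a real server the same question is settled by reading the reply the back-end gives at RCPT TO, in the smtpd log or in a manual SMTP session, rather than by reading the bounce the gateway produces afterwards.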