Postfix REJECT (not BOUNCE) unknown virtual aliases
We run a small postfix (and dovecot) mail server for a number of hosted domains, using virtual alias maps and with spamassassin configured.
Recently it's become apparent that we're generating some backscatter; spam emails are coming into non-existent email addresses and they are being bounced back to the forged sender. This is obviously a problem in terms of reputation for our mail server and also means we're spamming on behalf of the spammers.
What I want to do then is change the postfix behaviour so that, instead of generating a bounce email from MAILER-DAEMON, the mail is rejected during the SMTP transaction.
I've tried adding local_recipient_maps (http://www.postfix.org/LOCAL_RECIPIENT_README.html), but this made no difference. I think this is because I'm using virtual_alias_maps (and other virtual mailbox solutions don't seem to apply here either).
postconf -n generates:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = verrotech.com
myhostname = mail.verrotech.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.com/privkey.pem
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
Thank you.
Solution 1:
After some research, your question made me realize that I had the same problem in my mail server, so first of all, thanks.
Second, you should note that, by default, postfix blocks this kind of traffic. In the manual, under smtpd_reject_unlisted_recipient:
smtpd_reject_unlisted_recipient (default: yes)
Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages.
So, why are you getting 250 OK for unknown destination mails? Because of these lines:
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_alias_maps = hash:/etc/postfix/virtual
The smtpd_reject_unlisted_recipient check looks at destination mails, but very specifically:
An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.
The recipient domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the recipient is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps.
The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
The recipient domain matches $relay_domains but the recipient is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.
As your mydestination does not include your $mydomain (only the servername and localhost) and you do not have any *_domains in place, there are no other checks for "known" destinations.
You only need to add:
virtual_alias_domains = $mydomain
and reload postfix. (If I'm getting your config right and all your mail is in the form "[email protected]")
If that does not work, you might try this:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unverified_recipient
NOTE: it will check via the RCPT TO command if the destination truly exists, for both incoming and outgoing messages. Use with caution since it makes an extra connection for each new destination and will take some time to respond to every mail your server processes (it can take a few seconds to test each destination).
Solution 2:
This answer isn't exactly what you asked for, but this is how I solved that problem for my own use cases.
Discarding Bounces:
In /etc/postfix/main.cf, I have:
2bounce_notice_recipient = devnull
bounce_notice_recipient = devnull
bounce_queue_lifetime = 0d
delay_warning_time = 0h
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
In /etc/postfix/aliases, I have:
devnull: /dev/null
Then I run:
postmap aliases
postfix reload
The end result is that bounces go to /dev/null. It may not catch all of them, so YMMV. Please let me know if this works for you.