I note my Subject is inconsistent; I originally tried the forward as a virtual alias with the same result (verification of the external forward address, not the recipient address), then changed to virtual mailboxes.

On Fri, 2021-08-27 at 11:47 -0600, Jesse Norell wrote:
> Hello,
>
> I am trying to utilize 'reject_unverified_recipient' selectively, so
> that only addresses for domains which I host are verified, ahead of
> permitting sasl senders, in order to avoid bounces for unknown
> recipients of local domains. In summary, the setup seems to work
> correctly for mailboxes, but a problem arises with forwarded addresses,
> where verification is performed for the destination of the forward
> (external domain), rather than the smtp recipient address (local
> domain).
>
> I am using postfix 3.4.14-0+deb10u1 from Debian.
>
> I set up test.com to demonstrate and created a [email protected] mailbox
> and a [email protected] forward to my gmail account:
>
>   # postconf virtual_mailbox_domains virtual_mailbox_maps
>   virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
>   virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
>
>   # postmap -q test.com mysql:/etc/postfix/mysql-virtual_domains.cf
>   test.com
>
>   # postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_mailboxes.cf
>   test.com/mailbox/
>
>   # postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_mailboxes.cf
>   [email protected]
>
>
> I set 'reject_unverified_recipient' via the mysql-virtual_recipient.cf
> map:
>
>   smtpd_recipient_restrictions = permit_mynetworks,
>       reject_unknown_recipient_domain,
>       reject_unlisted_recipient,
>       check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf,
>       permit_sasl_authenticated,
>       reject_non_fqdn_recipient,
>       reject_unauth_destination,
>       check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
>       check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
>       check_policy_service unix:private/quota-status
>
>   # grep query /etc/postfix/mysql-verify_recipients.cf
>   query = SELECT 'reject_unverified_recipient' FROM mail_domain WHERE domain = '%s' AND active = 'y' AND server_id = 1
>
>
> The mysql-verify_recipients.cf query works correctly for domains I
> host and for external domains:
>
>   # postmap -q test.com mysql:/etc/postfix/mysql-verify_recipients.cf
>   reject_unverified_recipient
>   # postmap -q gmail.com mysql:/etc/postfix/mysql-verify_recipients.cf
>   # (<-- no output)
>
>
> What I expect and want is that lookups for test.com recipient
> addresses will undergo address verification, and addresses for external
> domains like gmail.com will not. However, when I send to
> [email protected], what happens is address verification for
> [email protected] fails. The failure is correct, because my test server
> does not have outbound smtp access (nor ipv6), but I don't want address
> verification for the gmail.com address to take place at all.
>
> Replies from my smtp conversations are:
>
>   Rcpt To:<[email protected]>
>   250 2.1.5 Ok
>
> and on first attempt:
>
>   Rcpt To:<[email protected]>
>   450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: Address verification in progress
>
> then on subsequent attempts with a verification cache entry present:
>
>   Rcpt To:<[email protected]>
>   450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: connect to gmail-smtp-in.l.google.com[142.250.138.26]:25: Connection timed out
>
> Logs show:
>
>   Aug 27 11:31:15 dev postfix/smtpd[1091]: NOQUEUE: reject: RCPT from my.host.name[xx.xx.xx.xx]: 450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: connect to gmail-smtp-in.l.google.com[142.250.138.26]:25: Connection timed out; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<my.host.name>
>   Aug 27 11:31:15 dev postfix/qmgr[11728]: 1224C210A0: from=<[email protected]>, size=275, nrcpt=1 (queue active)
>   Aug 27 11:31:15 dev postfix/smtp[1235]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4023:1006::1b]:25: Network is unreachable
>
>
> So the recipient address [email protected] triggered the verification,
> but the verification itself is being performed against the address I
> forwarded to, [email protected]. If I remove the
> mysql-verify_recipients.cf check, the recipient is accepted:
>
>   Rcpt To:<[email protected]>
>   250 2.1.5 Ok
>
> I don't see any way to configure around this, but perhaps I'm
> overlooking something. Or possible bug?
>
> Thanks,
> Jesse
>
> --
> Jesse Norell
> Kentec Communications, Inc.
> 970-522-8107 - www.kci.net
>

--
Jesse Norell
Kentec Communications, Inc.
970-522-8107 - www.kci.net
