Re: smtpd_reject_unlisted_recipient and reject_unlisted_recipient behavior

2023-02-01 Thread Wietse Venema 
post...@ptld.com:
> >> Or does reject_unlisted_recipient get disabled completely
> >> when smtpd_reject_unlisted_recipient=no?
> > 
> > You can then use "reject_unlisted_recipient" explicitly at
> > the appropriate stage in the recipient restrictions.
> 
> 
> Okay, I understand why doing any of this in DATA is bad and I should have 
> realized that.
> 
> Just to clarify in trying to achieve my end goal, is there any way
> to get milters to run before postfix would evaluate
> reject_unlisted_recipient in the RCPT command?

No. If Postfix rejects information then Postfix will not pass it to Milters.
Otherwise, Milters would get out of sync with Postfix.

I recently added a section on this in the Postfix documentation.
https://www.postfix.org/MILTER_README.html#when-inspect

Wietse

Re: smtpd_reject_unlisted_recipient and reject_unlisted_recipient behavior

2023-02-01 Thread postfix 

Or does reject_unlisted_recipient get disabled completely
when smtpd_reject_unlisted_recipient=no?


You can then use "reject_unlisted_recipient" explicitly at
the appropriate stage in the recipient restrictions.



Okay, I understand why doing any of this in DATA is bad and I should have 
realized that.

Just to clarify in trying to achieve my end goal, is there any way to get 
milters to run before postfix would evaluate reject_unlisted_recipient in the 
RCPT command?

Re: smtpd_reject_unlisted_recipient and reject_unlisted_recipient behavior

2023-01-31 Thread Viktor Dukhovni 
On Tue, Jan 31, 2023 at 11:30:59PM -0500, post...@ptld.com wrote:
> I am looking to understand if I misinterpreted the documentation or if this 
> is an issue with postfix.
> 
> main.cf
>  smtpd_reject_unlisted_recipient = no
>  smtpd_data_restrictions = reject_unlisted_recipient

This won't work for multi-recipient messages.

> My intention is to prevent postfix from rejecting invalid recipients
> at the RCPT command and only reject them at the DATA command.

Sorry, that's not supported, and not semantically possible.  You'd end
up rejecting the entire message, valid recipients and all, which even if
that's what you want is not a sound approach.  In any case Postfix
smtpd(8) does not buffer up all the recipients in memory to run the
restriction for each in turn at the data stage.

> user (virtual_mailbox_maps) on the same valid domain
> (virtual_mailbox_domains). Just to be clear, a valid user would be
> ad...@example.com, the alias created was al...@example.com ->
> f...@example.com. There is no valid user f...@example.com in
> virtual_mailbox_maps.

Also, Postfix recipient validation is "shallow", existing aliases to
non-existent users will be accepted.

> I assumed smtpd_data_restrictions=reject_unlisted_recipient would have
> caught this and rejected the mail before sending it to LMTP.

Nope, that's not how it works.

> Was it supposed to?

No.

> Or does reject_unlisted_recipient get disabled completely
> when smtpd_reject_unlisted_recipient=no?

You can then use "reject_unlisted_recipient" explicitly at
the appropriate stage in the recipient restrictions.

> Is it possible to have the behavior I am expecting?

Only with a policy server, that buffers up the recipients, and does
something at the data stage in response to a policy query.

-- 
Viktor.