
I am trying to implement a blocklist for senders and domains in my postfix (Debian 12) setup. This is what I have so far:

smtpd_sender_restrictions = 
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    check_sender_access hash:/etc/postfix/access

And:

smtpd_recipient_restrictions = 
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining,
    check_sender_access hash:/etc/postfix/access,
    # SPF checks (main.cf only accepts comments on their own line, not after a value)
    check_policy_service unix:private/policy,
    # Postgrey
    check_policy_service inet:127.0.0.1:10023

As far as I understand the Postfix docs, the first one applies to the "MAIL FROM:" dialog while the second affects the "RCPT TO:" dialog in the communication.

So my access file has the following (postmap done):

.toobena.or.mg DISCARD Spam domain

But I can still send emails to my local accounts using an envelope address with the to-be-blocked domain from access. See the dialog through telnet:

root@host:~# telnet mail.dom.com 25
Trying 18.16.42.16...
Connected to mail.dom.com.
Escape character is '^]'.
220 mail.dom.com ESMTP Postfix
ehlo mail.toobena.or.mg
250-mail.dom.com
[...]
mail from: [email protected]
250 2.1.0 Ok

I read somewhere that the restrictions apply at a later stage instead of immediately. However, I expected the attempt to deliver mail would already be blocked here. But if not, I can easily insert mail for a local account, which gets delivered. This is the log of a successful delivery (which should have been blocked):

Jun 12 20:51:41 nc postfix/smtpd[100170]: connect from mail.toobena.or.mg[5.104.111.28]
Jun 12 20:51:43 nc postfix/policy-spf[100175]: Policy action=PREPEND Received-SPF: pass (toobena.or.mg: 5.104.111.28 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mail.dom.com; identity=mailfrom; envelope-from="[email protected]"; helo=mail.toobena.or.mg; client-ip=5.104.111.28
Jun 12 20:51:43 nc postfix/smtpd[100170]: 07D1EDF910: client=mail.toobena.or.mg[5.104.111.28]
Jun 12 20:51:43 nc postfix/qmgr[99783]: 07D1EDF910: from=<[email protected]>, size=28861, nrcpt=1 (queue active)
Jun 12 20:51:43 nc postfix/smtpd[100170]: disconnect from mail.toobena.or.mg[5.104.111.28] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

So mail gets accepted and put into the queue for local delivery.

I just do not understand why it is getting accepted. Yes, the sender has a valid SPF record. But does it override the other checks? I thought they are checked in order, and the SPF policy is the last one...

Does anyone have an idea what I am doing wrong here?

  • Can you post the output of postconf smtpd_relay_restrictions? Commented Jun 21 at 6:44
  • Here you are: root@nc:/etc/postfix# postconf smtpd_relay_restrictions → smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
    – Christian
    Commented Jun 22 at 7:36

1 Answer


You may need to alter /etc/postfix/access to contain a more flexible match. So rather than:

.toobena.or.mg DISCARD Spam domain

which I think (in the Berkeley DB "hash" format) only matches .toobena.or.mg,

make it match the domain:

toobena.or.mg DISCARD Spam domain

or perhaps:

*@toobena.or.mg DISCARD Spam domain

  • When reading man 5 access I read ` domain.tld Matches domain.tld as the domain part of an email address.` So I tend to say my syntax is correct, isn't it?
    – Christian
    Commented Jun 23 at 15:35
  • Yes, but you have .toobena.or.mg not toobena.or.mg so it's possible the . prefix is causing a problem. Commented Jun 23 at 15:48
  • Hi, sorry, I copied the wrong part from the manpage. It reads: .domain.tld Matches subdomains of ... but only when the string "smtpd_access_maps is ***not*** listed in parent_domain_matches_subdomains". Which is not listed. So it should apply. The only idea I have is that it might match only subdomains, but not the parent domain. I will check.
    – Christian
    Commented Jun 24 at 8:24
  • I am wondering. But yes, without the "." it works. Thank you!
    – Christian
    Commented Jun 25 at 3:56
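The question's "MAIL FROM:" being accepted and the answer's point about the leading "." come down to which keys smtpd actually looks up in the access table for a given sender. The following is an added example, not Postfix code and not from the question or answer: it emulates the lookup order documented in access(5) (user@domain, then the domain and its parent domains, then user@) for the two table entries discussed on this page. The sender addresses and the two table dictionaries are constructed stand-ins for a postmap'ed /etc/postfix/access; address-extension stripping (recipient_delimiter) is left out.

```python
"""Emulate the access(5) lookup order Postfix uses for check_sender_access.

Added example, not Postfix code. It reproduces the key order documented in
access(5) so the effect of a leading "." in /etc/postfix/access can be
checked offline. Address-extension stripping (recipient_delimiter) is omitted.
"""

# Constructed stand-ins for /etc/postfix/access after "postmap": the entry
# from the question and the entry the answer proposes.
ORIGINAL_TABLE = {".toobena.or.mg": "DISCARD Spam domain"}
FIXED_TABLE = {"toobena.or.mg": "DISCARD Spam domain"}


def lookup_keys(sender, access_maps_match_subdomains=True):
    """Return the keys smtpd tries, in order, for a MAIL FROM address.

    access_maps_match_subdomains=True emulates the Postfix default, where
    "smtpd_access_maps" is listed in parent_domain_matches_subdomains and a
    bare domain.tld entry also covers its subdomains. False emulates that
    string being removed, where only ".parent.tld" entries cover subdomains.
    The sender is expected to carry a domain (reject_non_fqdn_sender ensures
    that in the question's setup).
    """
    sender = sender.lower()              # hash table keys are folded to lower case
    local, _, domain = sender.rpartition("@")
    keys = [sender]                      # 1. user@domain
    name = domain
    while name:
        keys.append(name)                # 2. domain, then each parent domain
        dot = name.find(".", 1)          # skip a leading "." when present
        if dot < 0:
            break                        # reached the top-level label
        # default style walks to "parent.tld"; the other style to ".parent.tld"
        name = name[dot + 1:] if access_maps_match_subdomains else name[dot:]
    keys.append(local + "@")             # 3. user@
    return keys


def check_sender_access(table, sender, access_maps_match_subdomains=True):
    """Return (matched_key, action) for the first hit, or None for DUNNO."""
    for key in lookup_keys(sender, access_maps_match_subdomains):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    # Constructed senders: the blocked domain itself and one of its subdomains.
    for sender in ("someone@toobena.or.mg", "x@mail.toobena.or.mg"):
        for style in (True, False):
            print(sender, "default" if style else "no-parent-match",
                  "original:", check_sender_access(ORIGINAL_TABLE, sender, style),
                  "fixed:", check_sender_access(FIXED_TABLE, sender, style))
```

With the Postfix default, the sender domain toobena.or.mg produces the keys toobena.or.mg, or.mg and mg, so the dotted entry from the question is never consulted and the bare-domain entry from the answer matches both the domain and its subdomains. Note that `postmap -q key hash:/etc/postfix/access` tests one key exactly; the domain walk shown here is performed by smtpd, so querying the full sender address with postmap would not reveal a domain-level match.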
