I am trying to implement a blocklist for senders and domains in my Postfix (Debian 12) setup. This is what I have so far:
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    check_sender_access hash:/etc/postfix/access
And:
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining,
    check_sender_access hash:/etc/postfix/access,
# SPF checks (main.cf does not allow comments at the end of a value line, so they go on their own lines)
    check_policy_service unix:private/policy,
# Postgrey
    check_policy_service inet:127.0.0.1:10023
As far as I understand the Postfix docs, the first one applies to the "MAIL FROM:" dialog while the second affects the "RCPT TO:" dialog of the communication.
So my access file has the following (postmap done):
.toobena.or.mg DISCARD Spam domain
But I can still send emails to my local accounts using an envelope address with the to-be-blocked domain from the access file. See the dialog through telnet:
root@host:~# telnet mail.dom.com 25
Trying 18.16.42.16...
Connected to mail.dom.com.
Escape character is '^]'.
220 mail.dom.com ESMTP Postfix
ehlo mail.toobena.or.mg
250-mail.dom.com
[...]
mail from: [email protected]
250 2.1.0 Ok
I read somewhere that the restrictions apply at a later stage instead of immediately. However, I expected the attempt to deliver mail would already be blocked here. But even if not, I can easily insert mail for a local account, and it gets delivered. This is the log of a successful delivery (which should have been blocked):
Jun 12 20:51:41 nc postfix/smtpd[100170]: connect from mail.toobena.or.mg[5.104.111.28]
Jun 12 20:51:43 nc postfix/policy-spf[100175]: Policy action=PREPEND Received-SPF: pass (toobena.or.mg: 5.104.111.28 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mail.dom.com; identity=mailfrom; envelope-from="[email protected]"; helo=mail.toobena.or.mg; client-ip=5.104.111.28
Jun 12 20:51:43 nc postfix/smtpd[100170]: 07D1EDF910: client=mail.toobena.or.mg[5.104.111.28]
Jun 12 20:51:43 nc postfix/qmgr[99783]: 07D1EDF910: from=<[email protected]>, size=28861, nrcpt=1 (queue active)
Jun 12 20:51:43 nc postfix/smtpd[100170]: disconnect from mail.toobena.or.mg[5.104.111.28] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
So mail gets accepted and put into the queue for local delivery.
I just do not understand why it is getting accepted. Yes, the sender has a valid SPF record. But does it override the other checks? I thought they are checked in order, and the SPF policy is the last one...
Does anyone have an idea what I am doing wrong here?
postconf smtpd_relay_restrictions?

root@nc:/etc/postfix# postconf smtpd_relay_restrictions
smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}