From: Dan Farrell on
On Mon, 05 Apr 2010 15:01:24 -0500
Noel Jones <njones(a)megan.vbhcs.org> wrote:

> On 4/5/2010 2:48 PM, Dan Farrell wrote:
> > Hi List! Hail, Postfix Gurus!
> >
> > I'm having problems using smtpd_recipient_restrictions with
> > check_recipient_access.
> >
> > My goal is to send mail from this machine only to email addresses I
> > specify. All other mail should be rejected, including mail from
> > localhost. (It's a development server used for testing websites,
> > and some of those websites have bulk mailing features so it's
> > important only developers and admins get the email). The machine
> > only delivers mail from local sources and needn't receive any mail
> > at all.
> >
> > I've managed to configure postfix to reject mail that I try to send
> > from the local machine with telnet[1]:
> >
> > However PHP's mail() function still sends. I think PHP's mail()
> > uses sendmail; I noticed that I can also send to unauthorized
> > recipients with Postfix's sendmail program[2].
> >
> > My question is this: how do I reject recipients when I send mail
> > through postfix's sendmail, or through PHP?
> >
> > I've attached main.cf and relay_recipients as well. I'm trying to
> > use relay_recipients as an access table for check_recipient_access
> > as well as the relay_recipients table. Is that OK?
> >
> > It seems as though my telnet connections are triggering
> > reject_unauth_destination, because of the failed lookup in
> > relay_domains and/or relay_recipient_maps. Perhaps these lookups
> > don't apply in the case of sendmail submissions, which are "even
> > more local" than localhost:25 connections?
> >
> > I am clearly missing the magic words that impose recipient
> > restrictions on sendmail submissions just as my current config does
> > for localhost:25 submissions. I thought check_recipient_access
> > seemed perfect, but its inclusion in smtpd_recipient_restrictions
> > seems to have had no effect.
> >
> > Thank you very much for your help. I truly appreciate it.
> >
> > Exhibits:
> >
> > [1] telnet transcript
> >
> > [root(a)dev ~]# telnet localhost 25
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 dev.srv.inetglobal.com ESMTP Postfix (2.6.5)
> > helo localhost
> > 250 dev.srv.inetglobal.com
> > mail from: dan(a)localhost
> > 250 2.1.0 Ok
> > rcpt to: dan(a)spore.ath.cx
> > 554 5.7.1<dan(a)spore.ath.cx>: Relay access denied
> > rcpt to: dan(a)danf.us
> > 550 5.1.1<dan(a)danf.us>: Recipient address rejected: User unknown in
> > relay recipient table
> > quit
> > 221 2.0.0 Bye
> > Connection closed by foreign host.
> >
> > [2] sendmail transcript
> >
> > [root(a)dev ~]# sendmail dan(a)danf.us
> > Hi Dan!
> > .<the mail can be found in dan(a)danf.us inbox>
>
>
> Perhaps surprisingly, postfix smtpd_*_restrictions only apply
> to mail submitted via SMTP. The sendmail(1) command does not
> submit mail via SMTP.
>
> One way to limit delivery for testing is to set
> "default_transport = error:" and then list valid recipients in
> transport_maps pointing to the smtp: or local: transport as
> appropriate.
>
> -- Noel Jones

Thank you Noel,

I was afraid of that. I guess it makes sense. So, if I actually sent
mail through a separate postfix relay, my configuration would work
perfectly, but since submission is done via sendmail and therefore
submitted directly to postdrop, the smtpd restrictions don't apply.

I will do as you suggest. Anyone else have suggestions for blocking
most email in this situation?

Thanks All,

Dan F
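
The approach Noel Jones describes, written out as an added example (not part of the original thread and not either poster's actual configuration). The map path `/etc/postfix/transport`, the recipient addresses and the bounce text are constructed placeholders.

```ini
# ---- /etc/postfix/main.cf (fragment) ----
# Any non-local recipient without an explicit transport_maps entry is handed
# to the error(8) delivery agent, which bounces the message with this text
# instead of delivering it.
default_transport = error:mail to this recipient is not permitted on this development host

# Allow-list of recipients. The path is an assumption; any lookup table
# type Postfix supports can be used here.
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/transport ----
# Constructed sample recipients. A full user@domain key matches exactly
# that address. An empty next-hop after "smtp:" means "deliver to the
# recipient's own domain as usual".
dev1@example.com      smtp:
admin@example.org     smtp:

# ---- after editing (run as root) ----
#   postmap /etc/postfix/transport     # rebuild the hash: table
#   postfix reload                     # pick up the main.cf change
#
# Check what the table returns before sending any test mail:
#   postmap -q dev1@example.com hash:/etc/postfix/transport
#       prints "smtp:"  (listed, so it is delivered normally)
#   postmap -q stranger@example.net hash:/etc/postfix/transport
#       prints nothing and exits non-zero (not listed, so it falls
#       through to default_transport and is bounced)
```

Because the transport decision is made after the message is queued, it covers mail submitted with sendmail(1) and PHP's mail() as well as SMTP, but the submission itself is still accepted: the refusal shows up as a bounce to the sender and in the mail log. Recipients in domains listed in `mydestination` use `local_transport` rather than `default_transport`, so local delivery is not affected by this setting.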