Postfix Check Order

koby

I would like to know if I can set the Postfix check order,
because I need "check_recipient_access" to be checked
before all the blacklists.
Why? Because if I get mail to an unavailable address,
I do not want to check any further and have a "reject" status.

I did set the needed line as follows:
" check_recipient_access hash:/etc/postfix/rcpt_allow"
And I also set the map as needed, and it's working fine, but NOT according to the order I need.

Please advise
Best regards,
Koby Peleg Hen
 

Stoiko Ivanov

Proxmox Staff Member
The checks on the Postfix level should be controlled by their order in the Postfix main.cf - if you need to change that, you need to use the templating system (and afterwards run `pmgconfig sync` and restart Postfix):
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

However:
Which blacklist are you referring to? The rule system is only reached if Postfix does not reject a mail before - so this should not happen if the mail is rejected by Postfix.

Please share some logs and the config.
 

koby

Hi all,

Here is the log from an arrived mail example:
(note: the recipient does not exist on my server)

Code:
Apr  9 08:21:35 smg-lab01 postfix/postscreen[31763]: CONNECT from [134.73.134.134]:55390 to [95.217.215.74]:25
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.3
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.12
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.2
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31768]: addr 134.73.134.134 listed by domain ***.zen.dq.spamhaus.net as 127.0.0.3
Apr  9 08:21:41 smg-lab01 postfix/postscreen[31763]: DNSBL rank 2 for [134.73.134.134]:55390
Apr  9 08:21:42 smg-lab01 postfix/postscreen[31763]: NOQUEUE: reject: RCPT from [134.73.134.134]:55390: 550 5.7.1 Service unavailable; client [134.73.134.134] blocked using mail.abusix.zone; from=<cross@hardhike.cam>, to=<meir@mksoft.co.il>, proto=ESMTP, helo=<hardhike.cam>
Apr  9 08:21:42 smg-lab01 postfix/postscreen[31763]: DISCONNECT [134.73.134.134]:55390

Here are the relevant lines in main.cf:

Code:
postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/postscreen_access

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_recipient
        check_recipient_access  regexp:/etc/postfix/rcptaccess
      
        check_recipient_access hash:/etc/postfix/rcpt_allow
       
        check_sender_access  regexp:/etc/postfix/senderaccess
        check_client_access  cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022


postscreen_dnsbl_sites = ******
postscreen_dnsbl_threshold = 2

As you can see, my main.cf has a line which contains:

Code:
     check_recipient_access hash:/etc/postfix/rcpt_allow

which comes before the blacklist check.
But in the arrived mail example, you can see that it does check the blacklist even though the recipient (meir@mksoft.co.il)
does NOT exist on my server.

Please advise,
Koby Peleg Hen
 

Stoiko Ivanov

koby said: "Here is the Log from arrived mail example :"

This mail was rejected and did arrive:
Code:
 NOQUEUE: reject: RCPT from [134.73.134.134]:55390: 550 5.7.1 Service unavailable; client [134.73.134.134] blocked using mail.abusix.zone; from=<cross@hardhike.cam>, to=<meir@mksoft.co.il>, proto=ESMTP, helo=<hardhike.cam>
It was rejected during the SMTP dialogue (because 134.73.134.134 was listed on mail.abusix.zone) and there was no need to check the recipient.
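
Added example (not part of the original posts and not Proxmox code): a small Python parser that groups the posted log lines by client IP and reports which Postfix daemon issued the reject. `smtpd_recipient_restrictions` is evaluated by smtpd, so a reject logged by postscreen means that list, including `check_recipient_access`, was never consulted; the function names are made up for this example.

```python
import re
from collections import defaultdict

# The log lines posted in the thread, embedded so the example runs offline.
SAMPLE_LOG = """\
Apr  9 08:21:35 smg-lab01 postfix/postscreen[31763]: CONNECT from [134.73.134.134]:55390 to [95.217.215.74]:25
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.3
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.12
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.2
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31768]: addr 134.73.134.134 listed by domain ***.zen.dq.spamhaus.net as 127.0.0.3
Apr  9 08:21:41 smg-lab01 postfix/postscreen[31763]: DNSBL rank 2 for [134.73.134.134]:55390
Apr  9 08:21:42 smg-lab01 postfix/postscreen[31763]: NOQUEUE: reject: RCPT from [134.73.134.134]:55390: 550 5.7.1 Service unavailable; client [134.73.134.134] blocked using mail.abusix.zone; from=<cross@hardhike.cam>, to=<meir@mksoft.co.il>, proto=ESMTP, helo=<hardhike.cam>
Apr  9 08:21:42 smg-lab01 postfix/postscreen[31763]: DISCONNECT [134.73.134.134]:55390
"""

DAEMON = re.compile(r"postfix/(\w+)\[\d+\]: (.*)$")
LISTED = re.compile(r"addr (\S+) listed by domain (\S+) as ")
RANK = re.compile(r"DNSBL rank (\d+) for \[([^\]]+)\]")
REJECT = re.compile(r"reject: RCPT from \S*?\[([^\]]+)\]\S*: (\d{3}) .*?to=<([^>]*)>")

def trace(log_text):
    """Group dnsblog, postscreen and smtpd events by client IP."""
    clients = defaultdict(lambda: {"zones": set(), "rank": None,
                                   "rejected_by": None, "code": None, "rcpt": None})
    for line in log_text.splitlines():
        m = DAEMON.search(line)
        if not m:
            continue
        daemon, msg = m.groups()
        if daemon == "dnsblog" and (hit := LISTED.search(msg)):
            clients[hit[1]]["zones"].add(hit[2])
        elif daemon == "postscreen" and (hit := RANK.search(msg)):
            clients[hit[2]]["rank"] = int(hit[1])
        elif (hit := REJECT.search(msg)):
            # Record which daemon refused the RCPT command.
            clients[hit[1]].update(rejected_by=daemon, code=hit[2], rcpt=hit[3])
    return dict(clients)

def recipient_restrictions_evaluated(entry):
    """A postscreen reject means the session was never handed to smtpd,
    so smtpd_recipient_restrictions was not evaluated for it."""
    return entry["rejected_by"] != "postscreen"

if __name__ == "__main__":
    for ip, e in trace(SAMPLE_LOG).items():
        print(ip, sorted(e["zones"]), "rank", e["rank"], "rejected by",
              e["rejected_by"], e["code"], "rcpt", e["rcpt"],
              "| recipient checks evaluated:", recipient_restrictions_evaluated(e))
```
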
 
