Postfix Check Order

koby

Renowned Member
Jun 21, 2012
138
4
83
Natanya , Israel
I would like to know if I can set the postfix check order ,
because I need that the "check_recipient_access" will be checked
before all the blacklist ,
why , because if I get mail to unavailable address ,
I do not want to check any further and have a "reject" status

I did set the needed line as follow :
" check_recipient_access hash:/etc/postfix/rcpt_allow"
And also set the map as needed , and it's working fine , but NOT accroding the the order I need.

Please advice
Best regards ,
Koby Peleg Hen
 
The checks on postfix level should be controlled by their order in the postfix main.cf - if you need to change that you need to use the templateing system (and afterwards run `pmgconfig sync` and restart postfix):
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

However:
which blacklist are you referring to? - The rule-system only is reached if postfix does not reject a mail before - so this should not happen if the mail is rejected by postfix

please share some logs and the config
 
Hi all ,


Here is the Log from arrived mail example :
(note : the recipient does not exists on my server)

Code:
Apr  9 08:21:35 smg-lab01 postfix/postscreen[31763]: CONNECT from [134.73.134.134]:55390 to [95.217.215.74]:25
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.3
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.12
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31764]: addr 134.73.134.134 listed by domain ***.combined.mail.abusix.zone as 127.0.0.2
Apr  9 08:21:35 smg-lab01 postfix/dnsblog[31768]: addr 134.73.134.134 listed by domain ***.zen.dq.spamhaus.net as 127.0.0.3
Apr  9 08:21:41 smg-lab01 postfix/postscreen[31763]: DNSBL rank 2 for [134.73.134.134]:55390
Apr  9 08:21:42 smg-lab01 postfix/postscreen[31763]: NOQUEUE: reject: RCPT from [134.73.134.134]:55390: 550 5.7.1 Service unavailable; client [134.73.134.134] blocked using mail.abusix.zone; from=<cross@hardhike.cam>, to=<meir@mksoft.co.il>, proto=ESMTP, helo=<hardhike.cam>
Apr  9 08:21:42 smg-lab01 postfix/postscreen[31763]: DISCONNECT [134.73.134.134]:55390

Here Is the relevant line on main.cf

Code:
postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/postscreen_access

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_recipient
        check_recipient_access  regexp:/etc/postfix/rcptaccess
      
        check_recipient_access hash:/etc/postfix/rcpt_allow
       
        check_sender_access  regexp:/etc/postfix/senderaccess
        check_client_access  cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022


postscreen_dnsbl_sites = ******
postscreen_dnsbl_threshold = 2

As you can see on my main.cf has a line which contain :

Code:
     check_recipient_access hash:/etc/postfix/rcpt_allow

which come before the blacklist check.
But on the mail arrived example , you can see that it does check the blacklist list even that the recipient (meir@mksoft.co.il)
does NOT exists on my server.

Please advise ,
Koby Peleg Hen
 
Here is the Log from arrived mail example :
this mail was rejected and did arrive:
Code:
 NOQUEUE: reject: RCPT from [134.73.134.134]:55390: 550 5.7.1 Service unavailable; client [134.73.134.134] blocked using mail.abusix.zone; from=<cross@hardhike.cam>, to=<meir@mksoft.co.il>, proto=ESMTP, helo=<hardhike.cam>
it was rejected during the smtp-dialogue (because 134.73.134.134 was listed on mail.abusix.zone) and there was no need to check the recipient
 
this mail was rejected and did arrive:
Code:
 NOQUEUE: reject: RCPT from [134.73.134.134]:55390: 550 5.7.1 Service unavailable; client [134.73.134.134] blocked using mail.abusix.zone; from=<cross@hardhike.cam>, to=<meir@mksoft.co.il>, proto=ESMTP, helo=<hardhike.cam>
it was rejected during the smtp-dialogue (because 134.73.134.134 was listed on mail.abusix.zone) and there was no need to check the recipient
 
Hello all ,
Does anyone have any idea how can I reject mail because of wrong address before
smtp-dialogue accors (before BackList check)

Best Regrads ,
Koby Peleg Hen
 
Hello all ,
Does anyone have any idea how can I reject mail because of wrong address before
smtp-dialogue accors (before BackList check)
Why would you want to reject a mail, before it gets rejected anyways?
(the RBL-checks in postscreen are rather early in PMG's configuration)

You can adapt the postfix config (e.g. `postscreen_access_list`)

I hope this helps!
 
Because I pay by the query.
Yesterday I had 220K !!! of junk and none of them is sending to any of my client right address.
This is why.

Best Regards ,
Koby Peleg Hen
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!