Note: I originally posted this question in Unix/Linux StackExchange, but after a week, there have been no responses. I see more postfix-related discussion here, and so I've voted to close the StackExchange version of my question, and I've moved my question here.
I'm running postfix version 2.93 under Debian 8, and I'm trying to accomplish something unusual.
I have been using a home-grown milter for years which is working well. It runs various tests at each stage of the SMTP dialog: ehlo, mail from, rcpt to, etc.
I have configured postfix to do its standard checking for "User unknown in virtual mailbox table", and that is also working as it's supposed to.
However ...
In certain rare cases, I'd like to intercept the incoming message during the rcpt to stage, before postfix determines "User unknown in virtual mailbox table", and if these messages come from a small group of certain select senders and are addressed to a small group of specific unknown recipient names, I want to process them differently than normal via that milter step.
There is enough information available during the rcpt to milter step in order to perform this special processing, but unfortunately, the "User unknown in virtual mailbox table" postfix processing already rejects messages to unknown users before the rcpt to milter step is invoked, and therefore that milter step never gets performed.
Is there a way to configure postfix to only reject messages with "User unknown in virtual mailbox table" if the sender name does not match certain special patterns?
If so, postfix could continue to automatically reject messages to most unknown users, and it could then pass only those rare, special messages on to the milter for them to be handled during the rcpt to step.
I know that I could completely disable the postfix unknown recipient tests and then manage this myself during my rcpt to milter step for all incoming messages. However, if possible, I'd like to avoid this and somehow tell postfix to conditionally reject most messages to unknown users and to only pass a small subset of those incoming messages from special senders on to the milter processing.
I'm not optimistic about this even being possible under postfix, but perhaps one or more of you know of a way that I could accomplish this unusual task.
Thank you very much for any thoughts and suggestions.
The right-hand side of a check_sender_access lookup in a smtpd_*_restrictions list can in turn contain named conditional restrictions (documented in the RESTRICTION_CLASS_README file). This means if the criteria for rejecting messages to unknown recipients is solely‡ dependent on the rfc5321.MailFrom ("envelope sender"), then moving the reject_unverified_recipient statement from the smtpd_*_restrictions list itself into a sender-dependent lookup should do the trick:
For each listed sender (or any other single check_*_access condition), this skips the "Does this recipient exist?" check, and for all other senders, it will enforce that check.
Now, this whole exercise pretty much only makes sense if you are later unconditionally rejecting any messages receiving this special treatment, because what is postfix going to do with messages when it should have already checked earlier that it won't be able to deliver them? You should never emit non-delivery reports in cases where SMTP-stage rejections would have been possible. If your milter only needs the message headers (as your use case of investigating abuse suggests), you may be able to guarantee this by adding the unconditional restriction also in the smtpd_end_of_data_restrictions list (expect minor performance implications in case this 2nd lookup races with the address verification process).
‡ If not, you can implement the decision of whether the special case is applicable in a check_policy_service, which lets you make more complex decisions than a simple (or regex) lookup on the sender, e.g. you could parse the rfc5322.From (headers indicating sender) there. The only difference is that instead of writing two lines of the no-recipient-lookups.pcre file, you have to write/adapt and run a policy daemon that returns the reject_unverified_recipient result, analogous to how your Milter currently returns SMTP status codes.