We run a small postfix (and dovecot) mail server for a number of hosted domains, using virtual alias maps and with spamassassin configured.
Recently it's become apparent that we're generating some backscatter; spam emails are coming into non-existant email addresses and they are being bounced back to the forged sender. This is obviously a problem in terms of reputation for our mail server and also means we're spamming on behalf of the spammers.
What I want to do then is change the postfix behaviour so that, instead of generating a bounce email form MAILER-DAEMON the mail is rejected during the SMTP transaction.
I've tried adding local_recipient_maps (http://www.postfix.org/LOCAL_RECIPIENT_README.html), but this made no difference. I think this is because I'm using virtual_alias_maps (and other virtual mailbox solutions don't seem to apply here either).
postconf -n generates:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = verrotech.com
myhostname = mail.verrotech.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.com/privkey.pem
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
Thank you.
After some research, your question made me realize that I had the same problem in my mail server, so first of all, thanx.
Second, you should note that, by default, postfix blocks this kind of traffic. In the manual smtpd_reject_unlisted_recipient:
So, why are you getting
250 OK
for unknown destination mails? Because of these lines:The
smtpd_reject_unlisted_recipient
checks destination mails but very specifically:As your
mydestination
does not include your$mydomain
(only the servername and localhost) and you do not have any*_domains
in place, there are no other checks for "known" destinations.You only need to add:
an reload postfix. (If I'm getting your config right and all your mail are in the form "[email protected]")
If that does not work, you might try this:
NOTE: it will check via
RCPT TO
command if the destination trully exists for both incoming and outgoing messages. Use with caution since it makes an extra connection for each new destination and will take some time to respond to every mail your server processes (It can take a few seconds to test each destination).This answer isn't exactly what you asked for, but this is how I solved that problem for my own use cases.
Discarding Bounces:
In /etc/postfix/main.cfg, I have:
In /etc/postfix/aliases, I have:
Then I run:
The end result is that bounces go to /dev/null. It may not catch all of them, so YMMV. Please let me know if this works for you.