We have Postfix set up as a gateway to filter and relay mail to our Exchange server. Without setting up LDAP, is there a way for me to define a list of valid addresses so Postfix can reject everything that is to our domain, but not to a valid user or alias?
i.e., I want to specify a list of valid emails. If RCPT TO is to anything other than these emails, reject it. I plan on using fail2ban to firewall off these IPs for an hour as punishment for a directory harvest attack attempt.
This ended up being remarkably simple.
In a nutshell:
Specifically: In Exchange EMS, run this command:
If your email list is huge, then you might want to be a little less forgiving with this command and get yourself a CSV file. This worked for me because we only had around 50, and it was easy to pare this down using Sublime Text and regular expressions.
Using this list, I removed everything from the list except the SMTP addresses, leaving one per line.
Next, in Sublime, I added "OK" to each line after the address. Example:
Then, I copied this to the Postfix server as /etc/postfix/access-inbound
Then, I ran the following command:
This creates access-inbound.db in the directory it is run. (Note above! I did this in /etc/postfix).
Now, all that's left is to tell Postfix to verify senders using this file. I did this in smtpd_recipient_restrictions. Note, the directive below has a lot of stuff in there. I left the other configs in there for context. First, this config compares the sender to a whitelist, and then executes a deliver action for that whitelisted sender. Then, it does all the other checks.
Finally, at the bottom, you see:
This tells postfix: "If the recipient is in this list, accept the mail". (Actually, it says: "if the recipient is in this list, do what the list says". But, in this case, all our valid emails have an "OK" response, so the former is easier to think about for n00b searchers.)
Finally, at the bottom, you see reject. This means: "If you have gotten to the bottom of all these checks, and NONE of the checks above gave you an "OK" to accept the mail, reject it."
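An added example, not part of the original answer: a shell function that does the paring-down step described above (done there by hand in Sublime Text), turning a raw address export into the `address OK` lines for /etc/postfix/access-inbound. The names `build_access_map` and `sample_export` and the sample export are constructed for illustration; it assumes the export marks addresses with an `smtp:` prefix and uses example.com as a stand-in domain.

```shell
#!/bin/sh
# Build "address OK" lines for a Postfix access table from a raw export.
# Assumption: addresses appear as SMTP:user@domain (primary) or
# smtp:user@domain (alias); anything else (X500, SIP, ...) is ignored.

build_access_map() {
    # $1 = the domain this gateway accepts mail for; export text on stdin
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    grep -oiE 'smtp:[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' |
        sed 's/^[Ss][Mm][Tt][Pp]://' |   # drop the smtp: prefix
        tr 'A-Z' 'a-z' |                 # lowercase keys, so case variants collapse
        awk -v d="@$domain" '
            # keep only recipients in our own domain, so the list never
            # whitelists an internal-only or foreign address
            length($0) > length(d) &&
            substr($0, length($0) - length(d) + 1) == d' |
        LC_ALL=C sort -u |               # one line per unique address
        sed 's/$/ OK/'                   # the action for every listed recipient
}

# Constructed sample of an export; real output will differ in layout.
sample_export() {
    cat <<'EOF'
Name           : Alice Example
EmailAddresses : {SMTP:Alice@example.com, smtp:a.example@example.com, X500:/o=Org/cn=alice}
Name           : Sales
EmailAddresses : {SMTP:sales@example.com, smtp:sales@example.local, SIP:sales@example.com}
Name           : Alice (second object)
EmailAddresses : {smtp:alice@EXAMPLE.com}
EOF
}

# Print the table for the sample; on the gateway, redirect the output to
# /etc/postfix/access-inbound and rebuild the .db file as described above.
sample_export | build_access_map example.com
```

Review the generated list before installing it: any address missing from it will be rejected once the final reject is in place.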