[TriLUG] Postfix Configuration Question

Aaron S. Joyner aaron at joyner.ws
Tue Oct 19 17:00:52 EDT 2004


Ken Mink wrote:

>Hi Folks,
>   I've been trying to figure this out, but I'm stumped. I've got two
>servers running postfix that handle email for our domain($WORK). One
>is in the dmz and has relay_domain set for our domainname. In the
>transport file, I have an entry for our domainname and the internal
>server to forward it to. This works fine, but I have an issue with it.
>Due to people who have left the company, tons of spam comes in for
>addresses in our domain, but that no longer exist. The server in the
>dmz accepts the messages and forwards them on like it should. The
>internal machine then tries to bounce the message since the user is
>unknown. Since most spam uses a bogus from, the internal machine is
>getting clogged with messages it can't bounce. There are half a dozen
>employees here, but a postqueue -p lists a couple thousand deferred
>messages. What I'd like is for the dmz server to immediately reject
>mail for unknown users. Apart from adding an account for everyone on
>that machine, I don't know how to go about doing that. I've tried
>explicitly putting each account in the transport file, but that just
>added the bouncing to the dmz's deferred queue rather than the
>internal server. Any ideas?
>
>Thanks,
>Ken
>  
>
Yes, use relay recipient maps.  If you don't, ugliness can happen.  I've 
seen queues cross into the 6 digits (100,000+ msgs) due to this problem 
alone, during dictionary attacks.  This of course presumes you're using 
at least Postfix v2.0 (I think).  See the postfix docs(1) for full 
details, but the basic gist of it is this:

# in main.cf
relay_recipient_maps = hash:/path/to/postfix/relay_recipients

# in relay_recipients (one key per line; the right-hand value is ignored)
user1@domain.com Ok
@otherdomain.com Ok

# then compile the hash: table so Postfix can read it
postmap /path/to/postfix/relay_recipients

This will allow only mail to user1@domain.com; user2@domain.com would be 
rejected.  All recipients in otherdomain.com would be considered valid.

As an alternative, if you need to update this on a regular basis, you 
might consider a mysql solution.  This requires that you compile postfix 
with mysql support, and setup a bit more, but investigate the 
mysql:/path/to/postfix/mysql_maps way of doing it if your needs require 
very frequent and / or flexible updates to the users allowed to relay mail.

Enjoy!
Aaron S. Joyner

1. http://www.postfix.org/postconf.5.html#relay_recipient_maps
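The lookup rule Aaron describes (full address first, then the @domain wildcard, otherwise reject at SMTP time) can be checked offline before the map goes live on the DMZ relay. This is an added example, not code from the thread or from Postfix; the map contents and recipient list are constructed for the demo, and it assumes the recipient's domain is already listed in relay_domains, since relay_recipient_maps is only consulted for those domains.

```python
"""Simulate Postfix relay_recipient_maps lookups over a text table.

Postfix tries the full recipient address, then '@domain'; a recipient with
no match is rejected during the SMTP transaction instead of being accepted
and bounced later, which is what keeps the internal queue from filling up.
"""

# Constructed relay_recipients file (what postmap would compile to hash:).
RELAY_RECIPIENTS = """\
# one line per valid mailbox; the right-hand value is ignored by Postfix
user1@domain.com       OK
postmaster@domain.com  OK
# accept every recipient in this domain (validated elsewhere)
@otherdomain.com       OK
"""


def parse_map(text: str) -> dict[str, str]:
    """Parse a Postfix text table: skip blanks and '#' comments, split key
    and value on whitespace, fold keys to lower case as hash: lookups do."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup(table: dict[str, str], recipient: str):
    """Return the key that matched (full address, then @domain) or None."""
    addr = recipient.strip().lower()
    if addr in table:
        return addr
    if "@" in addr:
        domain_key = "@" + addr.rsplit("@", 1)[1]
        if domain_key in table:
            return domain_key
    return None  # no match: Postfix answers 'User unknown in relay recipient table'


def classify(table: dict[str, str], recipients: list[str]):
    """Split recipients into (accepted, rejected) as the DMZ relay would."""
    accepted, rejected = [], []
    for rcpt in recipients:
        (accepted if lookup(table, rcpt) else rejected).append(rcpt)
    return accepted, rejected


if __name__ == "__main__":
    sample = ["user1@domain.com", "User2@domain.com",
              "anyone@otherdomain.com", "ex-employee@domain.com"]
    ok, bad = classify(parse_map(RELAY_RECIPIENTS), sample)
    print("accepted:", ok)
    print("rejected:", bad)
```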


