Postfix SMTP recipient filter not filtering

blacklist postfix smtp

I have set up Postfix with a list of blacklisted recipients, so that the Postfix server should not relay mail to them (smtpd_recipient_access parameter in main.cf).

The addresses are properly listed in a file with a REJECT at the end of each line. I did the standard step to create the database hash (postmap hash:/etc/postfix/recipient_access).

I can test that the mails get rejected by using for example:

postmap -q blacklisted_addr@example.com hash:/etc/postfix/recipient_access

And I get the reply: REJECT as expected.

All addresses in the blacklist file are non-local, i.e. they aren't covered by the "mydestinations" variable.

However, using Thunderbird to send the mail via that Postfix SMTP server simply sends the mail to blacklisted addresses with no reject. I would guess some other relay config I have might get this mail relayed despite my blacklist match, but cannot find the problem.

Config parameters which I believe would be relevant are:

mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap/relay_domains.cf
relayhost =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no

If other parameters could be relevant, I can post the entire config.

Best Answer

Restrictions specified in restriction lists such as smtpd_helo_restrictions, smtpd_recipient_restrictions etc. are applied in the order as specified; the first restriction that matches wins.

Since your smtpd_recipient_restrictions has permit_sasl_authenticated as the first condition and check_recipient_access somewhere down the road, any authenticated client is allowed and not checked against the latter.

You may also want to read http://www.postfix.org/SMTPD_ACCESS_README.html
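The first-match behaviour described in the answer, as an added example that is not part of the original question or answer. It is a simplified model, not Postfix code: the restriction list is abridged from the question, lookups are exact-match only, and `evaluate`, `relay_ok` and the prepended ordering are assumptions made for illustration.

```python
# Simplified model of first-match-wins evaluation of a restriction list.
# Only the restrictions handled in evaluate() can decide; every other
# restriction is treated as "no decision" (an assumption of this model).
TABLE = "hash:/etc/postfix/recipient_access"
TABLES = {TABLE: {"blacklisted_addr@example.com": "REJECT"}}

# Abridged from the question: the permit comes before the access check.
QUESTION_LIST = (
    "permit_sasl_authenticated, reject_unknown_sender_domain, "
    "reject_unlisted_recipient, check_recipient_access " + TABLE + ", "
    "check_policy_service inet:127.0.0.1:7777, permit_mynetworks, "
    "permit_sasl_authenticated, reject_unauth_destination"
)
# One possible reordering (assumption): run the access check first.
REORDERED_LIST = "check_recipient_access " + TABLE + ", " + QUESTION_LIST


def split_restrictions(value):
    """Split a main.cf restriction list into (name, argument) pairs."""
    tokens = value.replace(",", " ").split()
    rules, i = [], 0
    while i < len(tokens):
        # check_* restrictions take one argument (lookup table or service).
        takes_arg = tokens[i].startswith("check_") and i + 1 < len(tokens)
        rules.append((tokens[i], tokens[i + 1] if takes_arg else None))
        i += 2 if takes_arg else 1
    return rules


def evaluate(value, recipient, sasl_authenticated=False,
             in_mynetworks=False, relay_ok=False):
    """Return (action, deciding_restriction) for one RCPT TO command."""
    for name, arg in split_restrictions(value):
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT", name
        if name == "permit_mynetworks" and in_mynetworks:
            return "PERMIT", name
        if name == "check_recipient_access":
            action = TABLES.get(arg, {}).get(recipient)
            if action == "REJECT":
                return "REJECT", name
            if action == "OK":
                return "PERMIT", name
        if name == "reject_unauth_destination" and not relay_ok:
            return "REJECT", name
    return "PERMIT", "(end of list)"
```

With the question's ordering an authenticated client is permitted before the table is consulted; with the check first, the same client is rejected for the listed recipient and still permitted for others.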
