use reject_unverified_recipient with lmtp

Author: jnorell

install/dist/lib/fedora.lib.php

@@ -105,6 +105,9 @@ function configure_postfix($options = '')
 		//* mysql-virtual_uids.cf
 		$this->process_postfix_config('mysql-virtual_uids.cf');
 
+		//* mysql-virtual_alias_domains.cf
+		$this->process_postfix_config('mysql-verify_recipients.cf');
+
 		//* postfix-dkim
 		$filename='tag_as_originating.re';
 		$full_file_name=$config_dir.'/'.$filename;

install/dist/lib/opensuse.lib.php

@@ -102,6 +102,9 @@ function configure_postfix($options = '')
 		//* mysql-virtual_uids.cf
 		$this->process_postfix_config('mysql-virtual_uids.cf');
 
+		//* mysql-virtual_alias_domains.cf
+		$this->process_postfix_config('mysql-verify_recipients.cf');
+
 		//* postfix-dkim
 		$filename='tag_as_originating.re';
 		$full_file_name=$config_dir.'/'.$filename;

install/lib/installer_base.lib.php

@@ -1002,6 +1002,9 @@ public function configure_postfix($options = '') {
 		//* mysql-virtual_uids.cf
 		$this->process_postfix_config('mysql-virtual_uids.cf');
 
+		//* mysql-virtual_alias_domains.cf
+		$this->process_postfix_config('mysql-verify_recipients.cf');
+
 		// test if lmtp if available
 		$configure_lmtp = $this->get_postfix_service('lmtp','unix');
 
@@ -1340,6 +1343,8 @@ public function configure_dovecot() {
 		}
 
 		$config_dir = $conf['postfix']['config_dir'];
+		$postfix_version = `postconf -d mail_version 2>/dev/null`;
+		$postfix_version = preg_replace( '/mail_version\s*=\s*(.*)\s*/', '$1', $postfix_version );
 
 		//* Configure master.cf and add a line for deliver
 		if(!$this->get_postfix_service('dovecot', 'unix')) {
@@ -1351,7 +1356,7 @@ public function configure_dovecot() {
 				chmod($config_dir.'/master.cf~2', 0400);
 			}
 			//* Configure master.cf and add a line for deliver
-			$content = rf($conf["postfix"]["config_dir"].'/master.cf');
+			$content = rf($config_dir.'/master.cf');
 			$deliver_content = 'dovecot   unix  -       n       n       -       -       pipe'."\n".'  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}'."\n";
 			af($config_dir.'/master.cf', $deliver_content);
 			unset($content);
@@ -1368,7 +1373,31 @@ public function configure_dovecot() {
 		);
 
 		// Make a backup copy of the main.cf file
-		copy($conf['postfix']['config_dir'].'/main.cf', $conf['postfix']['config_dir'].'/main.cf~3');
+		copy($config_dir.'/main.cf', $config_dir.'/main.cf~3');
+
+		$options = explode(",", exec("postconf -h smtpd_recipient_restrictions"));
+		$new_options = array();
+		foreach ($options as $value) {
+			if (($value = trim($value)) == '') continue;
+			if (preg_match("|check_recipient_access\s+proxy:mysql:${config_dir}/mysql-verify_recipients.cf|", $value)) {
+				continue;
+			}
+			$new_options[] = $value;
+		}
+		if ($configure_lmtp) {
+			for ($i = 0; isset($new_options[$i]); $i++) {
+				if ($new_options[$i] == 'reject_unlisted_recipient') {
+					array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${config_dir}/mysql-verify_recipients.cf"));
+					break;
+				}
+			}
+			# postfix < 3.3 needs this when using reject_unverified_recipient:
+			if(version_compare($postfix_version, 3.3, '<')) {
+				$postconf_commands[] = "enable_original_recipient = yes";
+			}
+		}
+		#exec("postconf -e 'smtpd_recipient_restrictions = ".implode(", ", $new_options)."'");
+		$postconf_commands[] = "smtpd_recipient_restrictions = ".implode(", ", $new_options);
 
 		// Executing the postconf commands
 		foreach($postconf_commands as $cmd) {
@@ -1608,12 +1637,15 @@ public function configure_rspamd() {
 
 			exec("postconf -e 'smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, permit_mynetworks, permit_sasl_authenticated'");
 
+
+			$options = explode(",", exec("postconf -h smtpd_recipient_restrictions"));
 			$new_options = array();
-			$options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions"));
 			foreach ($options as $value) {
-				if (!preg_match('/check_policy_service\s+inet:127.0.0.1:10023/', $value)) {
-					$new_options[] = $value;
+				if (($value = trim($value)) == '') continue;
+				if (preg_match('/check_policy_service\s+inet:127.0.0.1:10023/', $value)) {
+					continue;
 				}
+				$new_options[] = $value;
 			}
 			exec("postconf -e 'smtpd_recipient_restrictions = ".implode(", ", $new_options)."'");
 

install/tpl/debian_postfix.conf.master

@@ -15,7 +15,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023 
-smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
+smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -24,7 +24,7 @@ transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{conf
 relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
 relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
-proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
+proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
@@ -44,3 +44,5 @@ smtpd_tls_protocols = !SSLv2,!SSLv3
 smtp_tls_protocols = !SSLv2,!SSLv3
 smtpd_tls_exclude_ciphers = RC4, aNULL
 smtp_tls_exclude_ciphers = RC4, aNULL
+# needed for postfix < 3.3 when using reject_unverified_recipient (lmtp):
+enable_original_recipient = yes

install/tpl/fedora_postfix.conf.master

@@ -11,7 +11,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
+smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -20,7 +20,7 @@ transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{conf
 relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
 relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
-proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
+proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
@@ -40,3 +40,5 @@ smtpd_tls_protocols = !SSLv2,!SSLv3
 smtp_tls_protocols = !SSLv2,!SSLv3
 smtpd_tls_exclude_ciphers = RC4, aNULL
 smtp_tls_exclude_ciphers = RC4, aNULL
+# needed for postfix < 3.3 when using reject_unverified_recipient (lmtp):
+enable_original_recipient = yes

install/tpl/gentoo_postfix.conf.master

@@ -10,7 +10,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
+smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -19,7 +19,7 @@ transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{conf
 relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
 relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
-proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
+proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
@@ -39,3 +39,5 @@ smtpd_tls_protocols = !SSLv2,!SSLv3
 smtp_tls_protocols = !SSLv2,!SSLv3
 smtpd_tls_exclude_ciphers = RC4, aNULL
 smtp_tls_exclude_ciphers = RC4, aNULL
+# needed for postfix < 3.3 when using reject_unverified_recipient (lmtp):
+enable_original_recipient = yes

install/tpl/mysql-verify_recipients.cf.master

@@ -0,0 +1,5 @@
+user = {mysql_server_ispconfig_user}
+password = {mysql_server_ispconfig_password}
+dbname = {mysql_server_database}
+hosts = {mysql_server_ip}
+query = SELECT 'reject_unverified_recipient' FROM mail_domain WHERE domain = '%s' AND active = 'y' AND server_id = {server_id}

install/tpl/opensuse_postfix.conf.master

@@ -13,7 +13,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
+smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -22,7 +22,7 @@ transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{conf
 relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
 relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
-proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
+proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
@@ -42,3 +42,5 @@ smtpd_tls_protocols = !SSLv2,!SSLv3
 smtp_tls_protocols = !SSLv2,!SSLv3
 smtpd_tls_exclude_ciphers = RC4, aNULL
 smtp_tls_exclude_ciphers = RC4, aNULL
+# needed for postfix < 3.3 when using reject_unverified_recipient (lmtp):
+enable_original_recipient = yes