7

I need to block an external email address in postfix from sending me emails. This is an external email address of a third party domain name that I'm not controlling.

The reason why I need to block it is because they have something misconfigured and I'm getting a message saying "Warning, your message has not being delivered yet", every second or so. I already contacted their tech support, but they are taking a long time to fix it and in the meantime, my server and my users are suffering.

I tried doing this. In my mail.cf I added:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit

and in /etc/postfix/sender_access I added:

[email protected] REJECT

I ran

postmap hash:sender_access

and restarted Postfix, but it seemed to have no effect.

I also tried:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access

in the main.cf, which fails with this error:

postfix/smtpd[2144]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

Trying:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit

gave me the same error.

7
  • you need to block the address you are trying to send to or receive from? Sorry, a little bit not clear. Commented Aug 27, 2013 at 15:39
  • @DanilaLadner it's an external email address, a sender that is not me. Commented Aug 27, 2013 at 15:42
  • Right, so that external email is sending you emails you want to block for your users? Commented Aug 27, 2013 at 15:51
  • 5
    In my experience the smtpd_sender_restrictions only affects mail based on return path, not MAIL FROM header as it says in the docs. Not sure if this is a bug or what. I tried spoofing an email to my server that should have been rejected by setting from in the header and it had no effect. When I added the -f flag to sendmail to specify return path it successfully rejected my email. Commented Mar 4, 2015 at 17:43
  • 1
    @billynoah how correct you are. Took me several hours to figure this out. Put simply, smtpd_sender_restrictions will only block mail based on its Return-Path header NOT its From header. So if your smtpd_sender_restrictions hash:/etc/postfix/block contains [email protected] REJECT mail with From: [email protected] will NOT be rejected; rather, only mail with Return-Path: [email protected] will be blocked (!!) Arrrrgh.
    – user7835
    Commented May 5, 2016 at 18:32

2 Answers

4

As mentioned by Laurentio Roescu, the smtpd_sender_restrictions should work. Only I do not think that was what was intended. The sender is the person sending emails from your server. Not the sender from the other side.

So you indeed wanted to use the smtpd_recipient_restrictions = check_sender_access ..., but as mentioned in the documentation, this is overridden by smtpd_relay_restrictions if you use it.

http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Optional restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command, after smtpd_relay_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

With Postfix versions before 2.10, the rules for relay permission and spam blocking were combined under smtpd_recipient_restrictions, resulting in error-prone configuration. As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.

For backwards compatibility, sites that migrate from Postfix versions before 2.10 can set smtpd_relay_restrictions to the empty value, and use smtpd_recipient_restrictions exactly as before.

So instead you would do:

smtpd_relay_restrictions = ...
    ...
    check_sender_access hash:/etc/postfix/sender_access
    ...

That way it should be taken into account as expected. (The ... represent other options, be sure to place this check at the right location in the list.)

3
  • I have Postfix 3.3 running and wondered why this does not work...
    – busythomas
    Commented Aug 12, 2020 at 7:30
  • @busythomas On my end I also have check_recipient_access hash:/etc/postfix/bad_recipients and the bad_recipients file includes email addresses with REJECT. One place where I had a problem was a website that would send emails and those were accepted... so I added a test in my website code to verify the email against those in bad_recipients because in that case it would not be received from those people! Commented Aug 12, 2020 at 20:18
  • 1
    ooops, found it, I misread the "check_sender_access" part where I had "check_client_access", and after I added check_sender_access above the check_client_access, your suggestion worked for me. Thank you!
    – busythomas
    Commented Aug 13, 2020 at 1:46
3

check_sender_access should be after reject_unauth_destination or you could become an open relay.

smtpd_recipient_restrictions = reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access

See: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipient_restrictions parameter must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:

reject, reject_unauth_destination

defer, defer_if_permit, defer_unauth_destination

On the other hand using smtpd_sender_restrictions should work, so you probably have something else before it which accepts the email.
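The two behaviours discussed on this page, as an added example (not code from the answers or from Postfix itself): a simplified Python model showing that check_sender_access is looked up by the SMTP envelope sender, which delivery records as Return-Path, rather than by the From: header, and that an earlier permit in the same list ends evaluation before the check runs. The sample message, addresses and function names are constructed for illustration; the model also covers the empty envelope sender and leaves out parent-domain matching.

```python
# Simplified model of check_sender_access (illustration, not Postfix code).
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message as stored after delivery: the delivery agent
# records the SMTP envelope sender (MAIL FROM) in Return-Path.
SAMPLE = (
    "Return-Path: <bounces@mailer.example.net>\n"
    "From: Support <support@example.org>\n"
    "To: user@example.com\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def senders(raw):
    """Return (envelope_sender, header_from) for a delivered message."""
    msg = message_from_string(raw)
    envelope = (msg.get("Return-Path") or "").strip().strip("<>").lower()
    header = parseaddr(msg.get("From") or "")[1].lower()
    return envelope, header

def lookup_keys(envelope):
    """Keys tried against the table: user@domain, domain, user@ (access(5)).
    Parent-domain matching is left out of this model."""
    if not envelope:
        return ["<>"]  # null sender; default smtpd_null_access_lookup_key
    local, _, domain = envelope.rpartition("@")
    return [envelope, domain, local + "@"]

def evaluate(restrictions, envelope, table):
    """Walk a restriction list left to right; the first decision wins."""
    for item in restrictions:
        if item == "permit":
            return "PERMIT"
        if item == "check_sender_access":
            for key in lookup_keys(envelope):
                if key in table:
                    return table[key]
    return "PERMIT"  # nothing in the list objected

def decide(raw, restrictions, table):
    """Decision for a delivered message, keyed on its envelope sender only."""
    envelope, _header = senders(raw)
    return evaluate(restrictions, envelope, table)
```

To find the address that belongs in sender_access, read the Return-Path of a delivered copy or the from=<...> field in the Postfix log, not the From: header shown in the mail client.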
