Testing postfix restrictions

The postfix mail delivery system allows one or more restrictions to be placed on incoming messages. These restrictions allow you to block messages when clients don’t use the SMTP handshake as outlined in RFC 821 during delivery, if the name supplied in the HELO is not fully qualified or fails to resolve, or if the connecting host resides on one or more blacklists. Several restrictions come enabled by default, but others need to be manually enabled by adding additional directives to the smtpd_helo_restrictions, smtpd_sender_restrictions and smtpd_recipient_restrictions variables. Since new restrictions can have unexpected results (e.g., lost E-mail), it is beneficial to test these rules prior to enforcing them.

The soft_bounce directive is one way to test out new rules. When soft_bounce is set in the main.cf, a message that would be blocked by a restriction is rejected with a soft reject error code (typically something in the 4XX range). The soft reject will force the sending host to queue the message, and attempt redelivery at a later date. Each time a soft bounce occurs, postfix will log a message to the logging facility. Since the server that sent the message will attempt to redeliver the message at a later date, you can tweak the configuration prior to the next delivery attempt if you want to accept mail from the host that matched the restriction. This method does have one major drawback. Numerous MTAs on the Internet use low TTLs on messages in their mail queues, so using soft bounces can result in messages getting returned to the sender if the restriction isn’t adjusted in a timely manner.

An alternative method to soft bounces is the warn_if_reject qualifier. Instead of soft bouncing the message if the sender matches a restriction, the warn_if_reject qualifier will cause postfix to deliver the message, and log a warning when a message matches a restriction. This ensures that mail is delivered if the restriction has an unknown side effect, and allows the mail admin to test restrictions in a non-intrusive way. Warn_if_reject can be applied to all of the postfix restrictions ( I have yet to find a restriction that warn_if_reject doesn’t apply to, but there may be some), and is set by prepending the string “warn_if_reject” to the restriction:

smtpd_helo_restrictions         = permit_mynetworks,
                                  warn_if_reject reject_invalid_hostname,
                                  warn_if_reject reject_unknown_hostname

To get a daily report with messages that matched the restriction, you can use the awesome pflogsum Perl script. Using warn_if_reject has saved me a fair amount of grief, and is a great way to make sure a restriction does what you want it to.

1 thought on “Testing postfix restrictions”

Leave a Reply

Your email address will not be published. Required fields are marked *