Blacklist email address at postscreen level for inbound mail

zx1100e1

I have several email addresses for my domain which are effectively burned. They get nothing but spam. These emails have already been defined in rspamd, but I’d like any mail to them to be blocked before it even reaches rspamd. That is, blocked at postscreen level.

ie
email1@domain.com
email2@domain.com
email3@domain.com

etc.

Any inbound email for these should just be out right rejected at smtp level. How do I implement this?

Thank you

esackbauer

Delete the mailbox, or the alias?

zx1100e1

esackbauer The mailbox doesn’t exist to begin with. Most email goes into the catchall.

esackbauer

Why catchall?

zx1100e1

Any entity requesting an email receives unique email address. ie; mailcow@domain.com, costco@domain.com, bankabc123@domain.com, etc.

Keeps things tidy and can easily tell when my email addr is being abused. I’ve used this strategy for years now. In the case of the above issue, it’s an email addr I provided a dealer when purchasing a car.

esackbauer

zx1100e1
I see a lot of “invented” mail addresses coming to my domains, which all are rejected during SMTP session.
I would go crazy with catchall.

zx1100e1 it’s an email addr I provided a dealer when purchasing a car

For these kind of things mailcow offers temporary mail addresses. That is a much smarter way…

zx1100e1

Not necessarily smarter. Temp addresses are just that, temp. I need these addresses to last indefinitely. This system (catchall) has been working well for years.

I’m fairly confident it’s possible to create a blacklist of addresses for postfix, just need to figure out where to implement it in the config section.

zx1100e1

Problem solved using a postscreen directive.

I loosely followed the instructions from this post - https://serverfault.com/questions/919458/postfix-reject-incoming-mail-for-certain-recipients

In ./data/conf/postfix create or edit extra.cf. I added the following directive which already exists in main.cf. It’s my understanding for a proper override, the entirety of the directive has to be added. The last line (check_recipient_access) is new.

smtpd_recipient_restrictions = check_recipient_mx_access proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
  permit_sasl_authenticated,
  permit_mynetworks,
  check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
  reject_invalid_helo_hostname,
  reject_unauth_destination,
  check_recipient_access hash:/opt/postfix/conf/recipient_access

In ./data/conf/postfix create text file recipient_access. Contents looks like this. These are the blacklisted email addresses I wanted rejected at smtp level.

blockedemail1@domain.com 550 The email account that you tried to reach does not exist.
blockedemail2@domain.com 550 The email account that you tried to reach does not exist.
blockedemail3@domain.com 550 The email account that you tried to reach does not exist.
.
.
email@domain.com 550 The email account that you tried to reach does not exist.

Log in to postfix - docker exec -it mailcowdockerized-postfix-mailcow-1 bash, change to the /opt/postfix/conf folder and run postmap ./recipient_access

Exit and restart postfix docker compose restart postfix-mailcow

The following postfix log entry appears for email received for the blacklisted addresses.

NOQUEUE: reject: RCPT from sonic303-1.consmr.mail.bf2.yahoo.com[74.6.131.40]: 550 5.7.1 <email@domain.com>: Recipient address rejected: The email account that you tried to reach does not exist.; from=<sender@aol.com> to=<email@domain.com> proto=ESMTP helo=<sonic303-1.consmr.mail.bf2.yahoo.com>