wiki:PostfixRecipientVerification

I've just discovered that Postfix has a wonderful feature called Address Verification, which lets a Postfix process hold the incoming connection open while it probes to see whether a recipient is valid. It also keeps a cache of these results to speed up future queries.

For small setups, this makes it extremely simple to add a dedicated Maia box in front of your own gateway mail server. Use it to screen incoming mail and to reject dictionary attacks, and then use IMAP or POP3 to verify credentials to log into Maia. It's easy!

Larger installations that need a lot of domains, or sites whose domains change, may find this inadequate, and I would suggest setting up SQL or LDAP in that case.

Set up recipient verification for your local domain like this:

main.cf:

smtpd_recipient_restrictions =  check_recipient_access hash:/etc/postfix/verify_recipient,
                                permit_mynetworks,
                                reject_unauth_destination,

/etc/postfix/verify_recipient:

domain1.tld reject_unverified_recipient
domain2.tld reject_unverified_recipient

and then run

postmap /etc/postfix/verify_recipient

Also, set up your domains in relay_domains, and optionally the server to deliver to in transport. Be sure to firewall off your old mail server so that spammers can't bypass Maia!
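A relayed domain that is missing from /etc/postfix/verify_recipient is still accepted for any recipient, so it is worth checking the two lists against each other. The script below is an added example, not part of the original page; the function names are hypothetical, and it assumes relay_domains lists plain domain names rather than lookup tables.

```shell
#!/bin/sh
# Added example: report relay domains that have no
# "reject_unverified_recipient" entry in the access table.

# missing_verify ACCESS_FILE DOMAIN...
# Prints every DOMAIN without a reject_unverified_recipient line.
missing_verify() {
    access_file=$1; shift
    for domain in "$@"; do
        # Compare keys and actions case-insensitively; skip comment lines.
        if ! awk -v d="$domain" '
            /^[[:space:]]*#/ { next }
            tolower($1) == tolower(d) &&
                tolower($2) == "reject_unverified_recipient" { found = 1 }
            END { exit !found }' "$access_file"; then
            printf '%s\n' "$domain"
        fi
    done
}

# relay_domain_list: plain domain names from the running configuration.
# Assumption: entries containing ':' (lookup tables) or '$' (unexpanded
# variables) are skipped and have to be reviewed by hand.
relay_domain_list() {
    postconf -h relay_domains | tr ',\t ' '\n\n\n' | grep -v -e '[:$]' -e '^$'
}

# demo: run the check against a constructed sample access table.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, not a real configuration
domain1.tld reject_unverified_recipient
Domain2.TLD reject_unverified_recipient
domain3.tld OK
EOF
    missing_verify "$tmp" domain1.tld domain2.tld domain3.tld domain4.tld
    rm -f "$tmp"
}

# Live use on the Maia box (not run here):
#   missing_verify /etc/postfix/verify_recipient $(relay_domain_list)
demo
```

Any domain the live check prints should either be added to the access table and re-hashed with postmap, or removed from relay_domains.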

NOTE: This is recipient address verification, not to be confused with sender address verification (SAV), which is a far more controversial technique. Using SAV can get your host blacklisted, as it is considered by many to be a form of network abuse, and can make your site an unwitting participant in distributed denial-of-service attacks. Stay away from SAV!



Last modified on May 8, 2008, 1:41:35 PM