14

How could I block outgoing mail to a specific address using Postfix?

I've partially managed to block outgoing e-mail using header_checks. However, header_checks doesn’t cover BCC.

I also tested this solution: http://www.linuxmail.info/postfix-restrict-sender-recipient/ but it didn’t work.

Maikel

4 Answers

13

To block anyone (local (mail/sendmail command) system users and SMTP users) from sending to an email address, you cannot rely on smtpd_recipient_restrictions. You need to place the restriction into the qmgr phase. For this I've found that transport_maps works well.

main.cf:

    transport_maps = pcre:/etc/postfix/transport_maps

transport_maps:

    # The trailing $ keeps longer domains such as host.com.au from matching
    /^user(\+[^@]+)?@host\.com$/ discard:
    /.*/ :

Maybe there is a better solution but this one appears to work for all delivery types. FYI, that regex supports user@host.com and user+anything@host.com assuming a + delimiter. It prevents To, CC and BCC.

Also make sure your Postfix has pcre support enabled. On Debian-based (Ubuntu, etc.) operating systems that is provided by the postfix-pcre package.

Matthew Lenz
The `?` in `\+?` makes the `+` optional... The next stuff, `[^@]+` will match any non `@` characters... (optionally due to the final `?`). This means that useranything@host.com will also match... To avoid that, get rid of the `?` after the `\+` – Gert van den Berg Jun 27 '18 at 13:29
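An added example, not part of the answer or comment above and not Postfix code: a small Python model of first-match lookup in a pcre transport table, comparing the rule with an optional `\+`, with a mandatory `\+`, and with a mandatory `\+` plus a trailing `$`. Python's `re` stands in for PCRE, and the three tables and the test addresses are constructed for illustration.

```python
import re

# Constructed tables: the same rule with an optional "+", a mandatory "+",
# and a mandatory "+" plus a trailing "$".
LOOSE = r"""
/^user(\+?[^@]+)?@host\.com/ discard:
/.*/ :
"""
UNANCHORED = r"""
/^user(\+[^@]+)?@host\.com/ discard:
/.*/ :
"""
ANCHORED = r"""
/^user(\+[^@]+)?@host\.com$/ discard:
/.*/ :
"""
# Constructed recipient addresses.
ADDRESSES = ["user@host.com", "user+lists@host.com", "USER@HOST.COM",
             "useranything@host.com", "user@host.com.au", "other@host.com"]

def parse_table(text):
    """Parse '/pattern/ result' lines (no flags, no if/endif blocks)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S.*)$", line)
        if m is None:
            raise ValueError(f"unsupported line: {line!r}")
        # pcre tables are case-insensitive unless a flag says otherwise.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, address):
    """Result of the first rule whose pattern matches the address, else None."""
    for pattern, result in rules:
        if pattern.search(address):
            return result
    return None

def discarded(table, addresses=ADDRESSES):
    """Addresses from the list that the table would hand to discard:."""
    rules = parse_table(table)
    return [a for a in addresses if lookup(rules, a) == "discard:"]

if __name__ == "__main__":
    for name, table in [("loose", LOOSE), ("unanchored", UNANCHORED),
                        ("anchored", ANCHORED)]:
        print(f"{name:10} discards: {discarded(table)}")
```

On a real system, `postmap -q user@host.com pcre:/etc/postfix/transport_maps` performs the same lookup against the live table.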
7

The simplest way to do this, with no regular expression support needed:

  1. Add this to main.cf if it is not already there:

    transport_maps = hash:/etc/postfix/transport
    
  2. Add lines to the file "/etc/postfix/transport" as needed

    # silently discard a single address
    address_to_discard@example.com discard
    
    # silently discard an entire domain
    example.net discard
    
    # return an error to the sending MTA
    address_to_error@example.com error:Invalid user
    
  3. Run postmap

    postmap /etc/postfix/transport
    
  4. Reload the postfix service (or wait ~ 1 minute and Postfix will automatically update)

    service postfix reload
    
miken32
Niels2000
5

As described in access(5), just add a check_recipient_access map to your smtpd_recipient_restrictions; if you wish to block these recipients for your own users too, make sure to place it before permit_mynetworks and/or permit_sasl_authenticated.

    smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/bad_recipients, permit_mynetworks, reject_unauth_destination, permit

And in /etc/postfix/bad_recipients:

    bad_user1@example.com REJECT We don't like this user
    bad_user2@example.org REJECT Delivery to this user is prohibited

Valerio Bozzolan
adaptr
-1

We had a use case for this scenario, where we needed to block some users receiving (opt-in) mailings from a list: users that refused to press the "Unsubscribe" link in those user-requested mailings (so, no, it wasn't spam). After a while we got abuse mails from ISPs that got complaints from those weird lazy users, which was really time-consuming nonsense. So we decided to create a map for Postfix. However, putting them in for a REJECT created new problems with the software sending them mail via Postfix, so what we ended up doing was mapping this instead:

    lazy_user@aol.com DISCARD Delivery to this user is ignored as a result of annoying abuse-responses from even lazier ISPs.

Julius