
I administer an email server based on Postfix that has copies of past emails as well as current ones. Some of the users have left but their email history needs to be retained and accessible. In the present situation, any emails to those users that have left are still received as normal. I want to block any new emails to those accounts. I can see a way of doing that using smtpd_restriction_classes. Would I have to include all users in the check_recipient_access hash table or can I just include those accounts I want to block?

smtpd_restriction_classes = restrictive, permissive
restrictive = DEFER
permissive = permit
check_recipient_access = hash:/etc/postfix/recipient_access

/etc/postfix/recipient_access:
    joe@example.com  restrictive
    mary@example.com restrictive
Patrick Mevzek
user3017691

1 Answer


It seems this blocking is intended to be permanent. If you use DEFER, Postfix will send temporary error code 450, causing the sending MTA to try again later. From RFC 5321, 4.2.1 & 4.2.2:

4yz Transient Negative Completion reply

The command was not accepted, and the requested action did not occur. However, the error condition is temporary, and the action may be requested again. The sender should return to the beginning of the command sequence (if any). It is difficult to assign a meaning to "transient" when two different sites (receiver- and sender-SMTP agents) must agree on the interpretation. Each reply in this category might have a different time value, but the SMTP client SHOULD try again.

450  Requested mail action not taken: mailbox unavailable (e.g.,
   mailbox busy or temporarily blocked for policy reasons)

550  Requested action not taken: mailbox unavailable (e.g., mailbox
   not found, no access, or command rejected for policy reasons)

I'd use error code 550; the default for a permanent REJECT is access_map_reject_code = 554.

Then, check_recipient_access doesn't work alone, but within smtpd_recipient_restrictions.

smtpd_recipient_restrictions =
    permit_mynetworks,
    . . .
    check_recipient_access hash:/etc/postfix/recipient_access,
    . . .

In addition to the error code you can use a custom human-readable, informational error message:

/etc/postfix/recipient_access:
    joe@example.com   550  Mailbox doesn't exist. See https://example.com/contact
    mary@example.com  550  Mary no longer works at Example Ltd. Contact Jason, instead.

As it's a hash: database, always remember to postmap /etc/postfix/recipient_access.

Esa Jokinen
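Putting the pieces of the answer above together as one runnable script. This is an added example, not code from the original answer or from the Postfix project. The departed-user list, the reply texts, the contact URL and the default table path are placeholders; sample_input, render_access_table, recipient_restrictions and apply are this script's own helper names. Run without arguments it only previews the access table and the restriction line; with --apply it writes the table, runs postmap, sets smtpd_recipient_restrictions with postconf, reloads Postfix and checks a lookup with postmap -q.

```shell
#!/bin/sh
# Added example, not code from the original answer: build, compile and verify a
# Postfix access table that permanently rejects (550) mail for departed users.
# Hypothetical: the user list, the reply texts, the contact URL and TABLE's path.
set -eu

TABLE="${TABLE:-/etc/postfix/recipient_access}"
DEFAULT_TEXT="Mailbox no longer exists. See https://example.com/contact"
TAB=$(printf '\t')

# Constructed input: one departed address per line, optionally followed by a
# tab and a custom reply text. Lines starting with '#' and blank lines are ignored.
sample_input() {
    printf '%s\t%s\n' 'joe@example.com'  'Mailbox does not exist. See https://example.com/contact'
    printf '%s\t%s\n' 'Mary@Example.com' 'Mary no longer works at Example Ltd. Contact Jason instead.'
    printf '%s\n'     'bob@example.com'
}

# Turn that input into access(5) entries of the form "address<TAB>550 text".
# 550 is a permanent reply, so the sending MTA bounces the message instead of
# retrying as it would on DEFER/450. Addresses are lower-cased because postmap
# folds lookup keys to lower case by default (postmap -f turns that off), so a
# mixed-case key in the table would never match.
render_access_table() {
    while IFS="$TAB" read -r addr text; do
        case "$addr" in ''|'#'*) continue ;; esac
        addr=$(printf '%s' "$addr" | tr '[:upper:]' '[:lower:]')
        printf '%s\t550 %s\n' "$addr" "${text:-$DEFAULT_TEXT}"
    done
}

# The restriction list check_recipient_access has to live in. It sits before
# permit_mynetworks here so that clients on your own networks are refused as
# well; move it after permit_mynetworks if internal senders should still reach
# the archived mailboxes. reject_unauth_destination keeps the server from
# becoming an open relay.
recipient_restrictions() {
    printf 'check_recipient_access hash:%s, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination' "$TABLE"
}

apply() {
    sample_input | render_access_table > "$TABLE"
    postmap "hash:$TABLE"            # builds $TABLE.db; repeat after every edit of the table
    postconf -e "smtpd_recipient_restrictions = $(recipient_restrictions)"
    postfix reload
    # Query the table the way smtpd will: a listed address prints "550 ...",
    # an unlisted one prints nothing and postmap exits with status 1.
    postmap -q 'joe@example.com' "hash:$TABLE"
    postmap -q 'alice@example.com' "hash:$TABLE" || echo 'alice@example.com: not listed, still accepted'
}

case "${1:-}" in
    --apply) apply ;;
    *)  echo "# $TABLE (preview; run with --apply to install)"
        sample_input | render_access_table
        echo "# smtpd_recipient_restrictions = $(recipient_restrictions)" ;;
esac
```

Only the addresses you want to close need to be in the table; everything else falls through to the remaining restrictions unchanged. The preview output is exactly what --apply would write, so it can be diffed against the live table before touching the server.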