Reject individual email address with address extension

With address extension configured in Postfix, it is very easy to use a new email address for every website you register on, but if a website leaks your address, you might receive lots of spam. If the address were configured in virtual_alias_maps, it could simply be removed, but address extensions need to be blocked individually.

Based on the setup explained in "Setup Postfix with SMTP-AUTH and TLS on CentOS" and "Configure address extension in Postfix", the email addresses are managed using virtual_alias_maps and the address extension is enabled as well. With this enabled, email addresses in the following format are accepted. Note that the “+” symbol is the recipient_delimiter you have configured.

user1+friends@example.com

If this email address is leaked to spammers, you cannot just remove it from virtual_alias_maps, as it does not actually exist there. Only the email address “user1@example.com” exists there, and this is mapped to the user. Removing this entry would reject not only mail to the address with the extension, but all mail to this email address!

To just reject this specific email address, a recipient_access list needs to be configured. This is done in the /etc/postfix/main.cf configuration file. Add “check_recipient_access” as the first part of the “smtpd_recipient_restrictions” setting like this.

smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access,...

Additionally the configured recipient_access file needs to be created. Add the email addresses you want to block, and the error code and text that should be returned. Create the file /etc/postfix/recipient_access and add the list in the following format.

user1+friends@example.com     550 No such user here!

Returning error 550 will inform the sending mail server that the email address does not exist. With this response code, an email will be rejected immediately in the SMTP session when the RCPT TO is sent to the server.

To activate the changes in the configuration, the recipient_access list needs to be converted into a db. Additionally, postfix needs to be restarted as the main.cf configuration file was changed as well.

$ postmap /etc/postfix/recipient_access
$ /etc/init.d/postfix restart

Now the sending mail server will not be able to deliver the email. The result code is a final error which instructs the sending mailserver to not try again to deliver this email. The sending mailserver will immediately detect that the email delivery has failed and inform the sender about this error in a notification email similar to this.

Delivery to the following recipient failed permanently:

     user1+friends@example.com

Technical details of permanent failure: 
Tried to deliver your message, but it was rejected by the server for the recipient domain example.com by mail.example.com. [123.123.123.123].

The error that the other server returned was:
550 5.7.1 <user1+friends@example.com>: Recipient address rejected: No such user here!
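The following check is an added example, not part of the original post: it models how check_recipient_access resolves a recipient against the table, using the lookup order documented in access(5) for addresses with an extension, and flags entries that would reject a whole mailbox instead of one extension. The function names, the user2 and user3 entries and the "+" delimiter are assumptions; subdomain matching and continuation lines are not modelled.

```python
RECIPIENT_DELIMITER = "+"  # assumption: same value as recipient_delimiter in main.cf

# Constructed sample in access(5) format; only the first entry appears in the post.
SAMPLE_TABLE = """\
# addresses leaked to spammers
user1+friends@example.com     550 No such user here!
user2+Shop@example.com        550 No such user here!
user3@example.com             550 No such user here!
"""

def parse_access(text):
    """Return {key: action}; keys are lowercased as postmap does by default for hash:."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"entry without an action: {line!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table

def lookup_keys(rcpt):
    """Keys tried for one recipient, in the order given in access(5)."""
    local, _, domain = rcpt.lower().rpartition("@")
    base = local.split(RECIPIENT_DELIMITER, 1)[0]
    keys = [f"{local}@{domain}", f"{base}@{domain}", domain, f"{local}@", f"{base}@"]
    return list(dict.fromkeys(keys))  # drop duplicates when there is no extension

def decide(table, rcpt):
    """Return (matching key, action) for the first hit, or None if no entry applies."""
    for key in lookup_keys(rcpt):
        if key in table:
            return key, table[key]
    return None

def mailbox_wide_rejects(table):
    """Reject entries with a user part but no extension: they hit every extension too."""
    hits = []
    for key, action in table.items():
        local = key.rpartition("@")[0]
        rejecting = action[:1] in ("4", "5") or action.upper().startswith("REJECT")
        if local and RECIPIENT_DELIMITER not in local and rejecting:
            hits.append(key)
    return hits

if __name__ == "__main__":
    table = parse_access(SAMPLE_TABLE)
    for rcpt in ("user1+friends@example.com", "user1+bank@example.com", "user3+any@example.com"):
        print(rcpt, "->", decide(table, rcpt) or "no match, next restriction applies")
    print("mailbox-wide entries:", mailbox_wide_rejects(table))
```

On a live server, `postmap -q "user1+friends@example.com" hash:/etc/postfix/recipient_access` confirms that the exact key is present in the compiled table.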

Read more of my posts on my blog at http://blog.tinned-software.net/.
