Don’t Talk About Exchange

I am going to avoid all the nightmarish stuff going on right now, so backdoor’d mail servers and burning data centres and all manner of infosec calamity will not be discussed. Going to move forward with something simple, wholesome and joyful.

Postfix

And specifically, how to do a little work with recipient verification.

Architecture

In this use case, I am talking about using a Postfix relay in front of your MTA. Perhaps running as a milter to deal with spam and malware, or just a simple relay. Either way, as emails come into Postfix it will query the MTA for that recipient and build a verify cache from the results.

On to the juicy bits…

First locate main.cf, in my case:

#cd /usr/local/etc/postfix

and edit the config (please refer to the Postfix documentation):

address_verify_map = btree:/var/db/postfix/verify_cache

smtpd_recipient_restrictions = 
		permit_mynetworks,
		reject_unverified_recipient

The verify cache will be built automatically as a Berkeley DB file with a .db suffix, residing in /var/db/postfix.

This is all well and good: let it run a while and the cache gets built, and your Postfix relay becomes your bouncer, rejecting interlopers and ne’er-do-wells and letting your MTA concentrate on bigger issues.

Feeling Rejected

What can happen, however, is that an email address gets cached as invalid (and maybe it was at the time) but later becomes a valid address, while Postfix continues to reject it because the negative result is still in the cache.

Two fixes for this:

Option One: The Nuclear Option

Shut down Postfix, delete or rename the cache, restart Postfix and let it build anew. This method works, is quick to implement and doesn’t really break anything. The only disadvantage is that the cache has to rebuild, so every inbound email triggers that verify process against the MTA again.

Option Two: The Surgical Strike

# stop postfix so the verify daemon is not holding the cache open
service postfix stop

# look up the rejected user in the cache db (path as set in main.cf)
postmap -s btree:/var/db/postfix/verify_cache | grep nosuchuser@company.xyz
nosuchuser@company.xyz	0:0:[timestamp]:[code] 4.1.1 Recipient Rejected

# delete the entry
postmap -d nosuchuser@company.xyz btree:/var/db/postfix/verify_cache

# start postfix
service postfix start

This option might require some extra time up front, but saves the rebuild process and is my preference for these issues.
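Before reaching for postmap -d it helps to see every address the cache is currently holding as a rejection, and how old each entry is. The script below is an added example, not from the original post: it parses the postmap -s dump in the layout shown above and assumes, as in that output, that the text of a cached rejection begins with the SMTP reply code (e.g. "450 4.1.1 Recipient Rejected"); the cache path comes from the main.cf setting above and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: review which addresses the
# verify cache currently holds as rejections before removing any of them
# with "postmap -d". Assumes the cache path from main.cf above and the
# "address<TAB>status:probed:updated:text" layout of "postmap -s" output,
# where the text of a cached rejection starts with the SMTP reply code
# (e.g. "450 4.1.1 Recipient Rejected"), as in the lookup shown above.

VERIFY_CACHE="${VERIFY_CACHE:-btree:/var/db/postfix/verify_cache}"

# Read a cache dump on stdin; print "address<TAB>updated<TAB>text" for every
# cached 4xx/5xx rejection whose "updated" timestamp is at least $1 seconds
# old (default 0) relative to epoch $2 (default: now).
list_rejected() {
    awk -F '\t' -v minage="${1:-0}" -v now="${2:-$(date +%s)}" '
        NF >= 2 {
            split($2, f, ":")                    # f[1]=status f[2]=probed f[3]=updated
            text = $2
            sub(/^[^:]*:[^:]*:[^:]*:/, "", text) # text may itself contain colons
            if (text ~ /^[45][0-9][0-9][ -]/ && now - f[3] >= minage)
                print $1 "\t" f[3] "\t" text
        }'
}

# Number of cached rejections in the dump on stdin.
count_rejected() {
    list_rejected "$@" | wc -l | tr -d ' '
}

# Live use (Postfix stopped, as in the procedure above): dump the real cache.
dump_rejected() {
    postmap -s "$VERIFY_CACHE" | list_rejected "$@"
}

# Constructed sample dump in the layout shown above, used for the demo below.
sample_dump() {
    printf 'alice@company.xyz\t0:0:1614556800:250 2.1.5 Ok\n'
    printf 'nosuchuser@company.xyz\t0:0:1614556800:450 4.1.1 Recipient Rejected\n'
    printf 'gone@company.xyz\t0:0:1614729600:550 5.1.1 User unknown\n'
}

# Demo: every cached rejection, then only those at least two days old
# as of 2021-03-04 00:00 UTC (epoch 1614816000).
if [ "${1:-}" = "--demo" ]; then
    sample_dump | list_rejected
    echo "--- stale (>= 2 days) ---"
    sample_dump | list_rejected 172800 1614816000
fi
```

Run it with --demo to see the constructed sample, or call dump_rejected against the live cache; any address that has since become valid on the MTA can then be removed with postmap -d exactly as above.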

Let’s wrap this up with a shout-out to all the sysadmins, network defenders, incident responders, threat hunters and sundry blueteamers fighting the good fight. 2021 has been a challenge, hang in there, I’m pulling for you!

patch your exchange