#StackBounty: #postfix How to allow postfix to parse recipient address with percent signs in them?

Bounty: 50

I am having a mail delivered to a postfix mail server.

  • That mail got the following address: else%2something@domain.com (It is basically a URL-encoded version of else+something@domain.com, which should be valid by RFC.)
  • The sender’s mail server is being told to go away with this message: NOQUEUE: reject: RCPT from randostring.outbound.protection.outlook.com[...]: 454 4.7.1 <else%2something@domain.com>: Relay access denied; from=<john.doe@live.com> to=<aelse%2something@domain.com> proto=ESMTP helo=<morerando.outbound.protection.outlook.com>
  • The log tells me: generic_checks: name=defer_unauth_destination status=2, which I assume is the problem here.
  • I have a mysql lookup for the $virtual_alias_domains, which does not get queried during the time the log message above is created. I think it might be cached for some time, but I could be totally wrong here.

What I have tried:

  • Disable/Enable allow_percent_hack to see if that is the reason, I get rejected. Nothing changes for either setting.
  • Tried to change the recipient_delimiter to ‘%’, which did not change anything.

My question: How can I force postfix to deliver this email?
I really do not need a permanent solution, as I consider this to be an edge case.

Bonus points if you can explain to me why this email is not received in the first place, because I really want to know why this is happening. 🙂


Edit #1:

I found a difference in the flags for a working and a non-working message.

  • Delivered message: Flag: 1024
  • Not Delivered message: Flag: 1026

By looking at different places in the source code (Flag definition: https://github.com/vdukhovni/postfix/blob/bfff4380a3b6fac2513c73531ee3a79212c08660/postfix/src/global/resolve_clnt.h#L36-L37 and Flag usage: https://github.com/vdukhovni/postfix/blob/ed3f86da7c3e15cf1ec57241c1f6036d82b790da/postfix/src/trivial-rewrite/resolve.c#L467-L468), I found out that as soon as there is another @, !, or % in the email address, it sets a routed flag, which is then handled later on.

What I have not found out yet is how I can

a) prevent that from happening

or

b) Hack a little something together to actually route him “back” to my server.



#StackBounty: #postfix #spam #spf #whitelist #rbl Postfix: ACCEPT if RBL and SPF checks pass, DUNNO/greylist otherwise. How to do it?

Bounty: 100

I would like to accept all clients that pass RBL and SPF checks (and possibly some checks, but these are minimum requirements for me), and greylist those who don’t. When a client passes the SPF check (SPF record exists, no fail, no soft-fail), we can be pretty sure that it’s not a botnet zombie, but an MTA that will retry delivery, so there’s little point in greylisting such clients.

So far I have been using Whitelister, which can implement this rule, but it hasn’t been maintained for the last 10 years or so, and is not available in modern distributions, so I’m looking for alternatives. As far as I understand, Postfix can only reject clients that are in RBLs, but cannot use RBLs as parts of more complex conditions, so I can’t see any way to use reject_rbl_client here. Is there a policy daemon that can do such checks?

My recipient restrictions in main.cf are as follows. I don’t know what I can put in place of ???:

smtpd_recipient_restrictions =
        check_sender_access regexp:/etc/postfix/sender_access_regexp,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_sender_domain,
        reject_unauth_destination,
        ???,
        check_policy_service unix:postgrey/postgrey.sock
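
An added example, not part of the original question and not an existing policy daemon: the decision logic the question describes, using Postfix's policy delegation request and reply format. The DNSBL zone, the `rbl_listed` and `spf_result` lookup callbacks and the sample request are assumptions constructed for illustration; a real service would back the callbacks with DNS and an SPF library.

```python
import ipaddress

SPF_ACCEPT = {"pass"}  # assumption: only an explicit pass skips greylisting

def parse_request(raw):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def rbl_query_name(client_address, zone):
    """Reversed-address DNSBL query name for an IPv4 or IPv6 client."""
    pointer = ipaddress.ip_address(client_address).reverse_pointer
    return pointer.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def decide(attrs, rbl_listed, spf_result, zones):
    """Return OK (skip later restrictions) or DUNNO (continue to greylisting)."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    client, sender = attrs.get("client_address", ""), attrs.get("sender", "")
    try:
        listed = any(rbl_listed(rbl_query_name(client, z)) for z in zones)
    except ValueError:  # unparsable client address: give no opinion
        return "DUNNO"
    if listed or not sender:  # null sender (bounce) has no SPF domain here
        return "DUNNO"
    if spf_result(client, sender, attrs.get("helo_name", "")) not in SPF_ACCEPT:
        return "DUNNO"  # none, neutral, softfail, fail and lookup errors
    return "OK"

def reply(action):
    """Format the policy reply: one action line, then an empty line."""
    return "action=" + action + "\n\n"

# Constructed sample request (documentation addresses), not taken from the page.
SAMPLE = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.10\nhelo_name=mail.example.org\n"
    "sender=alice@example.org\nrecipient=bob@example.net\n\n"
)

if __name__ == "__main__":
    not_listed = lambda name: False              # stand-in for a DNS A lookup
    spf_pass = lambda ip, sender, helo: "pass"   # stand-in for an SPF library
    print(reply(decide(parse_request(SAMPLE), not_listed, spf_pass, ["dnsbl.example"])), end="")
```

Called through check_policy_service in the position marked ???, which sits after reject_unauth_destination, an OK reply ends evaluation of the restriction list before postgrey is consulted, while DUNNO lets evaluation continue to the greylisting service.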

