Custom header_checks or check_recipient_access?


#1

Is it possible (or worth requesting) to get per-domain header_checks on incoming email?

For example, say I have acme.com and sub.acme.com hosted at dreamhost. Could I arrange that mail to

alice-@sub.acme.com: OK accept
bob-@sub.acme.com: OK accept
@sub.acme.com: REJECT at SMTP level?

I know this works by default with recipient delimiter ‘+’ instead of ‘-’; but many places (mistakenly) consider such addresses invalid. Also, clearly I could make sub.acme.com a catch-all and then emulate the above behavior in procmail… but I’d rather do the right thing and reject at SMTP level, rather than accept and silently discard.

So, do we have any hooks to implement this – perhaps using header_checks? or a check_recipient_access regexp map?

[Subsidiary question: if yes and I forward the accepted mail to alice@acme.com and bob@acme.com, can I still put it through spamassassin at that stage?]


#2

Anyone?

Just came across further arguments for this by a dreamhoster, and made
it a suggestion at panel.dreamhost.com, as follows. We’ll see…


Custom header_checks (www.postfix.org/header_checks.5.html)

All I really want is the ability to REJECT incoming SMTP based on recipient.

Rationale:
Once a recipient-delimited ("base+extension@domain.com") address starts
getting spam, rejecting at SMTP level is much nicer than procmail to /dev/null.
(E.g. senders get notified it’s no longer read.) This applies especially to
the spam-prone but necessary extension-free version ("base@domain.com"
in this case).

Also:
This would solve the problem of those who wish postfix would support
another recipient_delimiter (see previous Suggestion: Allow "semi-catch-all"
emails like “sales-*@domain.com”, 2005-05-16). Right now their only
option is to make domain.com a catch-all and then silently discard almost
everything in procmail.

“Semi-catch-all” aside, this would generally let us gracefully retire any
addresses that start getting spammed. See file /etc/postfix/header_checks
on a dreamhost machine – it’s just a bunch of lines like

/^From:.*@0451.com/ REJECT Message rejected due to site policy

so you could say something like

/^To:bob@acme.com/ REJECT Address retired, please use robert@acme.com

(Meanwhile, I’m still interested in advice on whether or not the procmail
workaround described in the parent post is a good way to go.)
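Added example, not part of the original posts and not DreamHost's configuration: how the rules from this thread would look on a Postfix server where you control main.cf. The file name /etc/postfix/recipient_access and the reject texts for sub.acme.com are assumptions; the addresses are the ones used in the posts. It puts the header_checks form next to a check_recipient_access regexp map, which matches the envelope recipient (RCPT TO) rather than the To: header.

```conf
# --- header_checks form (from the thread), for comparison ---
# header_checks is matched against message header lines, so it only
# fires after DATA and only if the To: header actually names the
# address. Bcc'd or list-delivered mail for bob@acme.com carries a
# different To: header and is not caught.
#
#   /^To:.*bob@acme\.com/  REJECT Address retired, please use robert@acme.com

# --- /etc/postfix/main.cf ---
# check_recipient_access is evaluated at RCPT TO, before any message
# content is sent. It is listed after reject_unauth_destination so an
# OK result from the map can never authorise relaying.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access regexp:/etc/postfix/recipient_access

# --- /etc/postfix/recipient_access ---
# regexp tables are searched top to bottom; the first match wins.
# The lookup key is the full envelope recipient address.
/^alice-[^@]*@sub\.acme\.com$/   OK
/^bob-[^@]*@sub\.acme\.com$/     OK
/@sub\.acme\.com$/               REJECT No such address at sub.acme.com
/^bob@acme\.com$/                REJECT Address retired, please use robert@acme.com
```

The map can be checked without sending mail: `postmap -q "alice-news@sub.acme.com" regexp:/etc/postfix/recipient_access` prints the action for that address. The OK lines only skip the REJECT; the accepted addresses still need a mailbox or alias that resolves them.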