Use blackhole subdomain for sender addresses of verify probes.

These addresses need to be accepted on the MX:es, as recipients sometimes phone back during the SMTP session to check whether the sender exists. Since a time-dependent suffix is added to the local part (cf. http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's not enough to drop incoming mails to ‘double-bounce@fripost.org’, and it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
author: Guilhem Moulin <guilhem@fripost.org> 2017-05-15 23:31:13 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2017-05-16 01:29:28 +0200
commit: 45743fcc30ad310da0ef306d6319face3604ac4d (patch)
tree: 3df16d635b1f4e553fb31647e5cac80341c51b16 /roles
parent: fcc12720a977c754b1e7ef79d67410b445caf065 (diff)
3 files changed, 3 insertions, 4 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index cbd5264..f5f0834 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -63,41 +63,41 @@ smtpd_tls_key_file              = $config_directory/ssl/smtp.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database=
 smtpd_tls_received_header       = yes
 
 # SASL
 smtpd_sasl_auth_enable          = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain         =
 smtpd_sasl_exceptions_networks  = $mynetworks
 smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients        = yes
 smtpd_sasl_type                 = dovecot
 smtpd_sasl_path                 = unix:private/dovecot-auth
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
-address_verify_sender            = $double_bounce_sender@$mydomain
+address_verify_sender            = $double_bounce_sender@noreply.$mydomain
 address_verify_sender_ttl        = 24h
 unverified_recipient_defer_code  = 250
 unverified_recipient_reject_code = 550
 
 smtpd_client_restrictions =
     permit_sasl_authenticated
     reject
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
     check_sender_access cdb:$config_directory/check_sender_access
 
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
diff --git a/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre b/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
index 9fe60c8..eb17d65 100644
--- a/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
+++ b/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
@@ -1,6 +1,5 @@
 /^(?:postmaster|abuse)(?:\+.*)?@fripost\.org$/  admin@fripost.org
 # For other domains, RFC 822 section 6.3 and RFC 2142 section 4
 # mandatory aliases are forwarded to OUR admin team and to the domain
 # owner or postmaster, if there are any.
-/^(postmaster|abuse)(?:\+.*)?@(.*)/             $2/$1@reserved.fripost.org
-/^(double-bounce)(?:\+.*)?@(.*)/                $2/$1@discard.fripost.org
+/^(postmaster|abuse)(?:\+.*)?@(.*)/     $2/$1@reserved.fripost.org
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 235b866..2ba0a34 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -40,41 +40,41 @@ recipient_delimiter = +
 
 relay_domains       =
 relay_transport     = error:5.3.2 Relay Transport unavailable
 
 # All header rewriting happens upstream
 local_header_rewrite_clients =
 
 
 smtp_tls_security_level         = may
 smtp_tls_ciphers                = medium
 smtp_tls_protocols              = !SSLv2, !SSLv3
 smtp_tls_note_starttls_offer    = yes
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 
 smtpd_tls_security_level        = none
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
-address_verify_sender            = $double_bounce_sender@$mydomain
+address_verify_sender            = $double_bounce_sender@noreply.$mydomain
 address_verify_sender_ttl        = 24h
 unverified_recipient_defer_code  = 250
 unverified_recipient_reject_code = 550
 
 smtpd_client_restrictions =
     permit_mynetworks
     # We are the only ones using this proxy, but if things go wrong we
     # want to know why
     defer
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
 
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
author	Guilhem Moulin <guilhem@fripost.org>	2017-05-15 23:31:13 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2017-05-16 01:29:28 +0200
commit	45743fcc30ad310da0ef306d6319face3604ac4d (patch)
tree	3df16d635b1f4e553fb31647e5cac80341c51b16 /roles
parent	fcc12720a977c754b1e7ef79d67410b445caf065 (diff)