Prev: Spoofed freemail domains protection not working for postmaster
Next: Mail Delivery Using FILTER in access table
From: Chad Morland on 10 Jun 2010 11:20
I am trying to setup a server that will be only used for mail forwarding and
will not have any local mailboxes on it.

I am trying to have virtual_alias_maps as the sole lookup and any other mail
is rejected during the SMTP session after the RCPT TO command if the address
is not found in virtual_alias_maps.

I have the following in my configuration which works:

smtpd_reject_unlisted_recipient = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/
mysql_virtual_domains_maps.cf

I'd like to do away with virtual_alias_domains but when I disable this I get
"relay denied".

Is there a way to configure postfix so that it is the final destination only
for addresses defined in virtual_alias_maps and not the entire domain as
implied by virtual_alias_domains?
From: Noel Jones on 10 Jun 2010 11:53
On 6/10/2010 10:20 AM, Chad Morland wrote:
> I am trying to setup a server that will be only used for mail forwarding
> and will not have any local mailboxes on it.
>
> I am trying to have virtual_alias_maps as the sole lookup and any other
> mail is rejected during the SMTP session after the RCPT TO command if
> the address is not found in virtual_alias_maps.
>
> I have the following in my configuration which works:
>
> smtpd_reject_unlisted_recipient = yes
> virtual_alias_maps =
> proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> <http://mysql_virtual_alias_maps.cf>
> virtual_alias_domains =
> proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> <http://mysql_virtual_domains_maps.cf>
>
> I'd like to do away with virtual_alias_domains but when I disable this I
> get "relay denied".
>
> Is there a way to configure postfix so that it is the final destination
> only for addresses defined in virtual_alias_maps and not the entire
> domain as implied by virtual_alias_domains?
>

You can use the "old" method of defining virtual_alias_domains
by defining them directly in virtual_alias_maps.
key value
example.com anything


If your domain list doesn't change often, just list the
domains in main.cf. If there are more than a handful of
domains, use a static hash: table.
http://www.postfix.org/postconf.5.html#virtual_alias_domains

From: Chad Morland on 10 Jun 2010 13:06
On Thu, Jun 10, 2010 at 11:53 AM, Noel Jones <njones(a)megan.vbhcs.org> wrote:

> On 6/10/2010 10:20 AM, Chad Morland wrote:
>
>> I am trying to setup a server that will be only used for mail forwarding
>> and will not have any local mailboxes on it.
>>
>> I am trying to have virtual_alias_maps as the sole lookup and any other
>> mail is rejected during the SMTP session after the RCPT TO command if
>> the address is not found in virtual_alias_maps.
>>
>> I have the following in my configuration which works:
>>
>> smtpd_reject_unlisted_recipient = yes
>> virtual_alias_maps =
>> proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
>> <http://mysql_virtual_alias_maps.cf>
>>
>> virtual_alias_domains =
>> proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
>> <http://mysql_virtual_domains_maps.cf>
>>
>>
>> I'd like to do away with virtual_alias_domains but when I disable this I
>> get "relay denied".
>>
>> Is there a way to configure postfix so that it is the final destination
>> only for addresses defined in virtual_alias_maps and not the entire
>> domain as implied by virtual_alias_domains?
>>
>>
> You can use the "old" method of defining virtual_alias_domains by defining
> them directly in virtual_alias_maps.
> key value
> example.com anything
>
>
> If your domain list doesn't change often, just list the domains in main.cf.
> If there are more than a handful of domains, use a static hash: table.
> http://www.postfix.org/postconf.5.html#virtual_alias_domains
>
>
Thanks for the idea but it doesn't address my issue. I don't want to accept
mail for the entire domain, just for specific addresses that are defined.

Also, this system has thousands of domains and aliases which are updated
frequently so I'm going to be sticking with the MySQL backend.

My application is a DNS management system and my current DB schema has a
table that lists all domains in the system (virtual_alias_domains)
regardless if they have mail forwarding setup and another table that lists
the alias info (virtual_alias_maps). I only want postfix to accept mail for
addresses defined in virtual_alias_maps.

My current setup (using virtual_alias_domains) will accept mail for the
entire domain and generate a bounce message if the user does not exist. I
want to stop that at the SMTP session level.

Example:
virtual_alias_maps = foo(a)abc.com -> foo(a)xyz.com

Accept mail for foo(a)abc.com but reject mail at the SMTP level for
bar(a)abc.com (550 relay denied).
From: Noel Jones on 10 Jun 2010 13:27
On 6/10/2010 12:06 PM, Chad Morland wrote:
>
>
> On Thu, Jun 10, 2010 at 11:53 AM, Noel Jones <njones(a)megan.vbhcs.org
> <mailto:njones(a)megan.vbhcs.org>> wrote:
>
> On 6/10/2010 10:20 AM, Chad Morland wrote:
>
> I am trying to setup a server that will be only used for mail
> forwarding
> and will not have any local mailboxes on it.
>
> I am trying to have virtual_alias_maps as the sole lookup and
> any other
> mail is rejected during the SMTP session after the RCPT TO
> command if
> the address is not found in virtual_alias_maps.
>
> I have the following in my configuration which works:
>
> smtpd_reject_unlisted_recipient = yes
> virtual_alias_maps =
> proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> <http://mysql_virtual_alias_maps.cf>
> <http://mysql_virtual_alias_maps.cf>
>
> virtual_alias_domains =
> proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> <http://mysql_virtual_domains_maps.cf>
> <http://mysql_virtual_domains_maps.cf>
>
>
> I'd like to do away with virtual_alias_domains but when I
> disable this I
> get "relay denied".
>
> Is there a way to configure postfix so that it is the final
> destination
> only for addresses defined in virtual_alias_maps and not the entire
> domain as implied by virtual_alias_domains?
>
>
> You can use the "old" method of defining virtual_alias_domains by
> defining them directly in virtual_alias_maps.
> key value
> example.com <http://example.com> anything
>
>
> If your domain list doesn't change often, just list the domains in
> main.cf <http://main.cf>. If there are more than a handful of
> domains, use a static hash: table.
> http://www.postfix.org/postconf.5.html#virtual_alias_domains
>
>
> Thanks for the idea but it doesn't address my issue. I don't want to
> accept mail for the entire domain, just for specific addresses that are
> defined.
>
> Also, this system has thousands of domains and aliases which are updated
> frequently so I'm going to be sticking with the MySQL backend.
>
> My application is a DNS management system and my current DB schema has a
> table that lists all domains in the system (virtual_alias_domains)
> regardless if they have mail forwarding setup and another table that
> lists the alias info (virtual_alias_maps). I only want postfix to accept
> mail for addresses defined in virtual_alias_maps.
>
> My current setup (using virtual_alias_domains) will accept mail for the
> entire domain and generate a bounce message if the user does not exist.
> I want to stop that at the SMTP session level.
>
> Example:
> virtual_alias_maps = foo(a)abc.com <mailto:foo(a)abc.com> -> foo(a)xyz.com
> <mailto:foo(a)xyz.com>
>
> Accept mail for foo(a)abc.com <mailto:foo(a)abc.com> but reject mail at the
> SMTP level for bar(a)abc.com <mailto:bar(a)abc.com> (550 relay denied).
>
>

That is the default behavior; only mail for users listed in
virtual_alias_maps is accepted.

You can defeat address validation with "@domain1 @domain2"
wildcard rewriting in virtual or canonical maps, or by listing
a domain in additional address classes.

Now would be a good time to show your "postconf -n" and
logging demonstrating the problem.

-- Noel Jones

From: Jerrale Gayle on 10 Jun 2010 18:59
On 6/10/2010 1:06 PM, Chad Morland wrote:
>
>
> On Thu, Jun 10, 2010 at 11:53 AM, Noel Jones <njones(a)megan.vbhcs.org
> <mailto:njones(a)megan.vbhcs.org>> wrote:
>
> On 6/10/2010 10:20 AM, Chad Morland wrote:
>
> I am trying to setup a server that will be only used for mail
> forwarding
> and will not have any local mailboxes on it.
>
> I am trying to have virtual_alias_maps as the sole lookup and
> any other
> mail is rejected during the SMTP session after the RCPT TO
> command if
> the address is not found in virtual_alias_maps.
>
> I have the following in my configuration which works:
>
> smtpd_reject_unlisted_recipient = yes
> virtual_alias_maps =
> proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> <http://mysql_virtual_alias_maps.cf>
> <http://mysql_virtual_alias_maps.cf>
>
> virtual_alias_domains =
> proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> <http://mysql_virtual_domains_maps.cf>
> <http://mysql_virtual_domains_maps.cf>
>
>
> I'd like to do away with virtual_alias_domains but when I
> disable this I
> get "relay denied".
>
> Is there a way to configure postfix so that it is the final
> destination
> only for addresses defined in virtual_alias_maps and not the
> entire
> domain as implied by virtual_alias_domains?
>
>
> You can use the "old" method of defining virtual_alias_domains by
> defining them directly in virtual_alias_maps.
> key value
> example.com <http://example.com> anything
>
>
> If your domain list doesn't change often, just list the domains in
> main.cf <http://main.cf>. If there are more than a handful of
> domains, use a static hash: table.
> http://www.postfix.org/postconf.5.html#virtual_alias_domains
>
>
> Thanks for the idea but it doesn't address my issue. I don't want to
> accept mail for the entire domain, just for specific addresses that
> are defined.
>
> Also, this system has thousands of domains and aliases which are
> updated frequently so I'm going to be sticking with the MySQL backend.
>
> My application is a DNS management system and my current DB schema has
> a table that lists all domains in the system (virtual_alias_domains)
> regardless if they have mail forwarding setup and another table that
> lists the alias info (virtual_alias_maps). I only want postfix to
> accept mail for addresses defined in virtual_alias_maps.
>
> My current setup (using virtual_alias_domains) will accept mail for
> the entire domain and generate a bounce message if the user does not
> exist. I want to stop that at the SMTP session level.
>
> Example:
> virtual_alias_maps = foo(a)abc.com <mailto:foo(a)abc.com> -> foo(a)xyz.com
> <mailto:foo(a)xyz.com>
>
> Accept mail for foo(a)abc.com <mailto:foo(a)abc.com> but reject mail at
> the SMTP level for bar(a)abc.com <mailto:bar(a)abc.com> (550 relay denied).
>
>
Well, the server doesn't have to reject anything except for those
connecting directly to it without using the MX. The mx record does not
allow partial domain matching; so, your regular postfix server would
have to accept all mail for the domain and then forward the specific
mail to the other server. I would actually suggest using ONE mail
server, or multiples with the same config as backups, for all your
mail, including your rewrites, to save headache because having mail
forwarded from one postfix server to another, and then forwarded again,
will cause the final destination address to not be what you expect. You
would need to have the main postfix server forward to a subdomain of the
domain, such as forward.domain.com handled by the second server, and
then the final recipient would think their e-mail address is
foo(a)forward.domain.com. *The only way to avoid this is by using
transports on the main postfix server to point to the second server as
the transport.* So, you need to look into transports!

 | 
Pages: 1
Prev: Spoofed freemail domains protection not working for postmaster
Next: Mail Delivery Using FILTER in access table