From: Victor Duchovni on
On Thu, Apr 08, 2010 at 09:59:54PM +1000, James Lever wrote:

>
> On 25/03/2010, at 11:43 AM, James Lever wrote:
>
> > This still doesn’t solve the issue of local destination mail - mail sent via “mail user” or “mail user@$myhostname” from the local system still gets delivered to the mail spool. This is the key part that I’m still trying to solve.
>
>
> For anybody else that comes along, I discovered 2 methods to easily do what I wanted.
>
> Method 1:
>
> Enable envelope_sender masquerading (non-default behaviour).
>
> edit masquerade_classes to include envelope_recipient, for example:
>
> masquerade_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
>
> along with
>
> masquerade_domains = $mydomain
> masquerade_exceptions = root, mailer-daemon, logwatch

Seems to me that $myorigin = $mydomain achieves the result more cleanly.
Mail for root can be handled via virtual(5) and generic(5).

> Method 2:
>
> This method can provide significantly greater flexibility, but bypasses all local delivery attempts including alias expansion, so any aliases need to be defined in /etc/postfix/virtual and the regexp needs to exclude it (from my minimal testing of this method)
>
> local_transport = virtual
> virtual_alias_maps = regexp:/etc/postfix/virtual
>
> in /etc/postfix/virtual have an entry similar to this
>
> /(.*)@/ $1@somedomain.com
>
>
> Hopefully that’s the right way to do the second one.

This looks fragile.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
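
One way to see how broadly the Method 2 pattern matches, as an added example that is not part of the original thread: Postfix regexp: tables match unanchored and case-insensitively, and virtual_alias_maps is consulted for every recipient address, not only local ones. The Python below emulates the lookup on constructed addresses; `host1.example.com` and the tighter rule are hypothetical.

```python
import re

# Tables as (pattern, replacement) pairs, tried in order like a regexp: map.
PAGE_TABLE = [(r"(.*)@", "$1@somedomain.com")]           # pattern from the post
# Hypothetical tighter rule: anchored and limited to this host's own names.
TIGHT_TABLE = [(r"^(.+)@(host1\.example\.com|localhost)$", "$1@somedomain.com")]

def lookup(table, address):
    """Emulate a Postfix regexp: lookup: unanchored, case-insensitive,
    first match wins, $N replaced by the N-th group. None means no match."""
    for pattern, template in table:
        m = re.search(pattern, address, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None

# Constructed recipient addresses.
SAMPLES = [
    "alice@host1.example.com",     # would-be local recipient
    "root@localhost",              # would-be local recipient
    "bob@partner.example.org",     # recipient in an unrelated remote domain
    "alice@somedomain.com",        # already in the target domain
]

def compare(samples=SAMPLES):
    """Map each address to (result with page pattern, result with tight rule)."""
    return {a: (lookup(PAGE_TABLE, a), lookup(TIGHT_TABLE, a)) for a in samples}

if __name__ == "__main__":
    for addr, (loose, tight) in compare().items():
        print(f"{addr:28} page: {loose!s:24} tight: {tight}")
```

With the page's pattern the remote recipient is redirected into somedomain.com as well; the anchored rule leaves it untouched.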

From: James Lever on

On 09/04/2010, at 12:08 AM, Victor Duchovni wrote:

> Seems to me that $myorigin = $mydomain achieves the result more cleanly.
> Mail for root can be handled via virtual(5) and generic(5).

That’s a fair point, but this is a much simpler and cleaner (configuration management-wise) solution. I think $myorigin = $mydomain still doesn’t handle the case where you send mail to $local@$myhostname without the use of masquerading?

>> in /etc/postfix/virtual have an entry similar to this
>>
>> /(.*)@/ $1@somedomain.com
>>
>>
>> Hopefully that’s the right way to do the second one.
>
> This looks fragile.

Yeah, I went back to using masquerade_classes as it was a significantly tidier approach. If I did ever have need to go down the virtual approach, I’d probably have to write some decent regexp to cover my behind.

cheers,
James

From: Victor Duchovni on
On Fri, Apr 09, 2010 at 07:05:33AM +1000, James Lever wrote:

>
> On 09/04/2010, at 12:08 AM, Victor Duchovni wrote:
>
> > Seems to me that $myorigin = $mydomain achieves the result more cleanly.
> > Mail for root can be handled via virtual(5) and generic(5).
>
> That’s a fair point, but this is a much simpler and cleaner
> (configuration management-wise) solution. I think $myorigin = $mydomain
> still doesn’t handle the case where you send mail to $local@$myhostname
> without the use of masquerading?

Masquerading is "clean" on null-client systems only. On real MTAs,
masquerading is often a tricky business. Use other tools if possible.
Such brute-force rewriting is much more intrusive and risky than setting
myorigin correctly.

--
Viktor.

From: James Lever on

On 09/04/2010, at 8:05 AM, Victor Duchovni wrote:

> Use other tools if possible. Such brute-force rewriting is much more intrusive and risky than setting myorigin correctly.

So are you suggesting that what I really need to do is something like this:

1. $myorigin = $mydomain
2. still use masquerading to catch $local@$myhostname and $local
3. use virtual(5) or generic(5) to rewrite excepted address to $local@$myhostname

With 3., how do you have it so that the headers are rewritten as $local@$myhostname, in the generic form, without having to edit the configuration file by hand for each host?

Also, how do you rewrite $local@localhost? (this still gets delivered to /var/mail/) and are there any other cases that would deliver to a local mailbox?

cheers,
James

From: Victor Duchovni on
On Fri, Apr 09, 2010 at 09:21:12AM +1000, James Lever wrote:

> So are you suggesting that what I really need to do is something like this:
>
> 1. $myorigin = $mydomain

Instead of masquerading.

> 2. still use masquerading to catch $local@$myhostname and $local

Typically, disable all local delivery.

mydestination =
alias_database =
alias_maps = $alias_database
local_transport = error:5.1.2 Mailbox unavailable
local_recipient_maps =

> 3. use virtual(5) or generic(5) to rewrite excepted address to
> $local@$myhostname

Can't answer that without understanding what you are really trying to
achieve. What are these "exception addresses" and why do you need them?
Who reads their email and what is the best way to make it available
to them?

> With 3., how do you have it so that the headers are rewritten as
> $local@$myhostname, in the generic form, without having to edit the
> configuration file by hand for each host?

Who said anything about per-host customization being done "by-hand"?
The simplest approach is to push template files, and use "make". More
sophisticated tooling can be integrated as appropriate.

> Also, how do you rewrite $local@localhost? (this still gets delivered
> to /var/mail/) and are there any other cases that would deliver to a
> local mailbox?

If you leave mydestination empty, and set "local_transport = error:..."
there is no local delivery. Mail addressed to would-be local addresses
should be rewritten to arrive somewhere sensible.

If you want something more subtle, you need to explain your goals
more clearly.

--
Viktor.

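
A small audit for the no-local-delivery settings in the reply above, as an added example that is not part of the original thread: it parses main.cf text (comments, continuation lines, `$name` references) and reports each of the five parameters that is missing or differs. A parameter absent from the file is reported because Postfix then uses its built-in default; the `PARTIAL` file is constructed.

```python
import re

# From the reply: these must expand to empty; local_transport must use error:.
MUST_BE_EMPTY = ("mydestination", "alias_database", "alias_maps", "local_recipient_maps")

def parse_main_cf(text):
    # '#' and blank lines are ignored; leading whitespace continues the
    # previous parameter; the last assignment of a name wins.
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] = (params[name] + " " + raw.strip()).strip()
        else:
            name, _, value = (part.strip() for part in raw.partition("="))
            params[name] = value
    return params

def expand(value, params, depth=0):
    def ref(m):  # $name or ${name}; names unset in this file stay unresolved
        known = m.group(1) in params and depth < 10
        return expand(params[m.group(1)], params, depth + 1) if known else m.group(0)
    return re.sub(r"\$\{?(\w+)\}?", ref, value).strip()

def audit(text):
    params, findings = parse_main_cf(text), []
    for name in MUST_BE_EMPTY + ("local_transport",):
        if name not in params:
            findings.append(f"{name}: not set, built-in default applies")
            continue
        value = expand(params[name], params)
        ok = value.startswith("error:") if name == "local_transport" else value == ""
        if not ok:
            findings.append(f"{name}: {value!r} differs from the no-local-delivery setting")
    return findings

# HARDENED is the block as posted; PARTIAL is a constructed sample.
HARDENED = """mydestination =
alias_database =
alias_maps = $alias_database
local_transport = error:5.1.2 Mailbox unavailable
local_recipient_maps =
"""
PARTIAL = """myorigin = $mydomain
mydestination = $myhostname,
    localhost
local_transport = error:5.1.2 Mailbox unavailable
"""
```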