Prev: sasl with postfix
Next: some addresses failing : Recipient address rejected: unverified address: unknown user:
From: Phil Howard on 25 May 2010 16:21

On Tue, May 25, 2010 at 15:59, Wietse Venema <wietse(a)porcupine.org> wrote:

> You need one table entry per user somewhere, otherwise you can't
> reject mail for users that don't exist.

Absolutely, of course. But having one entry for every pairing of user AND hostname isn't possible (because an infinite number of hostparts could be used). One entry for every pairing of user and domain-part-of-hostname could be done. The wildcarding for example.com (so anyhostpart.example.com acts as example.com) would be separate from wildcarding of other domains such as example.net (where someotherhostpart.example.net acts as example.net). The username space for example.com is independent of the username space for example.net (and hence the complexity).

I'm thinking I need to do a tcp:table that talks to my own daemon to sort this out. That daemon would get user(a)hostpart.domain.tld, split it to 3 parts: user, hostpart, and domain.tld, verify that user is valid for domain.tld, reject (500?) if not valid, and answer with user(a)domain.tld (200) if it is valid (and if the domain is one of those for which wildcarding is enabled) ... with variations for the other cases (e.g. no hostpart, domains not wildcarded, or whatever else).

The tcp:table protocol looks very simple. A small multiplexing daemon should be sufficient. It should be secure enough if bound to localhost on a low port number ... tcp:127.0.0.1:789
From: Wietse Venema on 25 May 2010 17:10

Phil Howard:
> On Tue, May 25, 2010 at 15:59, Wietse Venema <wietse(a)porcupine.org> wrote:
>
> > You need one table entry per user somewhere, otherwise you can't
> > reject mail for users that don't exist.
>
> Absolutely, of course. But having one entry for every pairing of user
> AND hostname isn't possible (because an infinite number of hostparts

My examples DO NOT require one user entry per DOMAIN.

        Wietse
From: Phil Howard on 25 May 2010 17:21

On Tue, May 25, 2010 at 17:10, Wietse Venema <wietse(a)porcupine.org> wrote:
> Phil Howard:
>> On Tue, May 25, 2010 at 15:59, Wietse Venema <wietse(a)porcupine.org> wrote:
>>
>> > You need one table entry per user somewhere, otherwise you can't
>> > reject mail for users that don't exist.
>>
>> Absolutely, of course. But having one entry for every pairing of user
>> AND hostname isn't possible (because an infinite number of hostparts
>
> My examples DO NOT require one user entry per DOMAIN.

Then I apparently didn't understand what was being configured. I'll look again.
From: Phil Howard on 26 May 2010 15:31

On Tue, May 25, 2010 at 15:59, Wietse Venema <wietse(a)porcupine.org> wrote:
> Phil Howard:
>> On Tue, May 25, 2010 at 12:37, Wietse Venema <wietse(a)porcupine.org> wrote:
>> > Phil Howard:
>> >> On Tue, May 25, 2010 at 10:36, Wietse Venema <wietse(a)porcupine.org> wrote:
>> >>
>> >> > Postfix supports wildcards via regexp/pcre tables.
>> >> >
>> >> > 1) You can use them for all the tables that define Postfix address
>> >> >    classes: mydestination + aliases, virtual_alias_domains +
>> >> >    virtual_alias_maps, virtual_mailbox_domains + virtual_mailbox_maps,
>> >> >    relay_domains + relay_recipient_maps.
>> >> >
>> >> >    Simply replacing one domain name by another does not produce the
>> >> >    expected result.
>> >>
>> >> That's what I'm afraid of ... particularly if it can result in
>> >> backscatter or open relay. I need to get the test of the valid user
>> >> done at RCPT time, obviously. But the addressed domain could be
>> >> foobar.example.com or xyzzy.example.com or anything else in front of
>> >> the domain, without me knowing what these could be in advance. So I
>> >> can't just have a table of all possible valid user(a)hostpart.domain. I
>> >> can have all valid user(a)domain even though RCPT can name
>> >> user(a)hostpart.domain.
>> >
>> > Postfix supports wildcards via regexp/pcre tables:
>> > /^user@.*\.example\.com$/ will match the user in any subdomain of
>> > example.com.
>>
>> But this is still going to be a big table with individual entries
>> for all users?
>
> You need one table entry per user somewhere, otherwise you can't
> reject mail for users that don't exist.

I'm still trying to figure out your example. You gave this:

/^user@.*\.example\.com$/

But that includes actually coding the username, right? If so, that means I have to have such an entry in this file for each and every user. What if there are 131072 users ... 131072 entries?

So I think what I need is a generic regexp that covers all users, and a DB for a list of legitimate users (indexed as user(a)example.com, the domain the regexp maps to) ... e.g. two separate tables ... somewhere (but I don't know where in main.cf). My thinking is:

/^(.*)@.*\.example\.com$/ ${1}@example.com

then the result of that would be looked up in the user(a)domain table (and if not successful, reject the RCPT).
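The daemon Phil sketches in his first post (split user(a)hostpart.domain.tld, verify the user against the domain's user list, answer with the canonical address), and the two-stage lookup he arrives at above (a generic rewrite of any hostpart to the bare domain, then a lookup in a per-domain user table), as one added example in Python. This is not code from the thread or from Postfix. It speaks the tcp_table(5) request/reply protocol: Postfix sends "get KEY", the server answers "200 VALUE" when the key is found (here the rewritten user@domain address), "500 text" when it is not, and "400 text" for a temporary error, with space, "%" and non-printable bytes escaped as %XX in both directions. The wildcard domain list, the user lists, the reply texts and the port are all constructed for the example; a real daemon would consult a database. Two caveats the thread only touches on: the protocol carries no authentication, so binding to 127.0.0.1 merely restricts clients to local processes, and any local user who can open the port can enumerate valid addresses; and a 500 reply only means "not found", the RCPT rejection itself is done by Postfix (an address in a virtual_alias_domains domain with no virtual_alias_maps result is rejected with unknown_virtual_alias_reject_code). Because Postfix queries virtual_alias_maps for user@domain, then the bare user, then @domain, the daemon must answer 500 to the two partial keys, which it does.

```python
"""Added example, not from the thread or from Postfix: a tcp_table(5)-style
lookup server that rewrites user@anyhost.example.com to user@example.com
when, and only when, user is valid for example.com.

All domain names, user lists and reply texts below are constructed for the
example (hypothetical); a production daemon would query a database.
"""
import re
import socketserver

# --- constructed sample data ------------------------------------------------
WILDCARD_DOMAINS = {"example.com"}   # anyhostpart.example.com acts as example.com
USERS = {                            # valid local parts, keyed by canonical domain
    "example.com": {"alice", "bob"},
    "example.net": {"carol"},        # not wildcarded: only carol@example.net exists
}

# A full address only; bare "user" and "@domain" keys (which Postfix also
# sends for virtual_alias_maps lookups) deliberately do not match.
ADDR_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>[^@\s]+)$")


def tcp_decode(s):
    """Undo the %XX escaping tcp_table(5) applies to keys and values."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def tcp_encode(s):
    """Escape space, '%' and non-printables as %XX, as the protocol requires."""
    return "".join(c if 0x21 <= ord(c) <= 0x7E and c != "%" else "%%%02X" % ord(c)
                   for c in s)


def canonical_domain(host):
    """Map the RCPT domain to the domain whose user list applies, or None.

    An exact match wins (example.com, example.net); otherwise an arbitrary
    hostpart is stripped, but only for domains that are wildcarded.
    """
    host = host.lower().rstrip(".")
    if host in USERS:
        return host
    for d in WILDCARD_DOMAINS:
        if host.endswith("." + d):
            return d
    return None                                  # not one of our domains


def lookup(address):
    """Return (status, text) for one address: 200 + canonical address if the
    user exists for that domain, 500 + reason otherwise."""
    m = ADDR_RE.match(address)
    if not m:
        return 500, "not an address"
    user, host = m.group("user").lower(), m.group("host")
    domain = canonical_domain(host)
    if domain is None:
        return 500, "not a local domain"
    if user not in USERS[domain]:
        return 500, "no such user"
    return 200, "%s@%s" % (user, domain)


def handle_request(line):
    """Process one protocol line ("get KEY") and return the reply line."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or parts[0] != "get":
        return "500 unsupported request"
    status, text = lookup(tcp_decode(parts[1]))
    return "%d %s" % (status, tcp_encode(text))


class TcpTableHandler(socketserver.StreamRequestHandler):
    """One request per line; Postfix keeps the connection open for reuse."""

    def handle(self):
        for raw in self.rfile:
            reply = handle_request(raw.decode("ascii", "replace"))
            self.wfile.write((reply + "\n").encode("ascii"))
            self.wfile.flush()


def serve(host="127.0.0.1", port=789):
    """The protocol has no authentication: bind to loopback only."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), TcpTableHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Wired in with virtual_alias_maps = tcp:127.0.0.1:789, and Postfix still has to accept the wildcard subdomains as its own before it asks the map at all, for example a pcre virtual_alias_domains table containing /^(.*\.)?example\.com$/ OK; without that, mail for anyhost.example.com is relayed or rejected before any lookup happens. The daemon above answers 500 for "not a local domain" rather than 400 on purpose: a 400 would make Postfix defer the recipient (temporary error), which is the right choice only for a backend failure such as a lost database connection, not for a domain the daemon simply does not serve.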