Anti-spam relay with local users too

> Hello all.
>
> It has been a while since my last touch with Postfix, so I need your help.
> I'm using this guide
> http://wanderingbarque.com/howtos/mailserver/mailserver.html to have
> Postfix + Dovecot + SASL + OpenLDAP + Jamm.
> The Dovecot part is ok, I can log in and send/recieve e-mail. Now I'm
> configuring Postfix to have some anti-spam features (anti-virus and so
> later).
> What I want to do with Postfix for now is:
> 1) When receiving e-mail
> 1.1) If it's not a local domain, and it's in transport_maps, relay to
> another server

> 2) When sending e-mail
> 2.1) If it's to a local domain, deliver it locally
> 2.2) If it's to a domain in transport_maps, send to another server
> 2.2) If it's not to local/transport_maps domain, send to the internet
>
> Please help with all this configuration, because I'm blind with all
> the changes that I made it in the main.cf <http://main.cf>.
> With my configuration now, when I send an e-mail to an user in the
> transport_map domain, the e-mail is rejected by "Recipient address
> rejected: User unknown in relay recipient table". Sending
> locally/Internet is ok.
>
> The SO is Debian Etch (updated), with all compiled packages from source.
>
> # postconf mail_version
> mail_version = 2.5.2
>
> # postconf -n
> alias_database =
> alias_maps = $alias_database
> bounce_queue_lifetime = 1d
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = /etc/postfix/html
> inet_interfaces = $myhostname, localhost
> local_recipient_maps = ldap:accounts, ldap:aliases
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> maximal_queue_lifetime = 1d

> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_sasl_auth_enable = no
> smtpd_recipient_restrictions = permit_mynetworks,    
> permit_sasl_authenticated,    reject_non_fqdn_sender,    reject_non_fqdn
> _recipient,    reject_unknown_sender_domain,    
> reject_unknown_recipient_domain,    reject_unauth_pipelining,    
> reject_multi
> _recipient_bounce,    reject_unauth_destination,    permit

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> transport_maps = hash:/etc/postfix/transport_maps
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = ldap:aliases
> virtual_gid_maps = static:200
> virtual_mailbox_base = /home/vmail/domains
> virtual_mailbox_domains = ldap:domains
> virtual_mailbox_maps = ldap:accounts
> virtual_minimum_uid = 200
> virtual_transport = virtual
> virtual_uid_maps = static:200
>
>
> Regards,
> Rodrigo.
>
>
> --
> M. Rodrigo Monteiro
> [hidden email] <mailto:[hidden email]>
> "Free as in Freedom, not free as in free beer"
> Linux User # 403730

> M. Rodrigo Monteiro wrote:
>>
>> Hello all.
>>
>> It has been a while since my last touch with Postfix, so I need your help.
>> I'm using this guide
>> http://wanderingbarque.com/howtos/mailserver/mailserver.html to have Postfix
>> + Dovecot + SASL + OpenLDAP + Jamm.
>> The Dovecot part is ok, I can log in and send/recieve e-mail. Now I'm
>> configuring Postfix to have some anti-spam features (anti-virus and so
>> later).
>> What I want to do with Postfix for now is:
>> 1) When receiving e-mail
>> 1.1) If it's not a local domain, and it's in transport_maps, relay to
>> another server
>
> This is not the purpose of transport_maps feature.  transport_maps is a
> redirect using what you say instead of a DNS lookup for the MX (though it
> still may incur a DNS lookup)
> Are these a controlled list of domains and users?  Look into relay_domains
> AND relay_recipient_maps.  Never relay blindly.
>>
>> 1.2) If it's a local domain, check for a list of valid local users, and
>> reject if a user don't exist.
>> 1.3) If it's not local/transport_maps domain, reject.
>
> This is default behavior.
>>
>> 2) When sending e-mail
>> 2.1) If it's to a local domain, deliver it locally
>> 2.2) If it's to a domain in transport_maps, send to another server
>> 2.2) If it's not to local/transport_maps domain, send to the internet
>>
>> Please help with all this configuration, because I'm blind with all the
>> changes that I made it in the main.cf <http://main.cf>.
>> With my configuration now, when I send an e-mail to an user in the
>> transport_map domain, the e-mail is rejected by "Recipient address rejected:
>> User unknown in relay recipient table". Sending locally/Internet is ok.
>>
>> The SO is Debian Etch (updated), with all compiled packages from source.
>>
>> # postconf mail_version
>> mail_version = 2.5.2
>>
>> # postconf -n
>> alias_database =
>> alias_maps = $alias_database
>> bounce_queue_lifetime = 1d
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 2
>> home_mailbox = Maildir/
>> html_directory = /etc/postfix/html
>> inet_interfaces = $myhostname, localhost
>> local_recipient_maps = ldap:accounts, ldap:aliases
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/local/man
>> maximal_queue_lifetime = 1d
>
> This is very short, DNS temp failures may take 48 hours to correct..
>>
>> message_size_limit = 10485760
>> mydestination =
>> mydomain = XXXXXX.ce.gov.br <http://XXXXXX.ce.gov.br>
>> myhostname = testemail.XXXXXX.ce.gov.br
>> <http://testemail.XXXXXX.ce.gov.br>
>> mynetworks = XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32
>> mynetworks_style = host
>> myorigin = [hidden email]
>> <mailto:[hidden email]>
>
> myorigin should be a machine not an address.  Use the default, $myhostname,
> if unsure.
>>
>> newaliases_path = /usr/bin/newaliases
>> queue_directory = /var/spool/postfix
>> readme_directory = /etc/postfix/readme
>> relay_domains = $transport_maps
>
> Um.. don't do this.
> It is much better to have a separate map file because transport_maps MAY
> list domains in any direction and may be for internal use in your future.
>>
>> relay_recipient_maps = hash:/etc/postfix/relay_recipients
>> sample_directory = /etc/postfix
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = postdrop
>> smtp_sasl_auth_enable = no
>> smtpd_recipient_restrictions = permit_mynetworks,
>>  permit_sasl_authenticated,    reject_non_fqdn_sender,    reject_non_fqdn
>> _recipient,    reject_unknown_sender_domain,
>>  reject_unknown_recipient_domain,    reject_unauth_pipelining,
>>  reject_multi
>> _recipient_bounce,    reject_unauth_destination,    permit
>
> Highly suggested to move reject_unauth_destination to just after
> permit_sasl_authenticated.
> This keeps you safe from open relay if you add rules in the future before
> it.
> Also, it's a very inexpensive check compared to some others you have listed.
> Consider using check_rbl_client zen.spamhaus.org in there near the end too
> or a policy service such as policyd-weight or postfwd to score hosts.
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_local_domain =
>> smtpd_sasl_security_options = noanonymous
>> transport_maps = hash:/etc/postfix/transport_maps
>> unknown_local_recipient_reject_code = 550
>> virtual_alias_maps = ldap:aliases
>> virtual_gid_maps = static:200
>> virtual_mailbox_base = /home/vmail/domains
>> virtual_mailbox_domains = ldap:domains
>> virtual_mailbox_maps = ldap:accounts
>> virtual_minimum_uid = 200
>> virtual_transport = virtual
>> virtual_uid_maps = static:200
>>
>>
>> Regards,
>> Rodrigo.
>>
>>
>> --
>> M. Rodrigo Monteiro
>> [hidden email] <mailto:[hidden email]>
>> "Free as in Freedom, not free as in free beer"
>> Linux User # 403730
>
>

>
> Ok.
> Now, when I don't have the relayhost = gateway, I can send e-mail to
> the internet.
> But when I set it, I get the "Relay access denied" message.
>
> relayhost = XXX.XXX.XXX.XXX
> relay_recipient_maps = hash:/etc/postfix/relay_recipients_maps
> relay_domains = hash:/etc/postfix/relay_domains
> transport_maps = hash:/etc/postfix/transport_maps
>
>
> relayhost = internal_server
>  

>
> relayhost = XXX.XXX.XXX.XXX
> relay_recipient_maps = hash:/etc/postfix/relay_recipients_maps
> relay_domains = hash:/etc/postfix/relay_domains
> transport_maps = hash:/etc/postfix/transport_maps
>
>
> relayhost = internal_server
>
> # cat relay_recipients_maps
> @internal.domain.not.local OK

> [hidden email] OK
>
> # cat relay_domains
> internal.domain.not.local OK
>
> # cat transport_maps
> internal.domain.not.local smtp:internal_server
>
> What's wrong?
>
>
> Thanks,
> Rodrigo
>

>
> relayhost is where to route ALL non-local mail that is *not* contained in
> transport_maps or other defined transports.
>
> You should not set it unless you need to relay through your ISP or other
> mail provider for non-local/internet mail.
> If you *do* need it, read, and post if you don't understand, the entire
> error message unmodified from the logs (obscure IPs and domains if you
> like).
>
> Brian
>

> Hi.
>
> 2008/7/22 Brian Evans - Postfix List <[hidden email]>:
>  
>> relayhost is where to route ALL non-local mail that is *not* contained in
>> transport_maps or other defined transports.
>>
>> You should not set it unless you need to relay through your ISP or other
>> mail provider for non-local/internet mail.
>> If you *do* need it, read, and post if you don't understand, the entire
>> error message unmodified from the logs (obscure IPs and domains if you
>> like).
>>
>> Brian
>>
>>    
>
>
> Let me explain better what I want.
>
> I wanna know how to configure this 2 situations:
>
> 1) Postfix with local domains (domain-local.com) and subdomains,
> receiving e-mail and checking a list for local users (rejecting if the
> users is unknown), and relaying (smarthost) to an qmail
> (domain-qmail.com)
> 2) Same as 1, but qmail won't be the smarthost, only relay the domains
> that is for domain-qmail.com
>
>
> Config 1:
> relayhost = [domain-qmail-IP]
> relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps
>
> # cat relay_recipients_map
> [hidden email] OK
> [hidden email] OK
>
> What more should I need?
> With this, I get the "Relay access denied" whenever I send an e-mail
> to domain-qmail or to the internet.
>
>  

> Hi.
>
> 2008/7/22 mouss <[hidden email]>:
>> The relayhost is supposed to accept relayin _all_ mail from you.
>>
>> if it's not the case, do not use the host as a relay host. instead use
>> transport_maps so that only selected domains are passed to the relay.
>>
>
> Yes, it's the case.
> I have 4 domains (with more 5 subdomains) locally and I relay e-mail
> to another server (internal) with about 100 domains (and subdomains).
> This another server is my relayhost too.
>

>> this breaks recipient validation: all addresses *@internal.domain.not.local
>> will be accepted by postfix. make sure they are accepted by the final server
>> (otherwise, you'll generate bounces and become a backscatter source. google
>> for backscatter if you don't understand what this means).
>>
>
> Yes, they will be accpted in the other server.
> But what if an e-mail arrivers to an unknown user in the other server,
> the first server relay to the other, and bounces back to Postfix. What
> will it do? Send again to the other server, or bounce to the original
> client (from)?

>
> BTW, this is my logs:
>
> To gmail.com (Rejected)
> Jul 22 14:54:42 XXXXX postfix/smtpd[15371]: connect from unknown[XXX.XXX.XXX.55]
> Jul 22 14:54:42 XXXXX postfix/smtpd[15371]: NOQUEUE: reject: RCPT from
> unknown[XXX.XXX.XXX.55]: 554 5.7.1 <[hidden email]>: Relay access
> denied; from=<[hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<[XXX.XXX.XXX.55]>
> Jul 22 14:54:44 XXXXX postfix/smtpd[15371]: disconnect from
> unknown[XXX.XXX.XXX.55]

> Hello all.
>
> It has been a while since my last touch with Postfix, so I need your help.
> I'm using this guide
> http://wanderingbarque.com/howtos/mailserver/mailserver.html to have
> Postfix + Dovecot + SASL + OpenLDAP + Jamm.
> The Dovecot part is ok, I can log in and send/recieve e-mail. Now I'm
> configuring Postfix to have some anti-spam features (anti-virus and so
> later).
> What I want to do with Postfix for now is:
> 1) When receiving e-mail
> 1.1) If it's not a local domain, and it's in transport_maps, relay to
> another server
> 1.2) If it's a local domain, check for a list of valid local users, and
> reject if a user don't exist.
> 1.3) If it's not local/transport_maps domain, reject.
> 2) When sending e-mail
> 2.1) If it's to a local domain, deliver it locally
> 2.2) If it's to a domain in transport_maps, send to another server
> 2.2) If it's not to local/transport_maps domain, send to the internet

> Please help with all this configuration, because I'm blind with all the
> changes that I made it in the main.cf <http://main.cf>.
> With my configuration now, when I send an e-mail to an user in the
> transport_map domain, the e-mail is rejected by "Recipient address
> rejected: User unknown in relay recipient table". Sending
> locally/Internet is ok.
>
> The SO is Debian Etch (updated), with all compiled packages from source.
>
> # postconf mail_version
> mail_version = 2.5.2
>
> # postconf -n
> alias_database =
> alias_maps = $alias_database
> bounce_queue_lifetime = 1d
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = /etc/postfix/html
> inet_interfaces = $myhostname, localhost
> local_recipient_maps = ldap:accounts, ldap:aliases

> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_sasl_auth_enable = no
> smtpd_recipient_restrictions = permit_mynetworks,    
> permit_sasl_authenticated,    reject_non_fqdn_sender,    reject_non_fqdn
> _recipient,    reject_unknown_sender_domain,    
> reject_unknown_recipient_domain,    reject_unauth_pipelining,    
> reject_multi
> _recipient_bounce,    reject_unauth_destination,    permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> transport_maps = hash:/etc/postfix/transport_maps
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = ldap:aliases
> virtual_gid_maps = static:200
> virtual_mailbox_base = /home/vmail/domains
> virtual_mailbox_domains = ldap:domains
> virtual_mailbox_maps = ldap:accounts
> virtual_minimum_uid = 200
> virtual_transport = virtual
> virtual_uid_maps = static:200