Default transport for "*" not working


Default transport for "*" not working

David Koski-2
In effort to relay by default, except for specific domains, I have
configured a mysql transport table as follows:

+--------------------+-------------------------------+
| tkey               | transport                     |
+--------------------+-------------------------------+
| *                  | relay:[barracuda.mydomai.com] |
| .hotmail.com       | smtp:hotmail.com              |
| @hotmail.com       | smtp:hotmail.com              |
| hotmail.com        | smtp:hotmail.com              |
+--------------------+-------------------------------+

This is my attempt to send hotmail.com mail directly but everything else
through barracuda.  However, nothing is relayed. I have enabled logging
and can see from the queries that the "*" is never consulted and neither
is the domain hotmail.com.  If I add [hidden email], the table is
consulted and the transport is activated.  Never do I see a query for
the domain name only.

alias_database = hash:/etc/aliases
alias_maps =
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
canonical_maps = proxy:mysql:/etc/postfix/mysql_canonical_maps.cf
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mailbox_size_limit = 0
message_size_limit = 50000000
mydestination =
myhostname = vmail.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 65.105.240.234
    173.8.212.217 68.66.148.24 104.42.180.73
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_maps.cf
sender_dependent_relayhost_maps = hash:/etc/postfix/relaymap
smtp_tls_cert_file = /etc/ssl/certs/vmail_mydomain_com.crt
smtp_tls_key_file = /etc/ssl/private/vmail_mydomain_com.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated reject_unauth_destination
    reject_unknown_recipient_domain reject_unverified_recipient
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_unknown_recipient_domain
    reject_unverified_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = 104.42.180.73/32
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_non_fqdn_sender reject_unknown_sender_domain reject_rbl_client
    b.barracudacentral.org reject_rbl_client zen.spamhaus.org
    reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net
smtpd_tls_cert_file = /etc/ssl/certs/vmail_mydomain_com.crt
smtpd_tls_key_file = /etc/ssl/private/vmail_mydomain_com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql_transport_maps.cf
virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql_virtual_user_singleton_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

Regards,
David Koski
[hidden email]



Re: Default transport for "*" not working

Viktor Dukhovni
On Tue, Nov 17, 2020 at 12:43:23PM -0800, David Koski wrote:

> In effort to relay by default, except for specific domains, I have
> configured a mysql transport table as follows:
>
> +--------------------+-------------------------------+
> | tkey               | transport                     |
> +--------------------+-------------------------------+
> | *                  | relay:[barracuda.mydomai.com] |
> | .hotmail.com       | smtp:hotmail.com              |
> | @hotmail.com       | smtp:hotmail.com              |
> | hotmail.com        | smtp:hotmail.com              |
> +--------------------+-------------------------------+

Since the issue is with transport lookups...  While posting
"postconf -n" output is appreciated, only its transport_maps
setting is relevant in this case:

> transport_maps = proxy:mysql:/etc/postfix/mysql_transport_maps.cf

But you've not posted (after eliding any password settings and if you
like also the server hostname) the content of the table definition,
i.e. /etc/postfix/mysql_transport_maps.cf.

Here you probably have a "domain" or similar setting that limits the
keys actually used for lookups.

You can check with:

    postmap -q "*" mysql:/etc/postfix/mysql_transport_maps.cf

to see which keys are returning answers.  With "-v" you'll
see which queries are being sent (or not).

--
    Viktor.

Re: Default transport for "*" not working

David Koski-2


On 11/17/20 12:57 PM, Viktor Dukhovni wrote:

> On Tue, Nov 17, 2020 at 12:43:23PM -0800, David Koski wrote:
>
>> In effort to relay by default, except for specific domains, I have
>> configured a mysql transport table as follows:
>>
>> +--------------------+-------------------------------+
>> | tkey               | transport                     |
>> +--------------------+-------------------------------+
>> | *                  | relay:[barracuda.mydomai.com] |
>> | .hotmail.com       | smtp:hotmail.com              |
>> | @hotmail.com       | smtp:hotmail.com              |
>> | hotmail.com        | smtp:hotmail.com              |
>> +--------------------+-------------------------------+
> Since the issue is with transport lookups...  While posting
> "postconf -n" output is appreciated, only its transport_maps
> setting is relevant in this case:
>
>> transport_maps = proxy:mysql:/etc/postfix/mysql_transport_maps.cf
> But you've not posted (after eliding any password settings and if you
> like also the server hostname) the content of the table definition,
> i.e. /etc/postfix/mysql_transport_maps.cf.
>
> Here you probably have a "domain" or similar setting that limits the
> keys actually used for lookups.
>
> You can check with:
>
>      postmap -q "*" mysql:/etc/postfix/mysql_transport_maps.cf

# postmap -q "*" mysql:/etc/postfix/mysql_transport_maps.cf
(does not return a text value)

Additional information:

+--------------------+-------------------------------+
| tkey               | transport                     |
+--------------------+-------------------------------+
| *                  | relay:[barracuda.mydomai.com] |
| .hotmail.com       | error:                        |
| @hotmail.com       | error:                        |
| hotmail.com        | error:                        |
| [hidden email]  | error:                        |
+--------------------+-------------------------------+


# postmap -q [hidden email] mysql:/etc/postfix/mysql_transport_maps.cf
error:

# postmap -q hotmail.com mysql:/etc/postfix/mysql_transport_maps.cf
(does not return a text value)

Contents of mysql_transport_maps.cf:

    user = vmail
    password = secret
    hosts = 127.0.0.1
    dbname = vmail

    query =
        SELECT transport FROM (
            SELECT
                /* Transport table is highest rank */
                1 as rank,
                REPLACE( transport, 'smtp:[68.66.148.91]', 'dovecot:') AS transport
            FROM
                view_transport
            WHERE
                tkey='%s'
        UNION ALL
            SELECT
                /* If not in transport table, check pseudo transport table */
                2 as rank,
                REPLACE( transport, 'smtp:[68.66.148.91]', 'dovecot:') AS transport
            FROM
                view_user_transport
            WHERE
                tkey='%s' AND relay_domain<'2'
        UNION ALL
            SELECT
                /* If nothing else, check if relay domain */
                3 as rank,
                'relay:' AS transport
            FROM
                virtual_domains
            WHERE
                name='%d' AND relay<>'0'
            ) t ORDER BY rank
        LIMIT 1

This I got from the mysql log when sending to
[hidden email], then formatted it for multi line to read
the substitutions:

    SELECT transport FROM (
        SELECT
            /* Transport table is highest rank */
            1 as rank,
            REPLACE( transport, 'smtp:[68.66.148.91]', 'dovecot:') AS transport
        FROM
            view_transport
        WHERE
            tkey='[hidden email]'
    UNION ALL
        SELECT
            /* If not in transport table, check pseudo transport table */
            2 as rank,
            REPLACE( transport, 'smtp:[68.66.148.91]', 'dovecot:') AS transport
        FROM
            view_user_transport
        WHERE
            tkey='[hidden email]' AND relay_domain<'2'
    UNION ALL
        SELECT
            /* If nothing else, check if relay domain */
            3 as rank,
            'relay:' AS transport
        FROM
            virtual_domains
        WHERE
            name='hotmail.com' AND relay<>'0'
        ) t ORDER BY rank
    LIMIT 1

It appears the transport maps only work for specific email addresses,
not for domains or the wild card "*".  The query is executed only with
the entire email address.  Note the substitution is working.  The
complexity is due to support for split domains with a central database. 
The same config works on multiple hosts with only the IP address changed
for the individual hosts so that local delivery to dovecot works.

Regards,
David Koski
[hidden email]

>
> to see which keys are returning answers.  With "-v" you'll
> see which queries are being sent (or not).
>


Re: Default transport for "*" not working

Viktor Dukhovni
On Tue, Nov 17, 2020 at 02:33:38PM -0800, David Koski wrote:

> query =
>     SELECT transport FROM (
>         SELECT
>             /* Transport table is highest rank */
>             1 as rank,
>             REPLACE( transport, 'smtp:[68.66.148.91]', 'dovecot:') AS transport
>         FROM
>             view_transport
>         WHERE
>             tkey='%s'
>     UNION ALL
>         SELECT
>             /* If not in transport table, check pseudo transport table */
>             2 as rank,
>             REPLACE( transport, 'smtp:[68.66.148.91]', 'dovecot:') AS transport
>         FROM
>             view_user_transport
>         WHERE
>             tkey='%s' AND relay_domain<'2'
>     UNION ALL
>         SELECT
>             /* If nothing else, check if relay domain */
>             3 as rank,
>             'relay:' AS transport
>         FROM
>             virtual_domains
>         WHERE
>             name='%d' AND relay<>'0'
              ---------
>         ) t ORDER BY rank
>     LIMIT 1

As documented:

    http://www.postfix.org/mysql_table.5.html

      %d     When the input key is an address of the form user@domain,
             %d is replaced by the  SQL  quoted  domain  part  of  the
             address.   Otherwise, the query is suppressed and returns
             no results.

when your query template uses '%d' the input key is required to be of
the form: '[hidden email]', or else the query is skipped.  Since
Postfix will issue queries for the bare domain, I don't see why you need
a '%d' there.  Also, why 'UNION ALL' rather than 'UNION'?  If there were
duplicate outputs, it would be best to return just one result.

--
    Viktor.
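
The suppression rule quoted above, as an added example that is not part of the original thread: a simplified Python model of the mysql_table(5) `%s`/`%d` expansion, run against an in-memory SQLite stand-in for the MySQL tables. The table rows, the `user@example.org` address, the shortened two-branch query and the `%s`-for-`%d` fix are assumptions made for illustration.

```python
import re
import sqlite3

# The thread's query reduced to two of its three branches (assumption: the
# view_user_transport branch is omitted; it uses '%s' like the first one).
ORIGINAL = """
SELECT transport FROM (
    SELECT 1 AS rank, transport FROM view_transport WHERE tkey='%s'
  UNION ALL
    SELECT 3 AS rank, 'relay:' AS transport FROM virtual_domains
    WHERE name='%d' AND relay<>'0'
) t ORDER BY rank LIMIT 1"""
# Assumed fix: let the bare-domain key match, using %s instead of %d.
FIXED = ORIGINAL.replace("name='%d'", "name='%s'")

def expand(template, key):
    """Simplified model of %s/%d expansion; None means query suppressed.
    Empty local parts or domains are not modelled."""
    quoted = key.replace("'", "''")      # stand-in for Postfix SQL quoting
    _, at, domain = quoted.rpartition("@")
    if "%d" in template and not at:
        return None                      # key is not of the form user@domain
    return re.sub(r"%[sd]",
                  lambda m: quoted if m.group() == "%s" else domain, template)

def make_db():
    """Constructed sample rows; table names follow the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE view_transport (tkey TEXT, transport TEXT);
        CREATE TABLE virtual_domains (name TEXT, relay TEXT);
        INSERT INTO view_transport VALUES
            ('*', 'relay:[barracuda.mydomai.com]'),
            ('hotmail.com', 'smtp:hotmail.com');
        INSERT INTO virtual_domains VALUES ('example.org', '1');
    """)
    return db

def lookup(db, template, key):
    """Return the transport for one lookup key, or None."""
    sql = expand(template, key)
    if sql is None:
        return None                      # nothing is sent to the database
    row = db.execute(sql).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for key in ("user@example.org", "example.org", "hotmail.com", "*"):
        print(f"{key:18} original={lookup(db, ORIGINAL, key)!r:10} "
              f"fixed={lookup(db, FIXED, key)!r}")
```

With the original template only full-address keys ever reach the database, which matches the MySQL log in the thread; with `%s` in the last branch the bare domain and `*` keys are queried as well.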