Expanding aliases before forwarding mail to milter

Expanding aliases before forwarding mail to milter

Niklaas Baudet von Gersdorff-2
I use aliases extensively, for administrative accounts (such as
abuse@, postmaster@, or webmaster@) or for expanding
givenname.surname@ to givenname@. I do so with ldap and, most
importantly, regexp databases because the latter enables me to
limit entering similar information multiple times.

For mailbox delivery, I use Dovecot. And Dovecot deals with
everything mailbox related such as quotas. For quotas it offers
a service that can be used as a milter by Postfix [1]. This works
great as long as mails are sent to real mailboxes and not to
aliases because Dovecot only knows about the real mailboxes and
not the aliases. In case a mail is sent to an alias, Dovecot
considers the mail being sent to a non-existent user, thus the
quota milter answers with a reject command.

One solution is to let Dovecot know about these aliases [2]. This
is quite easy for the ldap database, but it's not possible to
achieve for the regexp database because Dovecot doesn't support
this database type. Indeed, what I could do is transform the
regexp database to ldap, but that would make administration more
difficult.

I know, it seems the issue arises because of a limitation on
Dovecot's side, but I have been wondering whether I can do
something on Postfix's side to solve it, namely:

  Is it possible to expand aliases before contacting a milter?

If it was possible, I could solve the issue by only transmitting
"real" accounts to Dovecot. I haven't found any configuration
setting related to this. What I thought of was to write my own
milter that expands regexp tables and afterwards contacts
Dovecot's quota service, but this seems quite a tedious task.

I appreciate any ideas or hints.

    Niklaas


1: http://wiki2.dovecot.org/Quota

2: http://marc.info/?l=dovecot&m=137536800105973&w=2

Re: Expanding aliases before forwarding mail to milter

Thomas Leuxner
* Niklaas Baudet von Gersdorff <[hidden email]> 2016.11.24 12:28:

> I appreciate any ideas or hints.

You should be able to work around this with a restriction class. Although the example is not LDAP specific it should provide general direction:

# We will query for quotas on real mailboxes only via smtpd_recipient_restrictions
smtpd_restriction_classes =
 quota_users
quota_users =
 check_policy_service { unix:private/quota-status, timeout=10s, default_action=DUNNO }

smtpd_recipient_restrictions =
 [...]
 check_recipient_access lmdb:$config_directory/quota_users

The real accounts are listed here:

$ cat /etc/postfix/quota_users
[hidden email]         quota_users

Re: Expanding aliases before forwarding mail to milter

Niklaas Baudet von Gersdorff-2
Thomas Leuxner [2016-11-24 15:56 +0100] :

> * Niklaas Baudet von Gersdorff <[hidden email]> 2016.11.24 12:28:
>
> > I appreciate any ideas or hints.
>
> You should be able to work around this with a restriction class.
> Although the example is not LDAP specific it should provide
> general direction:

Thomas, thank you for your reply and the example.

So, do I understand correctly that Postfix is forced to expand
aliases to real mailboxes when using
smtpd_recipient_restrictions? Or is this "only" a workaround to
prevent evaluation against dovecot's quota service with aliases?

Anyway, even if it's "only" a workaround, it's a great start to
evaluate against the service for some cases at least.

> # We will query for quotas on real mailboxes only via smtpd_recipient_restrictions
> smtpd_restriction_classes =
>  quota_users
> quota_users =
>  check_policy_service { unix:private/quota-status, timeout=10s, default_action=DUNNO }
>
> smtpd_recipient_restrictions =
>  [...]
>  check_recipient_access lmdb:$config_directory/quota_users
>
> The real accounts are listed here:
>
> $ cat /etc/postfix/quota_users
> [hidden email]         quota_users

BTW, of course, you're right, it's a policy service and not
a milter.

    Niklaas
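
An added illustration, not part of any post in this thread: a small Python model of the restriction-class approach from the first reply, showing that smtpd matches the RCPT TO address as given against the access table (no alias expansion happens at this stage), so only listed mailboxes produce a policy request to quota-status. The addresses, table contents and function names are constructed for the example, and only a subset of the policy delegation attributes is shown.

```python
# Added example: models the check_recipient_access -> restriction class ->
# check_policy_service chain from the configuration quoted in the thread.
# All addresses and table contents are constructed sample data.

ACCESS_TABLE = """\
# constructed stand-in for /etc/postfix/quota_users (real mailboxes only)
alice@example.org      quota_users
bob@example.org        quota_users
"""

# Class name -> restriction it expands to (from the thread's main.cf snippet).
RESTRICTION_CLASSES = {
    "quota_users": "check_policy_service unix:private/quota-status",
}

def parse_access_table(text):
    """Parse 'key value' lines of an access table, skipping comments."""
    table = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        table[fields[0].lower()] = fields[1].strip()
    return table

def policy_request(recipient, size):
    """Build a policy delegation request (subset of attributes) for one RCPT TO."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("recipient", recipient),
        ("size", str(size)),
    ]
    # One name=value pair per line, terminated by an empty line.
    return "".join(f"{name}={value}\n" for name, value in attrs) + "\n"

def evaluate_rcpt(recipient, size, table):
    """Return (queried, request) for one recipient.

    Simplification: only the full-address lookup is modelled. The address is
    looked up as received; an alias is not rewritten to its target mailbox
    before this check, so an unlisted alias never reaches quota-status.
    """
    action = table.get(recipient.lower())
    if action in RESTRICTION_CLASSES:
        return True, policy_request(recipient, size)
    return False, None  # no match: this rule yields DUNNO, evaluation continues
```

Alias addresses such as postmaster@ are simply absent from the table, so they fall through to the remaining restrictions without a quota check.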