RE: Virtual Alias Domains

RE: Virtual Alias Domains

Nicolas Breuer

Hello,

I’m running Postfix 3.

I try to add a mailbox without aliasing the domain.

The delivery is accepted; should it not be rejected because the domain is not in the local domain file?

virtual_alias_domains   =       /etc/postfix/local-host-names
virtual_alias_maps      =       hash:/etc/postfix/virtual

See debug here.

    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: generic_checks: name=permit_mynetworks status=1
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: >>> END Recipient address RESTRICTIONS <<<
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: >>> CHECKING Recipient address VALIDATION MAPS <<<
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: ctable_locate: leave existing entry key [hidden email]
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: maps_find: recipient_canonical_maps: [hidden email]: not found
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: match_string: mydestination: speed.be ~? localhost
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: match_string: mydestination: speed.be ~? mail.belcenter.com
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: match_list_match: speed.be: no match
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: maps_find: recipient_canonical_maps: @speed.be: not found
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: mail_addr_find: [hidden email] -> (not found)
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: maps_find: canonical_maps: [hidden email]: not found
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: match_string: mydestination: speed.be ~? localhost
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: match_string: mydestination: speed.be ~? mail.belcenter.com
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: match_list_match: speed.be: no match
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: maps_find: canonical_maps: @speed.be: not found
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: mail_addr_find: [hidden email] -> (not found)
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: maps_find: virtual_alias_maps: hash:/etc/postfix/virtual(0,lock|fold_fix|utf8_request): [hidden email] = root
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: mail_addr_find: [hidden email] -> root
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: before input_transp_cleanup: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mapping enable_milters
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: after input_transp_cleanup: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mapping
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: name_mask: sendmail
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: name_mask: verify


Re: Virtual Alias Domains

Wietse Venema
Nicolas Breuer:
>
> Hello,
>
> I'm running Postfix 3.
> I try to add a mailbox without aliasing the domain.
> The delivery is accepted, should not be because the domain is not in local domain file ?
>

As documented, virtual aliases can be used to alias *ANY* email
address, remote or local.

The 'user unknown' check is enforced only for a domain that is
listed in virtual_alias_domains.

        Wietse

RE: Virtual Alias Domains

Nicolas Breuer
See doc

    Virtual  alias  domains are not to be confused with the virtual mailbox
       domains that are implemented with the Postfix virtual(8) mail  delivery
       agent.  With  virtual  mailbox domains, each recipient address can have
       its own mailbox.

       With a virtual alias domain, the virtual domain has its own  user  name
       space.  Local (i.e. non-virtual) usernames are not visible in a virtual
       alias domain. In particular, local aliases(5) and local  mailing  lists
       are not visible as [hidden email].

       Support for a virtual alias domain looks like:

       /etc/postfix/main.cf:
           virtual_alias_maps = hash:/etc/postfix/virtual

       Note:  some  systems use dbm databases instead of hash.  See the output
       from "postconf -m" for available database types.

       /etc/postfix/virtual:
           virtual-alias.domain    anything (right-hand content does not matter)
           [hidden email] postmaster
           [hidden email]      address1
           [hidden email]      address2, address3

       The virtual-alias.domain anything entry is required for a virtual alias
       domain.  Without  this  entry,  mail  is  rejected  with  "relay access
       denied", or bounces with "mail loops back to myself".

       Do not specify virtual alias domain names in the main.cf  mydestination
       or relay_domains configuration parameters.


   => Not happening here. Domain is not listed in virtual alias domain and accepted by postfix.

virtual_alias_domains (default: $virtual_alias_maps)

    Postfix is final destination for the specified list of virtual alias domains, that is, domains for which all addresses are aliased to addresses in other local or remote domains. The SMTP server validates recipient addresses with $virtual_alias_maps and rejects non-existent recipients. See also the virtual alias domain class in the ADDRESS_CLASS_README file

    This feature is available in Postfix 2.0 and later. The default value is backwards compatible with Postfix version 1.1.

    The default value is $virtual_alias_maps so that you can keep all information about virtual alias domains in one place. If you have many users, it is better to separate information that changes more frequently (virtual address -> local or remote address mapping) from information that changes less frequently (the list of virtual domain names).

    Specify a list of host or domain names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a host or domain name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

-----Original Message-----
From: [hidden email] <[hidden email]> On behalf of Wietse Venema
Sent: Saturday, 28 September 2019 15:47
To: Postfix users <[hidden email]>
Subject: Re: Virtual Alias Domains


Re: Virtual Alias Domains

Wietse Venema
Did you miss this?

        Wietse

VIRTUAL(5)                                                          VIRTUAL(5)

NAME
       virtual - Postfix virtual alias table format

SYNOPSIS
       postmap /etc/postfix/virtual

       postmap -q "string" /etc/postfix/virtual

       postmap -q - /etc/postfix/virtual <inputfile

DESCRIPTION
       The  optional  virtual(5)  alias table rewrites recipient addresses for
       ALL LOCAL, ALL VIRTUAL, AND ALL  REMOTE  MAIL  DESTINATIONS.   This  is
       unlike  the  aliases(5) table which is used only for local(8) delivery.

RE: Virtual Alias Domains

Nicolas Breuer
No.
I'm not sure you understand the issue.
Normally, both the email must be in the virtual file and the domain in the virtual_domain file.

If the domain is not present in the domain file, it should be rejected with (MX loops back to me).
If the email is not in virtual, it should be rejected with (user unknown).

I tried to put the email in virtual but I didn't put the domain in the virtual_domain file.
It should be rejected, but that's not the case.

Do I understand the expected behavior correctly?


-----Original Message-----
From: [hidden email] <[hidden email]> On behalf of Wietse Venema
Sent: Saturday, 28 September 2019 17:10
To: Postfix users <[hidden email]>
Subject: Re: Virtual Alias Domains


Re: Virtual Alias Domains

Viktor Dukhovni
On Sat, Sep 28, 2019 at 03:55:04PM +0000, Nicolas Breuer wrote:

> I'm not sure you understand the issue.

Sadly, you've got the wrong end of the stick.  Your logs start with:

    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: generic_checks: name=permit_mynetworks status=1
    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: >>> END Recipient address RESTRICTIONS <<<

The client is trusted, and so allowed to send to *any* (potentially
remote) address.  The logs then continue with:

    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: >>> CHECKING Recipient address VALIDATION MAPS <<<

but since the recipient is NOT listed in any relay or final domain,
recipient validation does not apply.

> If the domain is not present in domain file, should be rejected with (MX loops back to me)

No.

> If the email is not in virtual, should be rejected with (user unknown)

No, that only happens when the recipient domain is in
virtual_alias_domains, which was not the case, and the address is
not found in virtual_alias_maps (also not the case).

    Sep 28 11:12:35 ns2 postfix/smtpd[16268]: maps_find: virtual_alias_maps: ... = root

To reproduce recipient rejection try either:

    - Send from a client *not* listed in mynetworks, and
      the recipient domain not in virtual_alias_domains,
      relay_domains, ...

OR

    - Add the recipient domain to virtual_alias_domains,
      and make sure the recipient address is not listed
      in virtual_alias_maps, canonical_maps, ...

--
        Viktor.
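
The decision order described in the reply above, as an added example (a simplified model written for this page, not Postfix code and not from the thread's authors). It assumes a constructed address user@example.org and constructed mynetworks ranges; canonical_maps and local recipient validation for mydestination are not modelled.

```python
import ipaddress

# Constructed sample configuration; mydestination values are those in the posted log.
CFG = {
    "mynetworks": ["127.0.0.0/8", "192.0.2.0/24"],
    "mydestination": {"localhost", "mail.belcenter.com"},
    "relay_domains": set(),
    "virtual_alias_domains": set(),          # recipient domain NOT listed
    "virtual_alias_maps": {"user@example.org": "root"},
}

def in_mynetworks(client_ip, networks):
    """True when the SMTP client is trusted (permit_mynetworks)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in networks)

def virtual_lookup(rcpt, table):
    """Look up the full address, then the @domain catch-all key."""
    domain = rcpt.rpartition("@")[2]
    for key in (rcpt, "@" + domain):
        if key in table:
            return table[key]
    return None

def rcpt_decision(client_ip, rcpt, cfg):
    rcpt = rcpt.lower()
    domain = rcpt.rpartition("@")[2]
    ours = (domain in cfg["virtual_alias_domains"]
            or domain in cfg["mydestination"]
            or domain in cfg["relay_domains"])
    # 1. Relay control: a trusted client may send to any destination.
    if not in_mynetworks(client_ip, cfg["mynetworks"]) and not ours:
        return "reject: relay access denied"
    # 2. 'User unknown' applies only to domains in virtual_alias_domains.
    target = virtual_lookup(rcpt, cfg["virtual_alias_maps"])
    if domain in cfg["virtual_alias_domains"] and target is None:
        return "reject: user unknown in virtual alias table"
    # 3. Virtual aliasing rewrites any address, local or remote.
    return "accept: rewritten to " + target if target else "accept"

if __name__ == "__main__":
    listed = dict(CFG, virtual_alias_domains={"example.org"})
    for cfg, ip, rcpt in [(CFG, "192.0.2.10", "user@example.org"),
                          (CFG, "198.51.100.7", "user@example.org"),
                          (listed, "198.51.100.7", "nobody@example.org")]:
        print(ip, rcpt, "->", rcpt_decision(ip, rcpt, cfg))
```

The first case is the one in the posted log: trusted client, domain in no address class, address present in the virtual table, so the mail is accepted and rewritten.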

RE: Virtual Alias Domains

Nicolas Breuer
Hello Viktor,

First, thanks for all your explanations.
Indeed, if I remove the IP address from "mynetworks", I got a "relay access denied".

The behavior is strange because:
- the MX of the domain is not this server itself.
- the domain is * not * in virtual_alias_domain
- the email is * still * in virtual file.

If I understand you correctly, if the IP address is in my network, Postfix does not
check the MX of the domain if an email related to this domain is in the virtual file.


-----Original Message-----
From: [hidden email] <[hidden email]> On behalf of Viktor Dukhovni
Sent: Saturday, 28 September 2019 18:18
To: [hidden email]
Subject: Re: Virtual Alias Domains


Re: Virtual Alias Domains

Viktor Dukhovni
On Mon, Sep 30, 2019 at 01:00:18PM +0000, Nicolas Breuer wrote:

> Indeed if i remove the IP address from "mynetworks", I got a "relay access denied"

Good, this is the expected behaviour.

> The behavior is strange because :
> - the MX of the domain is not this server itself.

That's not relevant.  An MTA can be (and many often are) configured
to accept mail for a domain, without being a designated MX host for
the domain.  MX records are for the benefit of sending systems,
receiving systems decide what to accept based on local information.

[ Postfix can be configured to accept email for additional domains
  based on the MX RRs of those domains, but this is not a good idea
  in most cases:

    http://www.postfix.org/postconf.5.html#permit_mx_backup
    http://www.postfix.org/postconf.5.html#permit_mx_backup_networks ]

> - the domain is * not * in virtual_alias_domain
> - the email is * still * in virtual file.
>
> If I understand you correctly, if the IP address is in my network, Postfix didn't
> check the MX of the domain if an email related  to this domain is in virtual file.

Inbound access control is not based on MX records by default and
is never *restricted* on the basis of "missing" MX records.

--
        Viktor.