Rejecting mail if LDAP lookup returns empty


Rejecting mail if LDAP lookup returns empty

Cooper, Robert A

Howdy!

We are setting up Postfix to be an on-premise mail lookup and forward service for a cloud-based mail filter service (ProofPoint).  Our campus uses LDAP to route email from a public alias (@tamu.edu) to an internal mailbox (e.g., @exchange.tamu.edu) or external destination such as yahoo or gmail.

The issue we are seeing is that the lookups are working just fine, but if an email is sent to a bogus public alias or a valid alias without a defined routing address in LDAP, Postfix then attempts to pass on the @tamu.edu address to the next hop instead of failing the lookup and bouncing.  We are running postfix 2.10.1 (CentOS 7) and I can't seem to find a configuration that will fail messages back if there is no LDAP mailRoutingAddress. Right now, we are getting bounces but they are being generated from the on-prem ProofPoint appliance and not Postfix.  The on-prem appliances are going away (which is what prompted this change to begin with).

Is there something I'm missing in configuration that would fail if LDAP does not return a routing address?

Thanks,
RobertC


postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_concurrency_limit = 2
lmtp_host_lookup = native
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 52428800
mydestination = $myhostname, localhost.$mydomain
mydomain = syse.tamu.edu
mynetworks = /etc/postfix/mynetworks.cidr
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost =
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_host_lookup = native
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_connection_count_limit = 1000
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks,reject_unknown_recipient_domain,reject_unverified_recipient
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/tamu.ldap

postconf -M
smtp       inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache



RE: Rejecting mail if LDAP lookup returns empty

angelo

Hi, what is the output (if testing is possible) of, say, these commands?

postmap -q [hidden email]  ldap:/etc/postfix/tamu.ldap

postmap -q [hidden email]  ldap:/etc/postfix/tamu.ldap

If I’m sending you down the wrong rabbit hole, I am sure someone more savvy will help out.

-ANGELO FAZZINA
[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: [hidden email] <[hidden email]> On Behalf Of Cooper, Robert A
Sent: Friday, June 21, 2019 9:44 AM
To: [hidden email]
Subject: Rejecting mail if LDAP lookup returns empty


Re: Rejecting mail if LDAP lookup returns empty

Dusan Obradovic-2
In reply to this post by Cooper, Robert A


> On Jun 21, 2019, at 3:44 PM, Cooper, Robert A <[hidden email]> wrote:

See the mail forwarding configuration example at http://www.postfix.org/VIRTUAL_README.html#forwarding

Your Postfix may still accept mail to any address when the client IP address matches any network or network address listed in $mynetworks, according to:
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination




Re: Rejecting mail if LDAP lookup returns empty

Cooper, Robert A
In reply to this post by angelo

The first one returns a mailRoutingAddress ([hidden email], specifically). The second returns nothing from LDAP.


RobertC




From: Fazzina, Angelo <[hidden email]>
Sent: Friday, June 21, 2019 09:02
To: Cooper, Robert A; [hidden email]
Subject: RE: Rejecting mail if LDAP lookup returns empty
 


Re: Rejecting mail if LDAP lookup returns empty

Wietse Venema
In reply to this post by Cooper, Robert A
Cooper, Robert A:
> virtual_alias_maps = ldap:/etc/postfix/tamu.ldap

As documented, 'not found' means 'do not replace the address by its alias expansion'.

If you must REJECT a name that has no LDAP, then you MUST also specify

    virtual_alias_domains = tamu.edu

For more on virtual_alias_maps and virtual_alias_domains see
http://www.postfix.org/ADDRESS_CLASS_README.html
 
        Wietse
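Wietse's point (a 'not found' virtual_alias_maps lookup leaves the address untouched, and only a domain listed in virtual_alias_domains gets its unknown recipients rejected) and Dusan's point (permit_mynetworks in smtpd_relay_restrictions lets a trusted client relay anything) are easy to see side by side in a small model. The block below is an added example written for this thread; it is not Postfix code and not from anyone in the thread. It assumes a constructed in-memory dict in place of ldap:/etc/postfix/tamu.ldap, an assumed myhostname of mx1.syse.tamu.edu (the posted postconf -n does not show it), and Postfix's default smtpd_reject_unlisted_recipient = yes.

```python
"""Model of the recipient decision discussed in this thread.

Constructed example, not Postfix code: it reproduces the documented rule
that a 'not found' virtual_alias_maps lookup leaves the address unchanged,
and that only a domain listed in virtual_alias_domains has its unknown
recipients rejected by smtpd. The LDAP table is a constructed dict.
"""
from dataclasses import dataclass, field

# Constructed stand-in for ldap:/etc/postfix/tamu.ldap
# (public alias -> mailRoutingAddress). The addresses are made up.
FAKE_LDAP_TABLE = {
    "alice@tamu.edu": "alice@exchange.tamu.edu",
    "bob@tamu.edu": "bob@gmail.com",
    # carol@tamu.edu has no mailRoutingAddress, so the lookup returns
    # nothing, exactly as it would for a bogus alias.
}


@dataclass
class MainCf:
    """Only the main.cf parameters the decision depends on."""
    # myhostname is not in the posted output; 'mx1.syse.tamu.edu' is assumed.
    mydestination: set = field(
        default_factory=lambda: {"mx1.syse.tamu.edu", "localhost.syse.tamu.edu"})
    virtual_alias_domains: set = field(default_factory=set)
    virtual_alias_maps: dict = field(default_factory=lambda: dict(FAKE_LDAP_TABLE))
    # smtpd_reject_unlisted_recipient defaults to yes (assumed here).
    reject_unlisted_recipient: bool = True


def resolve_recipient(cfg: MainCf, recipient: str, client_in_mynetworks: bool) -> str:
    """Return what Postfix would do with one RCPT TO address."""
    if "@" not in recipient:
        return "501 Bad recipient address syntax"
    domain = recipient.rsplit("@", 1)[1].lower()
    expansion = cfg.virtual_alias_maps.get(recipient.lower())

    # virtual_alias_maps applies to every domain: found -> rewrite,
    # not found -> the address is left exactly as it came in.
    if expansion is not None:
        return f"rewrite -> {expansion}"

    # Address class: a virtual alias domain must list every valid recipient,
    # so an unlisted one is rejected before the message is accepted.
    if domain in cfg.virtual_alias_domains:
        if cfg.reject_unlisted_recipient:
            return "550 User unknown in virtual alias table"
        return "accept unchanged (unlisted recipient permitted)"

    if domain in cfg.mydestination:
        return "deliver locally (local_recipient_maps decides)"

    # Any other domain is remote: smtpd_relay_restrictions decides, and
    # permit_mynetworks comes first, so a trusted client can relay anything.
    if client_in_mynetworks:
        return "relay unchanged to next hop"
    return "554 Relay access denied"


def compare_configs() -> dict:
    """Run the three interesting recipients through both configurations."""
    before = MainCf()                                   # as in the posted postconf -n
    after = MainCf(virtual_alias_domains={"tamu.edu"})  # with Wietse's addition
    cases = ["alice@tamu.edu", "carol@tamu.edu", "nobody@tamu.edu"]
    return {
        "before": {r: resolve_recipient(before, r, client_in_mynetworks=True) for r in cases},
        "after": {r: resolve_recipient(after, r, client_in_mynetworks=True) for r in cases},
    }


if __name__ == "__main__":
    for label, results in compare_configs().items():
        print(label)
        for rcpt, outcome in results.items():
            print(f"  {rcpt:20} {outcome}")
```

Two things the model deliberately leaves out: reject_unverified_recipient from the posted smtpd_recipient_restrictions, which would probe the next hop for addresses that fall through unchanged, is not simulated; and once tamu.edu is a virtual alias domain the rejection happens at RCPT time inside smtpd, so the refusing side never queues the message and the non-delivery report is produced by whichever system was sending to Postfix rather than by Postfix itself.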

Re: Rejecting mail if LDAP lookup returns empty

Cooper, Robert A

Thanks for your help! That was what I was missing!


RobertC




From: [hidden email] <[hidden email]> on behalf of Wietse Venema <[hidden email]>
Sent: Friday, June 21, 2019 10:35
To: Postfix users
Subject: Re: Rejecting mail if LDAP lookup returns empty
 