Relay mail from virtual domains and issue when the sender and recipient is on same server


Christos Chatzaras
What I want to do:

I want to disable local delivery for e-mails from virtual domains / mailboxes when sender and recipient are on the same server. I want these e-mails to pass through a relay.

--------------

My setup :

I have postfix and dovecot on server1.example.com, and smtp.example.com acts as relay for server1.example.com. MX for example.com points to server1.example.com, so incoming e-mails go to this server. Outgoing e-mails for domains not hosted on server1.example.com go through the relay. Now I want the e-mails where sender and recipient are on the same server (server1.example.com) to go through the relay (smtp.example.com). For example, currently I send an e-mail from [hidden email] to [hidden email] and it does local delivery (the e-mail does not leave server1.example.com). I want the e-mail to pass through the relay smtp.example.com.

The problem is that if I remove domain example.com from virtual_mailbox_domains then e-mails go from server1.example.com to smtp.example.com, but when they come back to server1.example.com it says "Relay denied", which I believe is because Postfix does not consider itself the server that actually hosts this domain (final destination).

--------------

/var/log/maillog:

Apr 12 19:49:08 server1 postfix/smtpd[24278]: connect from unknown[62.103.227.xxx]
Apr 12 19:49:08 server1 postfix/smtpd[24278]: Anonymous TLS connection established from unknown[62.103.227.xxx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 12 19:49:08 server1 dovecot: auth: passwd-file([hidden email],62.103.227.xxx): unknown user
Apr 12 19:49:09 server1 postfix/smtpd[24278]: 24B2A2730A: client=unknown[62.103.227.xxx], sasl_method=PLAIN, sasl_username=[hidden email]
Apr 12 19:49:09 server1 postfix/cleanup[33817]: 24B2A2730A: message-id=<[hidden email]>
Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: from=<[hidden email]>, size=740, nrcpt=1 (queue active)
Apr 12 19:49:09 server1 dovecot: lmtp(40507): Connect from local
Apr 12 19:49:09 server1 dovecot: lmtp([hidden email])<40507><w+0rEgWOz1o7ngAAPz4RRA>: sieve: msgid=<[hidden email]>: stored mail into mailbox 'INBOX'
Apr 12 19:49:09 server1 dovecot: lmtp(40507): Disconnect from local: Client has quit the connection (state = READY)
Apr 12 19:49:09 server1 postfix/lmtp[34621]: 24B2A2730A: to=<[hidden email]>, relay=server1.example.com[private/dovecot-lmtp], delay=0.24, delays=0.22/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[hidden email]> w+0rEgWOz1o7ngAAPz4RRA Saved)
Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: removed

postconf -Mf:

smtp       inet  n       -       n       -       -       smtpd
    -o content_filter=filter:
    -o receive_override_options=no_address_mappings
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
filter     unix  -       n       n       -       -       pipe flags=Rq
    user=filter argv=/usr/local/etc/bogofilter/postfix-filter.sh -f ${sender}
    -- ${recipient}

--------------

postconf -n:

authorized_mailq_users =
authorized_submit_users = root, filter
body_checks = regexp:/usr/local/etc/postfix/body_checks
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 2
default_destination_rate_delay = 1s
default_extra_recipient_limit = 10
header_checks = pcre:/usr/local/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 25600000
myhostname = server1.example.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relayhost = [smtp.example.com]
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 138.201.248.xxx
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 10
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_cert_file = /etc/ssl/certs/mail.pem
smtp_tls_key_file = /etc/ssl/private/mail.pem
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_banner = $myhostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = check_recipient_access hash:/usr/local/etc/postfix/recipient_access, check_policy_service { inet:127.0.0.1:10040, timeout=10s, default_action=dunno }, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bad.psky.me, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.blocklist.de, reject_rbl_client dnsbl.dronebl.org, check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unlisted_sender, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/recipient_transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = hash:/usr/local/etc/postfix/virtual_uids
virtual_mailbox_base = /home/mail
virtual_mailbox_domains = hash:/usr/local/etc/postfix/domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = hash:/usr/local/etc/postfix/virtual_uids
% postconf -nf
authorized_mailq_users =
authorized_submit_users = root, filter
body_checks = regexp:/usr/local/etc/postfix/body_checks
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
    $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 2
default_destination_rate_delay = 1s
default_extra_recipient_limit = 10
header_checks = pcre:/usr/local/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 25600000
myhostname = server1.example.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relayhost = [smtp.example.com]
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 138.201.248.xxx
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 10
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_cert_file = /etc/ssl/certs/mail.pem
smtp_tls_key_file = /etc/ssl/private/mail.pem
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_banner = $myhostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = check_recipient_access
    hash:/usr/local/etc/postfix/recipient_access, check_policy_service {
    inet:127.0.0.1:10040, timeout=10s, default_action=dunno },
    permit_sasl_authenticated, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination, reject_unauth_pipelining,
    reject_invalid_helo_hostname, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bad.psky.me, reject_rbl_client b.barracudacentral.org,
    reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.blocklist.de,
    reject_rbl_client dnsbl.dronebl.org, check_policy_service
    inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unlisted_sender, permit_sasl_authenticated,
    reject_non_fqdn_sender, check_sender_access
    hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
    permit
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/recipient_transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = hash:/usr/local/etc/postfix/virtual_uids
virtual_mailbox_base = /home/mail
virtual_mailbox_domains = hash:/usr/local/etc/postfix/domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = hash:/usr/local/etc/postfix/virtual_uids
Re: Relay mail from virtual domains and issue when the sender and recipient is on same server

Christos Chatzaras
More info to make it clearer:

The 'relay denied' I wrote about in my previous message is not in the smtp.example.com logs.

E-mail from [hidden email] to [hidden email] :

------
client (1) --> server1.example.com (2) --> smtp.example.com (3) --> server1.example.com (4)
------

The 'relay denied' message is on server1.example.com logs at step (4).

I can solve the 'relay denied' by changing main.cf at server1.example.com from:

------
smtpd_relay_restrictions =
  permit_sasl_authenticated,
  defer_unauth_destination
------

to:

------
mynetworks = IP_address_for_smtp.example.com

smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination
------


But then I have an infinite loop:

------
client --> server1.example.com --> smtp.example.com --> server1.example.com --> smtp.example.com -->  server1.example.com --> smtp.example.com --> ...
------


I think the only way to fix this is to have 2 postfix instances, right? One for incoming and one for outgoing.
Re: Relay mail from virtual domains and issue when the sender and recipient is on same server

Viktor Dukhovni


> On Apr 14, 2018, at 12:23 AM, Christos Chatzaras <[hidden email]> wrote:
>
> I think the only way to fix this is to have 2 postfix instances, right? One for incoming and one for outgoing.

If you want to round-trip mail through an external SMTP server,
and then bring it back to the same host, then yes, there typically
need to be two queues (Postfix instances), one that sends all mail
out, and another that accepts and delivers.

One can play games with rewriting, so that mail originally rewrites
to a domain that goes off-box, possibly rewrites in the outbound
smtp delivery agent smtp_generic_maps, and then returns into an
smtpd(8)/cleanup(8) pair that does no or different rewriting.
That could make it possible to use a single queue, because the
destination domain would be different for returned mail than
for originally incoming mail.

--
        Viktor.
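As an added illustration (not configuration from the thread, and not Viktor's or Postfix's own), here is one concrete way to do the single-queue rewriting Viktor sketches, on server1.example.com. Only mail arriving on the submission ports is rewritten, by a dedicated cleanup service, to a placeholder domain that is not hosted locally, so it leaves through the existing relayhost; the SMTP client undoes the rewrite with smtp_generic_maps before handing the message to smtp.example.com; when the message returns on port 25 its recipient domain is example.com again, which stays in virtual_mailbox_domains, so it is final destination here, goes to Dovecot over LMTP, and cannot loop. The placeholder domain outbound.example.com.invalid, the service name subcleanup and the two map file paths are assumptions chosen for this example; every other name comes from the posted configuration.

```ini
# master.cf on server1.example.com (changes to the posted services)
# Submission ports hand their mail to a separate cleanup service, so the
# recipient rewrite below never applies to mail arriving on port 25.
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o cleanup_service_name=subcleanup
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o cleanup_service_name=subcleanup
# Same program as the stock cleanup service (service name assumed), but with a
# different virtual_alias_maps that sends local recipients to the placeholder.
subcleanup unix  n       -       n       -       0       cleanup
    -o virtual_alias_maps=regexp:/usr/local/etc/postfix/submission_rewrite

# /usr/local/etc/postfix/submission_rewrite (assumed path)
# Applied only by subcleanup. The placeholder domain is an assumption; it must
# not appear in virtual_mailbox_domains, mydestination or relay_domains.
/^(.+)@example\.com$/    ${1}@outbound.example.com.invalid

# main.cf on server1.example.com (one addition; everything else stays as posted)
# example.com stays in virtual_mailbox_domains, so mail coming back on port 25
# is delivered over LMTP. relayhost = [smtp.example.com] already routes any
# non-local domain, including the placeholder, to the relay; the SMTP client
# rewrites it back so smtp.example.com only ever sees user@example.com.
smtp_generic_maps = regexp:/usr/local/etc/postfix/generic_unrewrite

# /usr/local/etc/postfix/generic_unrewrite (assumed path)
/^(.+)@outbound\.example\.com\.invalid$/    ${1}@example.com
```

Mail submitted by local programs through sendmail(1) still passes through the stock cleanup service and is delivered locally; give the pickup service the same -o cleanup_service_name=subcleanup if that mail should round-trip through the relay as well. Check the maps with `postmap -q user@example.com regexp:/usr/local/etc/postfix/submission_rewrite` and `postmap -q user@outbound.example.com.invalid regexp:/usr/local/etc/postfix/generic_unrewrite`, then send a test message and follow the queue IDs in the log: the first delivery should be a postfix/smtp line with relay=smtp.example.com, the second a postfix/lmtp line with relay=server1.example.com[private/dovecot-lmtp], and nothing after that. Viktor's primary suggestion, two Postfix instances (see postmulti(1)), avoids the rewrite entirely and also gives the port-25 MX stream and the submission stream separate queues and policies.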

Re: Relay mail from virtual domains and issue when the sender and recipient is on same server

/dev/rob0
In reply to this post by Christos Chatzaras
On Sat, Apr 14, 2018 at 05:17:09AM +0300, Christos Chatzaras wrote:
> What I want to do:
>
> I want to disable local delivery for e-mails from virtual domains /
> mailboxes when sender and recipient are on the same server. I want
> these e-mails to pass through a relay.
>
> --------------
>
> My setup :

[ is overly complicated IMO :) ]

> I have postfix and dovecot on server1.example.com, and
> smtp.example.com acts as relay for server1.example.com. MX for
> example.com points to server1.example.com, so incoming e-mails go to
> this server. Outgoing e-mails for domains not hosted on
> server1.example.com go through the relay. Now I want the e-mails
> where sender and recipient are on the same server
> (server1.example.com) to go through the relay (smtp.example.com).
> For example, currently I send an e-mail from [hidden email] to
> [hidden email] and it does local delivery (the e-mail does not leave
> server1.example.com). I want the e-mail to pass through the relay
> smtp.example.com.
>
> The problem is that if I remove domain example.com from
> virtual_mailbox_domains then e-mails go from server1.example.com
> to smtp.example.com, but when they come back to server1.example.com
> it says "Relay denied", which I believe is because Postfix does not
> consider itself the server that actually hosts this domain (final
> destination).

Yes, explicitly it means that the restriction
"reject_unauth_destination" was matched in smtpd_relay_restrictions.

> --------------
>
> /var/log/maillog:
>
> Apr 12 19:49:08 server1 postfix/smtpd[24278]: connect from unknown[62.103.227.xxx]
> Apr 12 19:49:08 server1 postfix/smtpd[24278]: Anonymous TLS connection established from unknown[62.103.227.xxx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Apr 12 19:49:08 server1 dovecot: auth: passwd-file([hidden email],62.103.227.xxx): unknown user
> Apr 12 19:49:09 server1 postfix/smtpd[24278]: 24B2A2730A: client=unknown[62.103.227.xxx], sasl_method=PLAIN, sasl_username=[hidden email]
> Apr 12 19:49:09 server1 postfix/cleanup[33817]: 24B2A2730A: message-id=<[hidden email]>
> Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: from=<[hidden email]>, size=740, nrcpt=1 (queue active)
> Apr 12 19:49:09 server1 dovecot: lmtp(40507): Connect from local
> Apr 12 19:49:09 server1 dovecot: lmtp([hidden email])<40507><w+0rEgWOz1o7ngAAPz4RRA>: sieve: msgid=<[hidden email]>: stored mail into mailbox 'INBOX'
> Apr 12 19:49:09 server1 dovecot: lmtp(40507): Disconnect from local: Client has quit the connection (state = READY)
> Apr 12 19:49:09 server1 postfix/lmtp[34621]: 24B2A2730A: to=<[hidden email]>, relay=server1.example.com[private/dovecot-lmtp], delay=0.24, delays=0.22/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[hidden email]> w+0rEgWOz1o7ngAAPz4RRA Saved)
> Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: removed
>
> postconf -Mf:
>
> smtp       inet  n       -       n       -       -       smtpd
>     -o content_filter=filter:
>     -o receive_override_options=no_address_mappings

Your content_filter only applies to MX mail on port 25.

> submission inet  n       -       n       -       -       smtpd
>     -o smtpd_tls_security_level=may
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
> smtps      inet  n       -       n       -       -       smtpd
>     -o smtpd_tls_wrappermode=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING

Perhaps what you want is for the other host to be the MSA (mail
submission agent), and do not accept submission here?

> pickup     fifo  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> rewrite    unix  -       -       n       -       -       trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       n       -       -       smtp
> relay      unix  -       -       n       -       -       smtp
>     -o smtp_fallback_relay=
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> retry      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       n       -       -       lmtp
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> filter     unix  -       n       n       -       -       pipe flags=Rq
>     user=filter argv=/usr/local/etc/bogofilter/postfix-filter.sh -f ${sender}
>     -- ${recipient}

This is your content_filter.  You're using a script, but better
practice would probably be to use smtp.  And of course SMTP doesn't
have to be local; your filter could be elsewhere.

Check out amavisd-new as a better means of content filtering.  This
also gives you a means of applying different filtering depending on
origin: the spam filtering needed for submission differs from that
which makes sense on your MX stream.

>
> --------------
>
> postconf -n:
snipped, duplicated below:

> % postconf -nf
> authorized_mailq_users =
> authorized_submit_users = root, filter
> body_checks = regexp:/usr/local/etc/postfix/body_checks
> command_directory = /usr/local/sbin
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
>     $daemon_directory/$process_name $process_id & sleep 5
> default_destination_concurrency_limit = 2
> default_destination_rate_delay = 1s
> default_extra_recipient_limit = 10
> header_checks = pcre:/usr/local/etc/postfix/header_checks
> html_directory = /usr/local/share/doc/postfix
> inet_protocols = ipv4
> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 25600000
> myhostname = server1.example.com
> mynetworks_style = host
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> relayhost = [smtp.example.com]

So if users submitted directly there, it would come back for
addresses hosted here.  That's what you want, right?

You can do this by changing the server name your users use for their
submission server to point to this relayhost instead.  It could
possibly be a painless change for the users.

Note: I am supposing you have a large number of users, because this
level of complexity does not make sense for a small number.

> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtp_bind_address = 138.201.248.xxx
> smtp_destination_concurrency_limit = 2
> smtp_destination_rate_delay = 1s
> smtp_extra_recipient_limit = 10
> smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
> smtp_tls_cert_file = /etc/ssl/certs/mail.pem
> smtp_tls_key_file = /etc/ssl/private/mail.pem
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_protocols = !SSLv2,!SSLv3
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
> smtpd_banner = $myhostname
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
>     reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
> smtpd_recipient_restrictions = check_recipient_access
>     hash:/usr/local/etc/postfix/recipient_access, check_policy_service {
>     inet:127.0.0.1:10040, timeout=10s, default_action=dunno },
>     permit_sasl_authenticated, reject_non_fqdn_sender,
>     reject_non_fqdn_recipient, reject_unknown_recipient_domain,
>     reject_unauth_destination, reject_unauth_pipelining,
>     reject_invalid_helo_hostname, reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bad.psky.me, reject_rbl_client b.barracudacentral.org,
>     reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org,

I don't consider spamcop safe for outright rejection, at least not
without DNSWL whitelisting.  Also, CBL is part of Zen, so this is a
wasted lookup.  And postscreen has been around for many years now,
you should look at it:

http://www.postfix.org/POSTSCREEN_README.html
http://rob0.nodns4.us/postscreen.html

>     reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.blocklist.de,
>     reject_rbl_client dnsbl.dronebl.org, check_policy_service
>     inet:127.0.0.1:10023, permit
> smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination

You should force all submission through submission/submissions
services, or as mentioned above, through a separate MSA.  You don't
want to accept submission on port 25.

smtpd_relay_restrictions = reject_unauth_destination

> smtpd_sasl_auth_enable = yes

This, also, is not appropriate for port 25.

> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = /var/run/dovecot/auth-client

You could have your auth socket on TCP, and thus your remote MSA
could use it to authenticate your users.  (You would of course want
to protect access to this socket via firewall or more.  Perhaps a VPN
connection between the two hosts, and only listen on the VPN
address.)

> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = reject_unlisted_sender, permit_sasl_authenticated,
>     reject_non_fqdn_sender, check_sender_access
>     hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
>     permit
> smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
> smtpd_tls_ask_ccert = yes

why?

> smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
> smtpd_tls_key_file = /etc/ssl/private/mail.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/usr/local/etc/postfix/recipient_transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
> virtual_gid_maps = hash:/usr/local/etc/postfix/virtual_uids
> virtual_mailbox_base = /home/mail
> virtual_mailbox_domains = hash:/usr/local/etc/postfix/domains
> virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
> virtual_minimum_uid = 100
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> virtual_uid_maps = hash:/usr/local/etc/postfix/virtual_uids
> % postconf -nf
[ once was fine, thanks ]
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: Relay mail from virtual domains and issue when the sender and recipient is on same server

Christos Chatzaras

Thank you for your reply and tips :-)

>
> Your content_filter only applies to MX mail on port 25.
>

Yes, I want to use bogofilter only for incoming mails from other mail servers. It's configured with a global sieve rule to move spam e-mails to the Spam folder for each mailbox. Dovecot is configured so that when a user moves an e-mail from Inbox to Spam or the opposite, bogofilter is trained with new ham or spam keywords. Also ham/spam messages are forwarded from all the servers to [hidden email] (using a script that forwards the original messages as attachments), and using another script I train a global bogofilter database which every few days I copy to all the servers. This way I get good results and only a few false positives.

>
> Perhaps what you want is for the other host to be the MSA (mail
> submission agent), and do not accept submission here?
>

I want to accept submission on server1.example.com as it's easier for end users to use the same hostname for SMTP, POP3 and IMAP.

>
> This is your content_filter.  You're using a script, but better
> practice would probably be to use smtp.  And of course SMTP doesn't
> have to be local; your filter could be elsewhere.

Do you have a link with instructions for doing it with SMTP instead of a script? Maybe I can set up another server for incoming filtering (bogofilter) which is used by all the servers, so I avoid copying the bogofilter database every few days to all the servers.

>
> Check out amavisd-new as a better means of content filtering.  This
> also gives you a means of applying different filtering depending on
> origin: the spam filtering needed for submission differs from that
> which makes sense on your MX stream.
>

Maybe I can use MailScanner (hosted on another server) for incoming messages too. It filters spam, viruses, bad attachment extensions and some more things.

>
> You can do this by changing the server name your users use for their
> submission server to point to this relayhost instead.  It could
> possibly be a painless change for the users.
>

The same hostname is used for other things too, for example FTP. So changing the server1.example.com hostname and pointing it to the smtp.example.com IP is not possible without causing frustration to users.


> Note: I am supposing you have a large number of users, because this
> level of complexity does not make sense for a small number.
>

Yes, there are more than 60,000 mail accounts split across 55 servers. These servers do shared hosting (www, ftp, dns, mail, mysql, php).

>
> I don't consider spamcop safe for outright rejection, at least not
> without DNSWL whitelisting.  Also, CBL is part of Zen, so this is a
> wasted lookup.  And postscreen has been around for many years now,
> you should look at it:
>

I removed CBL from checks.

To add DNSWL whitelisting I have to add under smtpd_recipient_restrictions and before the RBL checks:

permit_dnswl_client list.dnswl.org

Is this right?

> http://www.postfix.org/POSTSCREEN_README.html
> http://rob0.nodns4.us/postscreen.html

I will check this too. I didn't mention it but I also use postgrey (greylisting). If I can get good results with postscreen maybe I can remove postgrey.

> You should force all submission through submission/submissions
> services, or as mentioned above, through a separate MSA.  You don't
> want to accept submission on port 25.

I know this, but some old clients are configured to submit on port 25. Also some sites use port 25 for contact forms and transactional e-mails. Maybe it's time to send them a mass e-mail notifying them to change their submission port to 587, and after some time remove submission on port 25.


>> smtpd_sasl_type = dovecot
>> smtpd_sender_restrictions = reject_unlisted_sender, permit_sasl_authenticated,
>>    reject_non_fqdn_sender, check_sender_access
>>    hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
>>    permit
>> smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
>> smtpd_tls_ask_ccert = yes
>
> why?

A few years ago I was using Postfix for SASL authentication. After upgrading Postfix to a new version the quota patch was not working (the developer abandoned it), so I changed it to Dovecot authentication because Dovecot has a plugin for mailbox quota. So these settings are not required any more, right?
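rob0's advice earlier in the thread (no SASL and no authenticated relaying on port 25, postscreen in front of smtpd, DNSWL whitelisting before outright DNSBL rejection) and the permit_dnswl_client placement question in the last reply, pulled together as an added example for server1.example.com. This is not configuration from the thread; it edits the posted main.cf and master.cf values. On the placement question: on Postfix 2.10 and later smtpd_relay_restrictions is evaluated before smtpd_recipient_restrictions, so a permit_* result inside smtpd_recipient_restrictions can only skip the checks after it and can never grant relaying, which makes "just before the reject_rbl_client entries" a safe spot. The dnswl weights and the threshold are assumptions; the list.dnswl.org return-code patterns are the ones given in the postconf(5) entry for postscreen_dnsbl_sites; smtpd_tls_auth_only is added hardening that the thread does not mention.

```ini
# main.cf on server1.example.com: port 25 is the MX stream only.
# No SASL and no authenticated relaying there; submission/smtps keep their own
# -o overrides in master.cf below.
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = reject_unauth_destination

# Relay control is settled above, so permit_dnswl_client here can only skip
# the DNSBL checks that follow it. cbl.abuseat.org is dropped because it is
# already part of zen.spamhaus.org.
smtpd_recipient_restrictions =
    check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
    check_policy_service { inet:127.0.0.1:10040, timeout=10s, default_action=dunno },
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    permit_dnswl_client list.dnswl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client truncate.gbudb.net,
    reject_rbl_client bl.blocklist.de,
    reject_rbl_client dnsbl.dronebl.org,
    check_policy_service inet:127.0.0.1:10023,
    permit

# postscreen in front of port 25, with weighted DNSBL scoring and dnswl
# subtracting points (weights and threshold are assumptions). Run with
# postscreen_dnsbl_action = ignore and read the logs before enforcing.
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spamcop.net*1
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..3]*-4

# master.cf: postscreen takes the port-25 socket and hands surviving
# connections to an smtpd on a "pass" socket, which keeps the posted
# content_filter settings. dnsblog and tlsproxy are postscreen's helpers.
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
    -o content_filter=filter:
    -o receive_override_options=no_address_mappings
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy

# Submission services: SASL only here, only after STARTTLS, and authenticated
# clients bypass the MX-stream recipient checks from main.cf. If the policy
# service on port 10040 is meant for submitted mail, put it first in the
# smtpd_recipient_restrictions override.
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
```

After `postfix reload`, an EHLO on port 25 must no longer list AUTH, port 587 must list it only after STARTTLS, and an unauthenticated RCPT TO for a domain not in virtual_mailbox_domains on port 25 must get "554 5.7.1 Relay access denied" while example.com recipients are still accepted. The clients and contact forms still submitting on port 25 will break at this point, so this goes in only after they have been moved to 587/465, as the last reply plans.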