Rewriting sub domains as domains


Rewriting sub domains as domains

Robert Fitzpatrick
Is there a way that I can rewrite any e-mail that comes in as a sub
domain to just the domain? For instance, I have several users on a
non-postfix destination mail server that are set up with a host name of
www.example.com and when that server responds automatically to
messages, such as auto-reply, it sends as [hidden email]. I would
like to rewrite this as just [hidden email] when it comes in to our
Postfix gateway for delivery. This is because our mail filter (amavisd
spin off Maia Mailguard) on the gateway will set up an account
automatically for users when mail is received and we don't want two
accounts for one user.

The Postfix 2.4.6 gateway/filter now uses relay transports via LDAP
lookup. In LDAP, we store both the domain (example.com) and the sub
domain (www.example.com) for mapping. It would be super sweet if I could
tell Postfix to only rewrite those domains found in LDAP. If it receives
mail for [hidden email] and finds www.example.com in the relay
transport lookup, rewrite to example.com prior to sending to the filter.

Thanks for any pointers!

--
Robert


Re: Rewriting sub domains as domains

Brian Evans - Postfix List
Robert Fitzpatrick wrote:

> Is there a way that I can rewrite any e-mail that comes in as a sub
> domain to just the domain? For instance, I have several users on a
> non-postfix destination mail server that are set up with a host name of
> www.example.com and when that server responds automatically to
> messages, such as auto-reply, it sends as [hidden email]. I would
> like to rewrite this as just [hidden email] when it comes in to our
> Postfix gateway for delivery. This is because our mail filter (amavisd
> spin off Maia Mailguard) on the gateway will set up an account
> automatically for users when mail is received and we don't want two
> accounts for one user.
>  
I'll make an assumption here.  Please post `postconf -n` to receive
better assistance.
This answer depends on your setup.

myorigin = $mydomain    will give you  the desired effect on mail
originating from scripts and non-fqdn addresses

If this is not the case, please follow the documentation here:
http://www.postfix.org/DEBUG_README.html#mail

Brian

> The Postfix 2.4.6 gateway/filter now uses relay transports via LDAP
> lookup. In LDAP, we store both the domain (example.com) and the sub
> domain (www.example.com) for mapping. It would be super sweet if I could
> tell Postfix to only rewrite those domains found in LDAP. If it receives
> mail for [hidden email] and finds www.example.com in the relay
> transport lookup, rewrite to example.com prior to sending to the filter.
>
> Thanks for any pointers!
>
>  

Re: Rewriting sub domains as domains

Robert Fitzpatrick
On Wed, 2008-05-21 at 09:37 -0400, Brian Evans wrote:

> Robert Fitzpatrick wrote:
> > Is there a way that I can rewrite any e-mail that comes in as a sub
> > domain to just the domain? For instance, I have several users on a
> > non-postfix destination mail server that are set up with a host name of
> > www.example.com and when that server responds automatically to
> > messages, such as auto-reply, it sends as [hidden email]. I would
> > like to rewrite this as just [hidden email] when it comes in to our
> > Postfix gateway for delivery. This is because our mail filter (amavisd
> > spin off Maia Mailguard) on the gateway will set up an account
> > automatically for users when mail is received and we don't want two
> > accounts for one user.
> >  
> I'll make an assumption here.  Please post `postconf -n` to receive
> better assistance.
> This answer depends on your setup.
>

esmtp# postconf -n
address_verify_map = btree:/home/mta/verify
address_verify_poll_count = 1
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
html_directory = no
mail_name = WebTent ESMTP Postfix Internet Mail Gateway
mail_owner = postfix
mailbox_size_limit = 102400000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 1000s
maximal_queue_lifetime = 3d
message_size_limit = 51200000
mynetworks = 127.0.0.0/8, 10.0.0.0/8
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = hash:/usr/local/etc/postfix/relay_transport.map, ldap:/usr/local/etc/postfix/ldap/transport.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_send_xforward_command = yes
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name USE OF THIS SERVER INDICATES THAT YOU HAVE READ AND AGREED TO OUR AUP.  UCE IS NOT ALLOWED.
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access cidr:/usr/local/etc/postfix/relay_clients, check_client_access ldap:/usr/local/etc/postfix/ldap/relay_clients.cf, check_client_access hash:/usr/local/etc/postfix/client_checks, reject_unauth_destination, reject_non_fqdn_sender, reject_non_fqdn_recipient, check_helo_access hash:/usr/local/etc/postfix/helo_checks, check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre, reject_rbl_client list.dsbl.org, reject_rbl_client zen.spamhaus.org, reject_unverified_recipient, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access hash:/usr/local/etc/postfix/sender_access permit_mynetworks reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/ssl/postfix_public_cert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/ssl/postfix_private_key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/home/mta/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/relay_transport.map, ldap:/usr/local/etc/postfix/ldap/transport.cf
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

> myorigin = $mydomain    will give you  the desired effect on mail
> originating from scripts and non-fqdn addresses

Originating from scripts? I guess I wasn't clear enough about how our
system works. We receive mail on our Postfix gateway for relay to their
final destination (off server or network) via the transport_maps setting
in main.cf, see above. If we receive mail for the recipient
[hidden email] and www.example.com is found when performing the
relay or transport LDAP lookup, then we would like Postfix to rewrite
the address to [hidden email] *before* sending to amavisd. Do you mean
I should need to create a script for this purpose that relies somehow on
myorigin to rewrite the address? These will be many different fqdn's
that I want to rewrite to their corresponding domain, all sub domains
will be fully resolvable.

--
Robert


Re: Rewriting sub domains as domains

mouss-2
In reply to this post by Robert Fitzpatrick
Robert Fitzpatrick wrote:

> Is there a way that I can rewrite any e-mail that comes in as a sub
> domain to just the domain? For instance, I have several users on a
> non-postfix destination mail server that are set up with a host name of
> www.example.com and when that server responds automatically to
> messages, such as auto-reply, it sends as [hidden email]. I would
> like to rewrite this as just [hidden email] when it comes in to our
> Postfix gateway for delivery. This is because our mail filter (amavisd
> spin off Maia Mailguard) on the gateway will set up an account
> automatically for users when mail is received and we don't want two
> accounts for one user.
>  

you should fix your auto-responder things. if they get addresses wrong,
we suspect that they could get other things wrong, and thus result in
backscatter.

The idea is that problems should be fixed as near the source as
possible. so the program that generates the wrong addresses should be
fixed.


if you think your auto-responders are ok (please check this again and
again), then take a ride over
    http://www.postfix.org/ADDRESS_REWRITING_README.html
there are various rewrite mechanisms:
- myorigin
- masquerade_domains
- smtp_generic_maps
- ...



> The Postfix 2.4.6 gateway/filter now uses relay transports via LDAP
> lookup. In LDAP, we store both the domain (example.com) and the sub
> domain (www.example.com) for mapping. It would be super sweet if I could
> tell Postfix to only rewrite those domains found in LDAP. If it receives
> mail for [hidden email] and finds www.example.com in the relay
> transport lookup, rewrite to example.com prior to sending to the filter.
>
> Thanks for any pointers!
>
>  


Re: Rewriting sub domains as domains

Robert Fitzpatrick
On Wed, 2008-05-21 at 16:18 +0200, mouss wrote:
>
> if you think your auto-responders are ok (please check this again and
> again), then take a ride over
>     http://www.postfix.org/ADDRESS_REWRITING_README.html
> there are various rewrite mechanisms:
> - myorigin
> - masquerade_domains
> - smtp_generic_maps
> - ...

Our auto-responders are by design and correct as the server appliances
that host the domains require a host name and an alias of the domain to
accept for the entire domain. I could hack the majordomo on those server
appliances to possibly get it to use the domain instead, but the actual
user on the server would be [hidden email] while the virtusertable
rewrites @example.com as %[hidden email] in sendmail. I'd rather not
hack the server appliance software, hoping I could handle in the Postfix
gateway easier.

Thanks for the response, the masquerade might work. Right now, our LDAP
lookups for transport are like this...

esmtp# cat ldap/transport.cf
bind = no
server_host = ldap://127.0.0.1/
version = 3
search_base = ou=Servers,dc=example,dc=com
query_filter = (&(associatedDomain=%s)(objectClass=domainRelatedObject))
result_attribute = ipHostNumber
result_format = smtp:[%s]

This finds a domain and returns its IP from ipHostNumber to route the
mail to appropriate destination mail server. All domains are listed
under the multivalued attribute of associatedDomain, so if I tell
masquerading to lookup the domain in the same way, is it possible to get
a result of the key only once? Or what type of return is expected from
the lookup? I tried using %S as the result_attribute, but it returns the
key for each entry found....

In main.cf I now have...

masquerade_domains = ldap:/usr/local/etc/postfix/ldap/masquerade.cf
masquerade_classes = envelope_recipient, header_recipient

Here are the lookup parameters and the result I am getting...

esmtp# cat ldap/masquerade.cf
bind = no
server_host = ldap://127.0.0.1/
version = 3
search_base = ou=Servers,dc=example,dc=com
query_filter = (&(associatedDomain=%s)(objectClass=domainRelatedObject))
result_attribute = associatedDomain
result_format = %S
esmtp# postmap -q example.com ldap:/usr/local/etc/postfix/ldap/masquerade.cf
example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com,example.com

Again, even if I need to set up separate entries for masquerading, I am
not sure what the lookup is expecting as a result. Can it be set up to
only verify the existence of the domain and then masquerade when found
for that domain? Right now, with the above setup, the rewrite is not
happening.

--
Robert


Re: Rewriting sub domains as domains

mouss-2
Robert Fitzpatrick wrote:

> On Wed, 2008-05-21 at 16:18 +0200, mouss wrote:
>  
>> if you think your auto-responders are ok (please check this again and
>> again), then take a ride over
>>     http://www.postfix.org/ADDRESS_REWRITING_README.html
>> there are various rewrite mechanisms:
>> - myorigin
>> - masquerade_domains
>> - smtp_generic_maps
>> - ...
>>    
>
> Our auto-responders are by design and correct

come on:) all auto-responders are "by design and correct", except when
they send us backscatter...

>  as the server appliances
> that host the domains require a host name and an alias of the domain to
> accept for the entire domain.

I really don't care for the hostname and whatever alias you mean. I just
don't want auto-responders sending me outscatter...

>  I could hack the majordomo on those server
>  

but if it's a majordomo, then auto-resp should be ok.
> appliances to possibly get it to use the domain instead, but the actual
> user on the server would be [hidden email] while the virtusertable
> rewrites @example.com as %[hidden email] in sendmail. I'd rather not
> hack the server appliance software, hoping I could handle in the Postfix
> gateway easier.
>  

do however take the time to check if you cannot configure the "default
domain". if you can fix the problem at the source, then it's better. but
if you can't, don't hack. use postfix to "fix" it.
> [snip]
> Again, even if I need to set up separate entries for masquerading, I am
> not sure what the lookup is expecting as a result. Can it be set up to
> only verify the existence of the domain and then masquerade when found
> for that domain?


sorry, I don't understand this. if you want per address rewrite, then
use smtp_generic_maps. masquerade_domains is for very simple situations.


> Right now, with the above setup, the rewrite is not
> happening.
>  

you may have the syntax wrong. it's a bit surprising because it differs
from general postfix maps (it's a sendmail feature). reread the doc with
this in mind => it's not a map. if you forget about maps, you'll see how
to use it.




Re: Rewriting sub domains as domains

Robert Fitzpatrick
On Wed, 2008-05-21 at 21:02 +0200, mouss wrote:
> you may have the syntax wrong. it's a bit surprising because it differs
> from general postfix maps (it's a sendmail feature). reread the doc with
> this in mind => it's not a map. if you forget about maps, you'll see how
> to use it.

Ah yes, I see what you mean, thanks for the insight. So my question is,
what is Postfix asking LDAP when looking up domains to masquerade? My
current LDAP file for Postfix, when queried as follows, returns all the
domains I want to masquerade separated by commas...

esmtp# cat ldap/masquerade.cf
bind = no
server_host = ldap://10.0.0.6/
version = 3
search_base = ou=Servers,dc=webtent,dc=net
query_filter = (&(associatedDomain=%s)(objectClass=domainRelatedObject))
result_attribute = associatedDomain
result_format = %s
postmap -q example.com ldap:/usr/local/etc/postfix/ldap/masquerade.cf

But still no rewriting :(

esmtp# grep masquerade_ main.cf
masquerade_domains = ldap:/usr/local/etc/postfix/ldap/masquerade.cf
masquerade_classes = envelope_recipient, header_recipient

--
Robert


Re: Rewriting sub domains as domains

mouss-2
Robert Fitzpatrick wrote:
> Ah yes, I see what you mean, thanks for the insight. So my question is,
> what is Postfix asking LDAP when looking up domains to masquerade?

prove it.

> [snip]
>
> But still no rewriting :(
>
> esmtp# grep masquerade_ main.cf
> masquerade_domains = ldap:/usr/local/etc/postfix/ldap/masquerade.cf
> masquerade_classes = envelope_recipient, header_recipient
>
>  

where did you find that masquerade_domains is a MAP?
 
    http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade
    http://www.postfix.org/postconf.5.html#masquerade_domains




Re: Rewriting sub domains as domains

Charles Marcus
In reply to this post by Robert Fitzpatrick
On 5/21/2008, Robert Fitzpatrick ([hidden email]) wrote:
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, check_client_access
> cidr:/usr/local/etc/postfix/relay_clients, check_client_access
> ldap:/usr/local/etc/postfix/ldap/relay_clients.cf,
> check_client_access hash:/usr/local/etc/postfix/client_checks,
> reject_unauth_destination,

You might consider moving reject_unauth_destination to above the client
checks - this will avoid your accidentally becoming an open relay if
something goes wrong (ever typo'd something?) with the client checks...

;)

--

Best regards,

Charles
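
The ordering concern raised in the reply above, as an added example that is not part of the original thread: a small Python check that reads `postconf -n` style output and lists every access-table lookup evaluated before the relay check. The function names are hypothetical, and the sample is an excerpt of the restriction list posted earlier in the thread.

```python
import re

# Excerpt of the smtpd_recipient_restrictions value from the `postconf -n`
# output posted in this thread (cut after reject_non_fqdn_sender).
SAMPLE = (
    "mynetworks = 127.0.0.0/8, 10.0.0.0/8\n"
    "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, "
    "check_client_access cidr:/usr/local/etc/postfix/relay_clients, "
    "check_client_access ldap:/usr/local/etc/postfix/ldap/relay_clients.cf, "
    "check_client_access hash:/usr/local/etc/postfix/client_checks, "
    "reject_unauth_destination, reject_non_fqdn_sender\n"
)

# Restrictions that consume the next token as their argument (table or zone).
TAKES_ARG = re.compile(r"^(check_|reject_rbl_|reject_rhsbl_)")
RELAY_CHECKS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_restrictions(postconf_text, param="smtpd_recipient_restrictions"):
    """Return [(restriction, argument_or_None), ...] for one parameter.

    Assumes `postconf -n` style input: one "name = value" line per parameter.
    """
    for line in postconf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == param:
            tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
            break
    else:
        return []
    parsed, i = [], 0
    while i < len(tokens):
        takes_arg = bool(TAKES_ARG.match(tokens[i])) and i + 1 < len(tokens)
        parsed.append((tokens[i], tokens[i + 1] if takes_arg else None))
        i += 2 if takes_arg else 1
    return parsed


def lookups_before_relay_check(postconf_text):
    """Return (relay_check_present, [(restriction, table), ...]).

    The list holds every check_*_access lookup evaluated before the relay
    check, i.e. every table whose OK result could permit relaying.
    """
    early = []
    for name, arg in parse_restrictions(postconf_text):
        if name in RELAY_CHECKS:
            return True, early
        if re.fullmatch(r"check_\w+_access", name):
            early.append((name, arg))
    return False, early


if __name__ == "__main__":
    print(lookups_before_relay_check(SAMPLE))
```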