Virtual mailbox domains vs relay domains

Virtual mailbox domains vs relay domains

Tom Marcoen
Hey all,

I've been reading the tutorial on workaround.org and it uses the
variable 'virtual_mailbox_domains' to list all the domains
Postfix/Dovecot needs to receive emails for. Of course this also means
you need to change the 'virtual_transport' setting to use
LMTP/dovecot-lda to deliver the email to Dovecot - instead of using
'virtual' to store the email on your local drive. I understand this
concept and it makes sense to me.

Last week however, I was reading a book on Dovecot written by Peer
Heinlein and he says that if you put a Postfix server in front of
Dovecot you should use 'relay_domains' for these domains, combined
with 'transport_maps'.

Is there any real difference in using one method or the other and,
perhaps more importantly, what is the recommended way of sending
emails from Postfix to Dovecot? The advantage of Peer's method is that
you can place the Postfix server in a DMZ and it does not need access
to your MySQL/... database for username information.

Best regards,
Tom
Re: Virtual mailbox domains vs relay domains

Viktor Dukhovni


> On Nov 10, 2017, at 8:22 AM, Tom Marcoen <[hidden email]> wrote:
>
> Last week however, I was reading a book on Dovecot written by Peer
> Heinlein and he says that if you put a Postfix server in front of
> Dovecot you should use 'relay_domains' for these domains, combined
> with 'transport_maps'.

This is not necessary.  LMTP is not SMTP, and you're not relaying
the mail.  And even if you were, the destination is not a store-
and-forward MTA, but a mailstore.  So it is not unreasonable to
model the associated domain as a virtual mailbox domain.  You
can in that case put anything you want in the RHS of the virtual
mailbox table:

        [hidden email] VALID

the table is only used for recipient validation, not mailbox
location, which is determined by the mailstore.

> Is there any real difference in using one method or the other and,

That said, much the same works with relay_domains and
relay_recipient_maps.  Provided, with relay_domains, you
are careful with "parent_domain_matches_subdomains" and
avoid accidentally accepting mails for subdomains when
you only intend to receive email for the domain.

I'd be inclined to stick with virtual mailbox.

> perhaps more importantly, what is the recommended way of sending
> emails from Postfix to Dovecot? The advantage of Peer's method is that
> you can place the Postfix server in a DMZ and it does not need access
> to your MySQL/... database for username information.

Losing recipient validation is NOT an advantage.  Either way,
you need to have a table of valid recipients to avoid backscatter.

--
        Viktor.
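The two configurations Viktor contrasts, written out as an added main.cf example that is not part of the thread: example.com, the LMTP listener at 192.0.2.10:24 and the two addresses are constructed placeholders. The `inline:` table type needs Postfix 3.0 or later; on older releases put the same key/value lines in a hash:/etc/postfix/vmailbox file instead.

```ini
# Added example, not from the thread. example.com, 192.0.2.10:24 and the
# recipient addresses are constructed placeholders.

# Option A: the domain is a virtual mailbox domain and Postfix hands each
# message to Dovecot over LMTP. Dovecot owns mailbox location, so the
# right-hand side of the recipient table is never used for delivery; it
# only answers "does this recipient exist?" during smtpd recipient checks.
virtual_mailbox_domains = example.com
virtual_transport = lmtp:inet:192.0.2.10:24
virtual_mailbox_maps = inline:{ alice@example.com=VALID, bob@example.com=VALID }

# Option B: the same domain modelled as a relay domain (Peer Heinlein's
# layout). A domain cannot be in both lists, so these lines are commented
# out; uncomment them and remove Option A to switch.
# relay_domains = example.com
# transport_maps = inline:{ example.com=lmtp:inet:192.0.2.10:24 }
# relay_recipient_maps = inline:{ alice@example.com=VALID, bob@example.com=VALID }
# relay_domains is in the default value of parent_domain_matches_subdomains,
# so "relay_domains = example.com" would also match anything.example.com.
# Listing the default minus relay_domains limits acceptance to the exact
# domain.
# parent_domain_matches_subdomains =
#     debug_peer_list, fast_flush_domains, mynetworks,
#     permit_mx_backup_networks, qmqpd_authorized_clients, smtpd_access_maps
```

In either option the recipient table is what prevents backscatter: without it Postfix accepts mail for any local part, Dovecot refuses the unknown user at delivery time, and Postfix then bounces to a sender address that is usually forged. Postfix main.cf only treats `#` as a comment at the start of a line, so keep comments on their own lines as above.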

Re: Virtual mailbox domains vs relay domains

Wietse Venema
Viktor Dukhovni:
> > perhaps more importantly, what is the recommended way of sending
> > emails from Postfix to Dovecot? The advantage of Peer's method is that
> > you can place the Postfix server in a DMZ and it does not need access
> > to your MySQL/... database for username information.
>
> Losing recipient validation is NOT an advantage.  Either way,
> you need to have a table of valid recipients to avoid backscatter.

An alternative to a static table is dynamic recipient verification.
This uses a cache with proactive refresh.
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

        Wietse
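The dynamic alternative Wietse points to, written out as an added main.cf example that is not from the thread or the README it links: the DMZ host keeps no recipient table and no database credentials, and instead asks Dovecot over LMTP whether a recipient exists the first time it sees the address, caching the verdict. example.com and the LMTP listener at 192.0.2.10:24 are constructed placeholders; the example assumes Dovecot's LMTP service rejects unknown users at RCPT TO, which is what gives the probe a useful answer.

```ini
# Added example, not from the thread. example.com and 192.0.2.10:24 are
# constructed placeholders; this assumes Dovecot LMTP refuses unknown
# recipients at RCPT TO.

# Final delivery over LMTP, as before. The probe that reject_unverified_recipient
# sends uses $address_verify_virtual_transport, which defaults to
# $virtual_transport, so the probe reaches the same LMTP listener.
virtual_mailbox_domains = example.com
virtual_transport = lmtp:inet:192.0.2.10:24
# Deliberately empty: this host has no copy of the user list, so
# reject_unlisted_recipient has nothing to check for this domain and the
# decision is left to the verification probe.
virtual_mailbox_maps =

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Persistent probe cache with proactive refresh: a positive answer is
# re-checked after 7 days and discarded after 31, a negative one is
# re-checked after 3 hours and discarded after 3 days. The mailstore is
# therefore asked once per address, not once per message.
address_verify_map = btree:$data_directory/verify_cache
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h

# A definite "user unknown" from the mailstore gets 450 by default, which
# is safe while testing; raise it to 550 once probes are known to work so
# that unknown recipients are refused outright instead of retried for days.
unverified_recipient_reject_code = 450
# Probe still in flight or mailstore unreachable: always a temporary
# failure, so a legitimate sender retries and nothing is bounced.
unverified_recipient_defer_code = 450
```

The only network path the DMZ host needs towards the inside is TCP/24 to the LMTP listener, which is the isolation gain Tom is after. The cost is that the cache is only ever partial: an address the host has never seen costs a live round trip to the mailstore before the client gets an answer, and if the mailstore is down the host can only defer, whereas a host with a full recipient table keeps rejecting unknown users on its own.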
Re: Virtual mailbox domains vs relay domains

Tom Marcoen
On 10 November 2017 at 22:59, Viktor Dukhovni
<[hidden email]> wrote:

>
>> On Nov 10, 2017, at 8:22 AM, Tom Marcoen <[hidden email]> wrote:
>>
>> Last week however, I was reading a book on Dovecot written by Peer
>> Heinlein and he says that if you put a Postfix server in front of
>> Dovecot you should use 'relay_domains' for these domains, combined
>> with 'transport_maps'.
>
> This is not necessary.  LMTP is not SMTP, and you're not relaying
> the mail.  And even if you were, the destination is not a store-
> and-forward MTA, but a mailstore.  So it is not unreasonable to
> model the associated domain as a virtual mailbox domain.

This makes sense. I'm not really relaying the email so perhaps a
virtual mailbox domain makes more sense than a relay domain. Peer
Heinlein also wrote a (very thick) book on Postfix but alas it's only
in German so I will have to translate it before I can read it.

On 11 November 2017 at 14:32, Wietse Venema <[hidden email]> wrote:

> Viktor Dukhovni:
>> > perhaps more importantly, what is the recommended way of sending
>> > emails from Postfix to Dovecot? The advantage of Peer's method is that
>> > you can place the Postfix server in a DMZ and it does not need access
>> > to your MySQL/... database for username information.
>>
>> Losing recipient validation is NOT an advantage.  Either way,
>> you need to have a table of valid recipients to avoid backscatter.
>
> An alternative to a static table is dynamic recipient verification.
> This uses a cache with proactive refresh.
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
>         Wietse

That is exactly what Peer Heinlein also uses in his book but what I
forgot to mention. I like this idea as it better isolates your DMZ
server than when you have your DMZ server access your MySQL database.


So am I correct that the general population would recommend/prefer
virtual mailbox domains over relay domains in this situation?
Re: Virtual mailbox domains vs relay domains

Wietse Venema
Tom Marcoen:
> So am I correct that the general population would recommend/prefer
> virtual mailbox domains over relay domains in this situation?

Yes, virtual_mailbox_domains is for final destinations
including LMTP, relay_domains for forwarding to MTAs.

Peer may have written some of his text before Postfix
virtual_mailbox_domains support was widely available.

        Wietse
Re: Virtual mailbox domains vs relay domains

Viktor Dukhovni


> On Nov 12, 2017, at 6:15 AM, Tom Marcoen <[hidden email]> wrote:
>
>>> Losing recipient validation is NOT an advantage.  Either way,
>>> you need to have a table of valid recipients to avoid backscatter.
>>
>> An alternative to a static table is dynamic recipient verification.
>> This uses a cache with proactive refresh.
>> http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>>
>>        Wietse
>
> That is exactly what Peer Heinlein also uses in his book but what I
> forgot to mention. I like this idea as it better isolates your DMZ
> server than when you have your DMZ server access your MySQL database.
>
> So am I correct that the general population would recommend/prefer
> virtual mailbox domains over relay domains in this situation?

Real-time access to the full recipient table (be it via LDAP or SQL)
is more reliable/predictable than a partial cache.  Accessing and
caching the data via SMTP/LMTP is perhaps a lower attack surface
than the LDAP or MySQL protocols, but not by much.  My personal
preference in such a situation is to use LDAP or SQL.  With LDAP
you can spin-up a replica service that is colocated in the DMZ.

--
        Viktor.