masquerade_domains not working

masquerade_domains not working

Richie Rich
My company, "myco.com", accepts mail for many other domains (doma.com, domb.com, etc.)
All of these domains are listed in $mydestination, and are routed via /etc/aliases, or /etc/postfix/virtual.

masquerade_domains = doma.com, domb.com, myco.com

If I send mail to a subdomain of myco.com, like [hidden email], the "To" address gets changed (masq'd) to [hidden email]. If I change masquerade_domains to include "!sdom1.myco.com", I avoid masq'ing that sub domain. This is expected based on the ADDRESS_REWRITING_README.

However, mail to [hidden email] is not masq'd despite the presence of doma.com in $masquerade_domains. My expectation is that [hidden email] would be changed to [hidden email].

I've read the ADDRESS_REWRITING_README, but I don't see where I've gone wrong.
Am I approaching this the right way?

Any help is appreciated.
Thanks!

richf

Sent from my iPad

Re: masquerade_domains not working

Viktor Dukhovni

> On Jan 14, 2017, at 2:51 PM, Richie Rich <[hidden email]> wrote:
>
> However, mail to [hidden email] is not masq'd despite the presence of doma.com in $masquerade_domains. My expectation is that [hidden email] would be changed to [hidden email].

The masquerade_domains facility shortens sub-domains of a domain to *that*
parent domain; it does not rewrite domains to a different parent domain.

--
        Viktor.
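The rule Viktor states, shown as an added example that is neither part of the thread nor Postfix's own code: a small Python emulation of the masquerade_domains matching documented in postconf(5), run against the original poster's domain list. It assumes only the documented behaviour: entries are tried left to right, the first entry that equals the address's domain or is a parent of it wins, a `!` entry means leave the address (and its sub-domains) alone, and local parts listed in masquerade_exceptions (`root` by default) are never rewritten. Function names and the `OP_SETTING` constant are the example's own; which headers actually get rewritten is selected by masquerade_classes and is not modelled.

```python
"""Emulation of the masquerade_domains matching rule from postconf(5).

Added example (not Postfix code and not from anyone in the thread). It models
only how cleanup(8) picks the parent domain; which headers get rewritten is
governed by masquerade_classes and is not modelled here.
"""


def parse_masquerade_domains(setting: str) -> list:
    """Split a masquerade_domains value into (domain, excluded) pairs, in order.

    Postfix accepts commas and/or whitespace as separators; a leading '!'
    marks a domain (and its sub-domains) that must not be masqueraded.
    """
    entries = []
    for token in setting.replace(",", " ").split():
        excluded = token.startswith("!")
        entries.append((token.lstrip("!").lower(), excluded))
    return entries


def masquerade(address: str, domains: list, exceptions=("root",)) -> str:
    """Return the address as it would look after masquerade_domains processing.

    The list is walked left to right and processing stops at the first entry
    that equals the address's domain or is a parent of it. A matching '!'
    entry leaves the address alone; otherwise the sub-domain structure is
    stripped down to that entry. Nothing ever maps a domain onto a *different*
    parent, which is what the original poster expected to happen.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or local.lower() in exceptions:
        return address            # no domain part, or a masquerade_exceptions user
    domain = domain.lower()
    for parent, excluded in domains:
        if domain == parent or domain.endswith("." + parent):
            return address if excluded else f"{local}@{parent}"
    return address                # domain is not under any listed parent


# The original poster's setting, with the '!' exception listed first: since
# processing stops at the first match, an exclusion must precede its parent.
OP_SETTING = "!sdom1.myco.com, doma.com, domb.com, myco.com"
OP_DOMAINS = parse_masquerade_domains(OP_SETTING)

if __name__ == "__main__":
    for addr in ("user@sdom.myco.com", "user@sdom1.myco.com", "user@doma.com",
                 "user@deep.sub.doma.com", "root@sdom.myco.com"):
        print(f"{addr:28} -> {masquerade(addr, OP_DOMAINS)}")
```

Running it shows `user@sdom.myco.com` shortened to `user@myco.com`, `user@sdom1.myco.com` left alone by the `!` entry, and `user@doma.com` unchanged because doma.com is itself a listed parent and nothing maps it onto myco.com. Note the ordering caveat in the comment: with `myco.com` listed before `!sdom1.myco.com` the exclusion is never reached.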


Re: masquerade_domains not working

Richie Rich
Thanks for the quick response. Can you point me in a direction to accomplish what I'm trying to do?
I'm totally new to postfix.

Again, thanks.


On Sat, Jan 14, 2017 at 2:54 PM, Viktor Dukhovni <[hidden email]> wrote:

> > On Jan 14, 2017, at 2:51 PM, Richie Rich <[hidden email]> wrote:
> >
> > However, mail to [hidden email] is not masq'd despite the presence of doma.com in $masquerade_domains. My expectation is that [hidden email] would be changed to [hidden email].
>
> The masquerade_domains facility shortens sub-domains of a domain to *that*
> parent domain; it does not rewrite domains to a different parent domain.
>
> --
>         Viktor.



Re: masquerade_domains not working

Jan Ceuleers
On 14/01/17 20:58, Richie Rich wrote:
> Thanks for the quick response. Can you point me in a direction to
> accomplish what I'm trying to do?
> I'm totally new to postfix.

I am by no means an expert, but I do hope that the following helps:

http://www.postfix.org/postconf.5.html#smtp_generic_maps for the
outgoing side and
http://www.postfix.org/postconf.5.html#virtual_alias_maps for the
incoming side.


Fwd: masquerade_domains not working

Dominic Raferd


On 15 January 2017 at 08:51, Jan Ceuleers <[hidden email]> wrote:
> On 14/01/17 20:58, Richie Rich wrote:
> > Thanks for the quick response. Can you point me in a direction to
> > accomplish what I'm trying to do?
> > I'm totally new to postfix.
>
> I am by no means an expert, but I do hope that the following helps:
>
> http://www.postfix.org/postconf.5.html#smtp_generic_maps for the
> outgoing side and
> http://www.postfix.org/postconf.5.html#virtual_alias_maps for the
> incoming side.


Yes I agree that for incoming mails, virtual_alias_maps is the way to go, I use 'virtual_alias_maps = pcre:/etc/postfix/virtual' and file 'virtual' looks a bit like this (data obfuscated):

if /@streamingbats\.co(m|\.uk)$/
/^(input|sarah[-0-9a-z]*)@/ [hidden email]
/^(admin|administrator|dominic|MAILER-DAEMON|paypal|payments|vps1|dl[12]|pbx|timedicer[12]?|hostmaster|postmaster|abuse)@/ [hidden email]
endif
/@streamingbats\.co(m|\.uk)$/ root@localhost

I wrote a script to auto-configure postfix and inter alia this builds a file 'filtered_names' from my 'virtual' file. In one of my restrictions lists I have line 'check_recipient_access pcre:/etc/postfix/filtered_names'. This blocks emails to anyone@mydomains that isn't one of the names explicitly remapped in my virtual file (except for authenticated senders) and looks a bit like this:

if /@streamingbats\.co(m|\.uk)$/
/^accounts@/ OK
/^adam@/ OK
/^(input|sarah[-0-9a-z]*)@/ OK
/^(admin|administrator|dominic|MAILER-DAEMON|paypal|payments|vps1|dl[12]|pbx|timedicer[12]?|hostmaster|postmaster|abuse)@/ OK
endif
/@streamingbats\.co(m|\.uk)$/ REJECT

For the outgoing mails, I originally used smtp_generic_maps but when I started using opendkim I needed to switch to canonical (http://www.postfix.org/canonical.5.html) - because the changes made by canonical happen before milters (including opendkim), otherwise opendkim's key line header is immediately broken by smtp_generic_maps' address rewriting. So I have a line 'canonical_maps = hash:/etc/postfix/canonical' and canonical file looks a bit like this:

There may be simpler ways of achieving the same objectives (and I'd be interested to hear of them), but these work for me.
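To make the `if`/`endif` tables above concrete, here is an added example (not Postfix code and not Dominic's script) that evaluates pcre_table(5)-style files in Python and runs both of his tables through it. Python's `re` module stands in for the PCRE library, which is adequate for the patterns shown; the modelled rules are those documented for pcre_table(5): lines are tried in order and the first matching rule wins, an `if /pattern/` line opens a block that is skipped unless the key matches, matching is case-insensitive by default with the `i` flag toggling that, and `$1`..`$9` in a result expand to capture groups. The mailbox addresses hidden in the post are replaced by constructed placeholders in example.invalid; `parse_pcre_table`, `lookup` and the table constants are the example's own names.

```python
"""Evaluator for Postfix pcre_table(5) files with if/endif blocks.

Added example, not Postfix code and not the script from the post. Python's
re module stands in for PCRE; that is adequate for the patterns in the thread.
"""
import re

# One table line: optional "if", /pattern/, optional flags, optional result.
_LINE = re.compile(
    r"^(?P<if>if\s+)?/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)(?:\s+(?P<result>\S.*))?$"
)


def _compile(pattern: str, flags: str) -> re.Pattern:
    opts = re.IGNORECASE           # pcre_table default: case-insensitive
    if "i" in flags:
        opts &= ~re.IGNORECASE     # the 'i' flag toggles case sensitivity on
    if "x" in flags:
        opts |= re.VERBOSE
    return re.compile(pattern, opts)


def parse_pcre_table(text: str) -> list:
    """Parse table text into (kind, regex, result) triples; kind is if/endif/rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            rules.append(("endif", None, None))
            continue
        m = _LINE.match(line)
        if not m or (not m.group("if") and m.group("result") is None):
            raise ValueError(f"unparseable pcre table line: {raw!r}")
        kind = "if" if m.group("if") else "rule"
        rules.append((kind, _compile(m.group("pat"), m.group("flags")), m.group("result")))
    return rules


def lookup(rules: list, key: str):
    """Return the result of the first matching rule, or None when nothing matches."""
    skipping = 0                   # nesting depth of if-blocks whose condition failed
    for kind, regex, result in rules:
        if skipping:
            if kind == "if":
                skipping += 1
            elif kind == "endif":
                skipping -= 1
            continue
        if kind == "if":
            if not regex.search(key):
                skipping = 1
        elif kind == "rule":
            m = regex.search(key)
            if m:
                # Postfix writes captures as $1; re.Match.expand wants \1.
                return m.expand(re.sub(r"\$(\d)", r"\\\1", result))
    return None


# Dominic's two tables, with the addresses hidden in the post replaced by
# constructed placeholders under example.invalid.
VIRTUAL_TABLE = r"""
if /@streamingbats\.co(m|\.uk)$/
/^(input|sarah[-0-9a-z]*)@/ sarah-mailbox@example.invalid
/^(admin|administrator|dominic|MAILER-DAEMON|paypal|payments|vps1|dl[12]|pbx|timedicer[12]?|hostmaster|postmaster|abuse)@/ admin-mailbox@example.invalid
endif
/@streamingbats\.co(m|\.uk)$/ root@localhost
"""

ACCESS_TABLE = r"""
if /@streamingbats\.co(m|\.uk)$/
/^accounts@/ OK
/^adam@/ OK
/^(input|sarah[-0-9a-z]*)@/ OK
/^(admin|administrator|dominic|MAILER-DAEMON|paypal|payments|vps1|dl[12]|pbx|timedicer[12]?|hostmaster|postmaster|abuse)@/ OK
endif
/@streamingbats\.co(m|\.uk)$/ REJECT
"""

VIRTUAL = parse_pcre_table(VIRTUAL_TABLE)
ACCESS = parse_pcre_table(ACCESS_TABLE)

if __name__ == "__main__":
    for rcpt in ("sarah-2@streamingbats.co.uk", "Postmaster@streamingbats.com",
                 "nobody@streamingbats.com", "sarah@elsewhere.invalid"):
        print(f"{rcpt:32} access={lookup(ACCESS, rcpt)!s:7} virtual={lookup(VIRTUAL, rcpt)}")
```

Running it makes the division of labour visible: the virtual table's final catch-all line maps any unknown local part to root@localhost, so it is the separate check_recipient_access table, with its REJECT fallback, that keeps the server from accepting mail for names that do not exist.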

Re: masquerade_domains not working

Richie Rich
Thanks for the replies. I really appreciate the help.

I am already leveraging /etc/postfix/virtual to route traffic to my "hosted domains".

The problem I'm trying to solve, simply stated, is that I need to be able to selectively masquerade inbound email to my hosted domains.
So, [hidden email] will see his mail addressed to [hidden email], but [hidden email] might see his mail addressed to [hidden email], our canonical domain name.





Re: masquerade_domains not working

Viktor Dukhovni
On Sun, Jan 15, 2017 at 01:02:37PM -0500, Richie Rich wrote:

> Thanks for the replies. I really appreciate the help.
>
> I am already leveraging /etc/postfix/virtual to route traffic to my "hosted
> domains".
>
> The problem I'm trying to solve, simply stated, is that I need to be able
> to selectively masquerade inbound email to my hosted domains.
> So, [hidden email] will see his mail addressed to [hidden email], but
> [hidden email] might see his mail addressed to [hidden email], our canonical
> domain name.

I recommend against masquerading, because it breaks recipient
validation.  Instead, construct a table of all the valid addresses
for each user, and use canonical_maps.

--
        Viktor.

Re: masquerade_domains not working

Richie Rich
As a side note, we are migrating to Postfix. In our current Sendmail environment, we accomplish the requisite masquerading by adding each domain to /etc/mail/local-host-names.
This accomplishes the masquerading piece and allows for virtual hosting. Then for those domains we do not want to masquerade, we edit sendmail.cf and add a CN entry.

Easy peasy.


On Sun, Jan 15, 2017 at 1:02 PM, Richie Rich <[hidden email]> wrote:
> Thanks for the replies. I really appreciate the help.
>
> I am already leveraging /etc/postfix/virtual to route traffic to my "hosted domains".
>
> The problem I'm trying to solve, simply stated, is that I need to be able to selectively masquerade inbound email to my hosted domains.
> So, [hidden email] will see his mail addressed to [hidden email], but [hidden email] might see his mail addressed to [hidden email], our canonical domain name.






Re: masquerade_domains not working

Richie Rich
Thank you. I understand, but this requirement is imposed by my business unit...

I haven't tried canonical_maps yet, but I was about to head down that road.
I'll give it a shot.


On Sun, Jan 15, 2017 at 1:12 PM, Viktor Dukhovni <[hidden email]> wrote:
> On Sun, Jan 15, 2017 at 01:02:37PM -0500, Richie Rich wrote:
> > Thanks for the replies. I really appreciate the help.
> >
> > I am already leveraging /etc/postfix/virtual to route traffic to my "hosted
> > domains".
> >
> > The problem I'm trying to solve, simply stated, is that I need to be able
> > to selectively masquerade inbound email to my hosted domains.
> > So, [hidden email] will see his mail addressed to [hidden email], but
> > [hidden email] might see his mail addressed to [hidden email], our canonical
> > domain name.
>
> I recommend against masquerading, because it breaks recipient
> validation.  Instead, construct a table of all the valid addresses
> for each user, and use canonical_maps.
>
> --
>         Viktor.


Re: masquerade_domains not working

Viktor Dukhovni

> On Jan 15, 2017, at 1:12 PM, Viktor Dukhovni <[hidden email]> wrote:
>
> I recommend against masquerading, because it breaks recipient
> validation.  Instead, construct a table of all the valid addresses
> for each user, and use canonical_maps.

To be more precise, it is not that masquerading directly breaks
recipient validation, but rather that accepting mail for
an arbitrary sub-domain of a domain, as well as the domain itself,
requires recipient validation to take place after rewriting,
but the Postfix smtpd(8) server performs validation on the original
input address prior to rewriting (which happens in cleanup(8)).

If the goal is just to map [hidden email] to [hidden email] without
also accepting mail for [hidden email], then masquerading is
entirely the wrong tool for the job (it is perhaps unfortunate
that Postfix and Sendmail use the same name for noticeably different
mechanisms).

Mapping of secondary domains to primary domains is best accomplished
with canonical_maps, and wildcards need to be avoided in order to
retain recipient validation and not become a backscatter source.

Therefore, build tables of explicit [hidden email] -> [hidden email]
canonical mappings.  In Microsoft Exchange environments this is
accomplished by using LDAP to resolve "proxyAddresses = smtp:%s"
(each secondary address) to "mail" (the primary address).

--
        Viktor.


Re: masquerade_domains not working

Richie Rich
I'm sorry Viktor, but it seems I didn't make my goal clear. Here it is again restated.

Our canonical domain is example.com
Two of our hosted domains are domainA.com, and domainB.com. These are not subdomains of example.com, but rather separate domains entirely that are delivered locally.

The goal is that users in domainA.com will see their mail as being addressed to [hidden email], but
users in domainB.com will see their mail as being addressed to [hidden email]

I have tested using canonical_maps where:
[hidden email]    [hidden email]

This seems to do what I need it to do, though once I spend some time with it I may need to check out regexp_table.
Thankfully I'm no stranger to regexes :)

Thanks to all that responded!





On Sun, Jan 15, 2017 at 1:31 PM, Viktor Dukhovni <[hidden email]> wrote:

> > On Jan 15, 2017, at 1:12 PM, Viktor Dukhovni <[hidden email]> wrote:
> >
> > I recommend against masquerading, because it breaks recipient
> > validation.  Instead, construct a table of all the valid addresses
> > for each user, and use canonical_maps.
>
> To be more precise, it is not that masquerading directly breaks
> recipient validation, but rather that accepting mail for
> an arbitrary sub-domain of a domain, as well as the domain itself,
> requires recipient validation to take place after rewriting,
> but the Postfix smtpd(8) server performs validation on the original
> input address prior to rewriting (which happens in cleanup(8)).
>
> If the goal is just to map [hidden email] to [hidden email] without
> also accepting mail for [hidden email], then masquerading is
> entirely the wrong tool for the job (it is perhaps unfortunate
> that Postfix and Sendmail use the same name for noticeably different
> mechanisms).
>
> Mapping of secondary domains to primary domains is best accomplished
> with canonical_maps, and wildcards need to be avoided in order to
> retain recipient validation and not become a backscatter source.
>
> Therefore, build tables of explicit [hidden email] -> [hidden email]
> canonical mappings.  In Microsoft Exchange environments this is
> accomplished by using LDAP to resolve "proxyAddresses = smtp:%s"
> (each secondary address) to "mail" (the primary address).
>
> --
>         Viktor.



Re: masquerade_domains not working

Viktor Dukhovni

> On Jan 15, 2017, at 2:23 PM, Richie Rich <[hidden email]> wrote:
>
> I'm sorry Viktor, but it seems I didn't make my goal clear. Here it is again restated.

No need, I understood what you wanted the first time.

> I have tested using canonical_maps where:
> [hidden email]    [hidden email]

This is the correct approach.

> This seems to do what I need it to do, though once I spend
> some time with it I may need to check out regexp_table.
> Thankfully I'm no stranger to regexes :)

Save yourself the time and DO NOT go there.  Regular expression
mappings break recipient validation when used in canonical_maps
(on input).  If used on gateway relay, they can safely be used
on output in smtp_generic_maps, but then your recipient validation
still has to deal with all the variant addresses on input in some
manner.  So it is best to do the work just once in canonical_maps,
without any regex wildcards.

--
        Viktor.
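The ordering Viktor describes in his 1:31 PM message (smtpd(8) validates the recipient before cleanup(8) applies canonical_maps) and the warning in this last message against regex wildcards in canonical_maps, illustrated by one added example that is neither part of the thread nor Postfix code: a Python model of that pipeline, run with an explicit per-user canonical table beside a wildcard configuration. The `Gateway` class, its method names, the mailbox set, and the "catch-all domains" set standing in for wildcard recipient acceptance are the example's own assumptions, and the domains domaina.com, domainb.com and example.com are the placeholders used earlier in the thread; the model keeps only the order of the two steps and what must happen when a rewritten address turns out to have no mailbox.

```python
"""Model of why wildcard rewriting on input turns a Postfix gateway into a
backscatter source.

Added example, not Postfix code. It keeps only the ordering from the thread:
smtpd(8) checks the ORIGINAL recipient address; canonical_maps is applied
later by cleanup(8), after the message has been accepted; an accepted message
that then cannot be delivered has to be bounced to the envelope sender.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Constructed stand-in for one inbound Postfix path."""
    mailboxes: set                                       # addresses a real mailbox exists for
    recipient_table: set                                 # explicit addresses smtpd accepts
    catchall_domains: set = field(default_factory=set)   # domains accepted wholesale (wildcard)
    canonical: dict = field(default_factory=dict)        # exact canonical_maps entries
    canonical_regex: list = field(default_factory=list)  # (compiled pattern, replacement)

    def smtpd_rcpt(self, rcpt: str) -> bool:
        """Recipient validation as smtpd(8) does it: on the address as received."""
        domain = rcpt.rpartition("@")[2].lower()
        return rcpt.lower() in self.recipient_table or domain in self.catchall_domains

    def cleanup_rewrite(self, rcpt: str) -> str:
        """canonical_maps, applied by cleanup(8) only after the message was accepted."""
        key = rcpt.lower()
        if key in self.canonical:
            return self.canonical[key]
        for pattern, repl in self.canonical_regex:
            if pattern.search(key):
                return pattern.sub(repl, key)
        return key

    def handle(self, rcpt: str) -> str:
        """Run one recipient through the modelled pipeline and report the outcome."""
        if not self.smtpd_rcpt(rcpt):
            return "rejected at RCPT TO"      # sending MTA sees the 5xx; no bounce is generated
        final = self.cleanup_rewrite(rcpt)
        if final in self.mailboxes:
            return f"delivered as {final}"
        # Accepted, rewritten, then found undeliverable: a bounce now goes to the
        # envelope sender, which is how the wildcard setup becomes a backscatter source.
        return "accepted, then bounced (backscatter)"


MAILBOXES = {"alice@domaina.com", "bob@example.com"}

# Viktor's recommendation: one explicit entry per valid secondary address,
# both for recipient validation and for canonical_maps.
explicit = Gateway(
    mailboxes=MAILBOXES,
    recipient_table={"alice@domaina.com", "bob@domainb.com", "bob@example.com"},
    canonical={"bob@domainb.com": "bob@example.com"},
)

# The tempting shortcut: accept the whole secondary domain and rewrite it with a regex.
wildcard = Gateway(
    mailboxes=MAILBOXES,
    recipient_table={"alice@domaina.com", "bob@example.com"},
    catchall_domains={"domainb.com"},
    canonical_regex=[(re.compile(r"^(.*)@domainb\.com$"), r"\1@example.com")],
)

if __name__ == "__main__":
    for rcpt in ("bob@domainb.com", "nobody@domainb.com", "alice@domaina.com"):
        print(f"{rcpt:20} explicit: {explicit.handle(rcpt):38} wildcard: {wildcard.handle(rcpt)}")
```

Both configurations deliver `bob@domainb.com` to `bob@example.com`; they differ on `nobody@domainb.com`, which the explicit table refuses during the SMTP dialogue while the wildcard setup accepts it, rewrites it, and is then left holding a message it can only bounce.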


Re: masquerade_domains not working

Richie Rich
A word to the wise. Message received.

Again, thanks!