"default_transport" not working in all cases

Hi

In a local machine i have the following setup to prevent sending outside
and catch some domain local, but why in the world is the second log-entry
relayed instead reject like the first one?

default_transport = error:5.1.2 mail to remote domains not permitted

Now i fixed this problem with "relayhost = 127.0.0.1" but this is a dirty workaround
This seems to happen everytime a subdomain is involved and maybe postfix 2.8.0 only
____________________

Feb 21 13:23:05 postfix/smtpd[13782]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.2
<[hidden email]>: Recipient address rejected: mail to remote domains not permitted; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<[127.0.0.1]>

Feb 21 13:25:22 postfix/cleanup[13829]: 4088648A8: message-id=<[hidden email]>
Feb 21 13:25:22 postfix/qmgr[13436]: 4088648A8: from=<[hidden email]>, size=714, nrcpt=1 (queue active)
Feb 21 13:25:23 postfix/smtp[13835]: Host offered STARTTLS: [cluster8.us.messagelabs.com]
Feb 21 13:25:23 postfix/smtp[13835]: 4088648A8: to=<[hidden email]>,
relay=cluster8.us.messagelabs.com[216.82.254.195]:25, delay=1.2, delays=0.07/0.01/0.7/0.38, dsn=2.0.0, status=sent
(250 ok 1298291123 qp 22271 server-11.tower-200.messagelabs.com!1298291122!61653925!1)

Feb 21 13:41:52 postfix/qmgr[14369]: 2D60D3DF7: from=<[hidden email]>, size=729, nrcpt=1 (queue active)
Feb 21 13:41:52 postfix/smtp[14418]: warning: relayhost configuration problem
Feb 21 13:41:52 postfix/smtp[14418]: 2D60D3DF7: to=<[hidden email]>, relay=none, delay=0.05,
delays=0.03/0.01/0/0, dsn=4.3.5, status=deferred (mail for 127.0.0.1 loops back to myself)

On 2011-02-21 7:43 AM, Reindl Harald wrote:
> Feb 21 13:41:52 postfix/smtp[14418]: warning: relayhost configuration problem
> Feb 21 13:41:52 postfix/smtp[14418]: 2D60D3DF7: to=<[hidden email]>, relay=none, delay=0.05,
> delays=0.03/0.01/0/0, dsn=4.3.5, status=deferred (mail for 127.0.0.1 loops back to myself)

The above should be enough...

--

Best regards,

Charles

It seems you did not read my mail

Am 21.02.2011 13:51, schrieb Charles Marcus:
> On 2011-02-21 7:43 AM, Reindl Harald wrote:
>> Feb 21 13:41:52 postfix/smtp[14418]: warning: relayhost configuration problem
>> Feb 21 13:41:52 postfix/smtp[14418]: 2D60D3DF7: to=<[hidden email]>, relay=none, delay=0.05,
>> delays=0.03/0.01/0/0, dsn=4.3.5, status=deferred (mail for 127.0.0.1 loops back to myself)
>
> The above should be enough...

This is AFTER "relayhost = 127.0.0.1"

"default_transport = error:5.1.2 mail to remote domains not permitted"
should reject and does not if the target is a subdomain

The following is the expected result and you see that "relayhost = 127.0.0.1"
is not triggered because "default_transport" is working, but why not for
"[hidden email]"?

Feb 21 13:55:38 postfix/smtpd[14674]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.2
<[hidden email]>: Recipient address rejected: mail to remote domains not permitted; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<[127.0.0.1]>

The same with postfix 1.8.1

The first one respects "default_transport = error:5.1.2 mail to remote domains not permitted" but the second one
must be catched with "relayhost = 127.0.0.1" to prevent relay to the internet which is also active while sending
the first testmail but "relayhost" should not be triggered as long postfix should reject the "rcpt to"

Feb 23 12:52:59 localhost postfix/error[16747]: 0FAAADDD7: to=<[hidden email]>, relay=none, delay=0.09,
delays=0.05/0.04/0/0.01, dsn=5.1.2, status=bounced (mail to remote domains not permitted)

Feb 23 12:53:43 localhost postfix/smtp[16770]: 9E90BE051: to=<[hidden email]>, relay=none, delay=0.07,
delays=0.01/0.05/0/0, dsn=4.3.5, status=deferred (mail for 127.0.0.1 loops back to myself)

regards from austria

Am 21.02.2011 13:43, schrieb Reindl Harald:

Reindl Harald:
> The same with postfix 1.8.1
>
> The first one respects "default_transport = error:5.1.2 mail to remote dom
>-ains not permitted" but the second one
> must be catched with "relayhost = 127.0.0.1" to prevent relay to the inter
>-net which is also active while sending
> the first testmail but "relayhost" should not be triggered as long postfix
>- should reject the "rcpt to"

If you have a problem with Postfix, and you would like to see that
problem fixed, then you need to provide ONE SIMPLE EXAMPLE that
reproduces the problem.

Set up a secondary Postfix instance if you don't want to interfere
with real mail.

The SIMPLEr the example is, the more likely someone is to actually
spend the time to figure out the problem.

The biggest mistakes you can make are:

- Spoon feeding: spreading out the problem report over several
  submissions. No-one has responded after your second post in this
  thread.

- Distraction: presenting "solutions" that are obviously wrong such
  as "relayhost = 127.0.0.1". The only response in this thread was
  about the obviously wrong solution, which was a complete waste
  of everyone's resources.

        Wietse

Am 23.02.2011 14:44, schrieb Wietse Venema:

> If you have a problem with Postfix, and you would like to see that
> problem fixed, then you need to provide ONE SIMPLE EXAMPLE that
> reproduces the problem.

This is a example, i do not know how to make it simpler
because there is only one line in the main.cf about we speak

* main.cf: local_transport = error:5.1.2 local transport not permitted
* So no mail to external domains should be relayed
* send mail to "[hidden email]" -> reject as expected
* send mail to "[hidden email]" -> postfix try to relay

> Set up a secondary Postfix instance if you don't want to interfere
> with real mail.

We are speaking about a local testserver which never should relay anything

> - Distraction: presenting "solutions" that are obviously wrong such
>   as "relayhost = 127.0.0.1". The only response in this thread was
>   about the obviously wrong solution, which was a complete waste
>   of everyone's resources.

sorry but this is a workaround to prevent our clients getting testmails
from local machines (cronjobs and such things)

Reindl Harald:
This means, Postfix will not deliver mail to LOCAL DESTINATIONS.

> * So no mail to external domains should be relayed

No, local_transport is for LOCAL DESTINATIONS.

        Wietse

Wietse Venema:
I would also like to remind you that Postfix has more than
one address class for remote delivery:

- default_transport for everything else

- relay_transport for domains that match relay_domains

- local_transport for destinations that match mydestination/inet_interfaces

- virtual_transport for destinations that match virtual_mailbox_domains

- error transport for destinations that match virtual_alias_domains

        Wietse

Sorry that was the wrong line :-(

default_transport = error:5.1.2 mail to remote domains not permitted

in my understanding postfix should never relay any message outside
after this is set, but it happens on some target domains / subdomains

Am 23.02.2011 15:27, schrieb Wietse Venema: --

Mit besten Grüßen, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

Reindl Harald:
> Sorry that was the wrong line :-(
>
> default_transport = error:5.1.2 mail to remote domains not permitted
>

See http://www.postfix.org/DEBUG_README.html#mail for how to submit
a proper error report.

You violated rule number 1: provide "postconf -n" output instead
of pasting lines from faulty memory.

Provide evidence that your destination is in the DEFAULT CLASS,
not in the RELAY CLASS, or some other class.

http://www.postfix.org/ADDRESS_CLASS_README.html

Again, "postconf -n" output is needed to ascertain that other
address classes are not coming into play.

        Wietse

Sorry, here the output of "postconf -n" and some more information
"de.bp.com" does not exist anywhere and so why the sceond log entry?

Feb 21 13:23:05 postfix/smtpd[13782]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.2
<[hidden email]>: Recipient address rejected: mail to remote domains not permitted;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[127.0.0.1]>

Feb 21 13:25:22 postfix/cleanup[13829]: 4088648A8: message-id=<[hidden email]>
Feb 21 13:25:22 postfix/qmgr[13436]: 4088648A8: from=<[hidden email]>, size=714, nrcpt=1 (queue active)
Feb 21 13:25:23 postfix/smtp[13835]: Host offered STARTTLS: [cluster8.us.messagelabs.com]
Feb 21 13:25:23 postfix/smtp[13835]: 4088648A8: to=<[hidden email]>,
relay=cluster8.us.messagelabs.com[216.82.254.195]:25, delay=1.2, delays=0.07/0.01/0.7/0.38, dsn=2.0.0,
status=sent (250 ok 1298291123 qp 22271 server-11.tower-200.messagelabs.com!1298291122!61653925!1)
_____________

mysql-transport.cf:
select transport from
 dbma_transports where mydestination like '%s'
 or mydestination like '%d'
 order by transport desc limit 1;

mysql> select * from dbma_transports where mydestination like '%bp%';
+---------------+--------------------------+
| mydestination | transport                |
+---------------+--------------------------+
| at.bp.com     | dbmail-lmtp:127.0.0.1:24 |
| bp.com        | dbmail-lmtp:127.0.0.1:24 |
| webpim.at     | dbmail-lmtp:127.0.0.1:24 |
+---------------+--------------------------+
3 rows in set (0.01 sec)
_____________

mysql-mydestination.cf:
select transport from dbma_mta where mydestination like '%s';

mysql> select * from dbma_mta where mydestination like '%bp%';
+---------------+--------------------------+
| mydestination | transport                |
+---------------+--------------------------+
| at.bp.com     | dbmail-lmtp:127.0.0.1:24 |
| bp.com        | dbmail-lmtp:127.0.0.1:24 |
| webpim.at     | dbmail-lmtp:127.0.0.1:24 |
+---------------+--------------------------+
3 rows in set (0.00 sec)
_____________

address_verify_sender = [hidden email]
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
anvil_rate_time_unit = 1800s
body_checks_size_limit = 65535
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_failed_cohort_limit = 5
default_destination_concurrency_limit = 5
default_destination_rate_delay = 1
default_destination_recipient_limit = 15
default_transport = error:5.1.2 mail to remote domains not permitted
double_bounce_sender = [hidden email]
fast_flush_domains =
html_directory = no
in_flow_delay = ${stress?2}${stress:0}s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
lmtp_connection_cache_time_limit = 30
local_recipient_maps = mysql:/etc/postfix/mysql-recipients.cf
local_transport = error:5.1.2 local transport not permitted
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_idle = 60
maximal_backoff_time = 5400
maximal_queue_lifetime = 3d
message_size_limit = 36700160
minimal_backoff_time = 900
mydestination = mysql:/etc/postfix/mysql-mydestination.cf
myhostname = rh.thelounge.net
mynetworks = 127.0.0.0/8, proxy:mysql:/etc/postfix/mysql-mynetworks.cf
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_run_delay = 240
readme_directory = /usr/share/doc/postfix-2.8.1/README_FILES
recipient_canonical_maps = mysql:/etc/postfix/mysql-rewritedomains.cf
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.8.1/samples
sender_canonical_maps = mysql:/etc/postfix/mysql-rewritesenders.cf
sender_dependent_relayhost_maps = mysql:/etc/postfix/mysql-sender_relay_hosts.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = ${stress?15}${stress:45}s
smtp_destination_concurrency_limit = 5
smtp_helo_timeout = ${stress?45}${stress:180}s
smtp_mail_timeout = ${stress?45}${stress:180}s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = mysql:/etc/postfix/mysql-sender_relay_hosts_auth.cf
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname hardened ESMTP
smtpd_client_connection_rate_limit = 50
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining
smtpd_discard_ehlo_keywords = silent-discard, etrn, dsn
smtpd_error_sleep_time = ${stress?1}${stress:2}s
smtpd_hard_error_limit = ${stress?5}${stress:10}
smtpd_proxy_options = speed_adjust
smtpd_recipient_restrictions = permit_mynetworks, reject_authenticated_sender_login_mismatch,
permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining,
check_recipient_access mysql:/etc/postfix/mysql-spamfilter.cf
smtpd_reject_footer = as customer please use smtp-authentication, as admin make sure your server has a valid
reverse-lookup and HELO, time: $localtime, client: $client_address, server: $server_name
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-senderaccess.cf
smtpd_sender_restrictions = permit_mynetworks, reject_authenticated_sender_login_mismatch,
permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_unknown_recipient_domain
smtpd_soft_error_limit = ${stress?2}${stress:5}
smtpd_tls_CAfile = /etc/postfix/certs/localhost.pem
smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
transport_maps = mysql:/etc/postfix/mysql-transport.cf
transport_retry_time = 30
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550


Am 23.02.2011 15:45, schrieb Wietse Venema:

On Wed, Feb 23, 2011 at 05:32:16PM +0100, Reindl Harald wrote:

> "de.bp.com" does not exist anywhere and so why the sceond log entry?

Subdomains of domains in mydestination are by default relay domains.
Set "relay_domains = " (empty) if you have no relay domains. For
relay_domains, Postfix uses "relay_transport".

> mysql-transport.cf:
> select transport from
>  dbma_transports where mydestination like '%s'
>  or mydestination like '%d'
>  order by transport desc limit 1;

This type of fuzzy "like" query is highly questionable in this context.
What's wrong with "="? Why match both "%s" and "%d"? I think you're
somewhat confused here, even if it does mostly work.

--
        Viktor.

Reindl Harald:
> Sorry, here the output of "postconf -n" and some more information
> "de.bp.com" does not exist anywhere and so why the sceond log entry?

Obviously, the address does not resolve to the default_transport.

To find out what the address DOES resolve to:

- Does the domain match $mydestination?
  http://www.postfix.org/postconf.5.html#mydestination

- Does the domain match $relay_domains including parent domains?
  http://www.postfix.org/postconf.5.html#relay_domains

- What about transport_maps? Other routing overrides?

Until you have this resolved, I recommend that you temporarily
replace your MySQL tables by their hash table equivalents. These
have more predictable semantics.

        Wietse

Am 23.02.2011 17:47, schrieb Victor Duchovni:
> On Wed, Feb 23, 2011 at 05:32:16PM +0100, Reindl Harald wrote:
>
>> "de.bp.com" does not exist anywhere and so why the sceond log entry?
>
> Subdomains of domains in mydestination are by default relay domains.
> Set "relay_domains = " (empty) if you have no relay domains. For
> relay_domains, Postfix uses "relay_transport".

Thank you for the information

Can anybody explain why this default exists because
it is not very clear for me and maybe others

>> mysql-transport.cf:
>> select transport from
>>  dbma_transports where mydestination like '%s'
>>  or mydestination like '%d'
>>  order by transport desc limit 1;
>
> This type of fuzzy "like" query is highly questionable in this context.
> What's wrong with "="? Why match both "%s" and "%d"? I think you're
> somewhat confused here, even if it does mostly work.

this is because "dbma_transports" is a view and "dbma_recipient_relay" is for
sender dependent relay hosts

[root@nb-rhsoft:/etc/postfix]$ cat mysql-sender_relay_hosts.cf
user          = dbmail
password      = ****
dbname        = dbmail
hosts         = unix:/var/lib/mysql/mysql.sock inet:127.0.0.1:3307
query         = select transport from dbma_sender_relay where email like '%s'

[root@nb-rhsoft:/etc/postfix]$ cat mysql-sender_relay_hosts_auth.cf
user          = dbmail
password      = ****
dbname        = dbmail
hosts         = unix:/var/lib/mysql/mysql.sock inet:127.0.0.1:3307
query         = select concat(username, ':', password) from dbma_sender_relay where email like '%s'

CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `dbma_transports` AS select
`dbma_mta`.`mydestination` AS `mydestination`,`dbma_mta`.`transport` AS `transport` from `dbma_mta` union (select
`dbma_recipient_relay`.`mydestination` AS `mydestination`,`dbma_recipient_relay`.`transport` AS `transport` from
`dbma_recipient_relay`)

Am 23.02.2011 17:49, schrieb Wietse Venema:
> Reindl Harald:
>> Sorry, here the output of "postconf -n" and some more information
>> "de.bp.com" does not exist anywhere and so why the sceond log entry?
>
> Obviously, the address does not resolve to the default_transport.

this was not clear for me because i thought subdomains are working
exactly like "normal" domains

Now it works as expected, deliver any message to dbmail-lmtp if it
is configured or reject the message because this is only a local
testserver with exactly the same backend/config as our real one
with the excepzion it should never relay

default_transport = error:5.1.2 mail to remote domains not permitted
local_transport   = error:5.1.2 local transport not permitted
relay_transport   = error:5.1.2 relay transport not permitted

Feb 23 18:02:09 localhost postfix/smtpd[31293]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.2
<[hidden email]>: Recipient address rejected: relay transport not permitted; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<[127.0.0.1]>
mysql is strongly needed because we are speaking about a dbmail/postfix
backend where never any configuration should be outside the database

thank you!

On Wed, Feb 23, 2011 at 05:56:35PM +0100, Reindl Harald wrote:

What's wrong with "mydestination = '%s'"? Why are you using "like '%s'"?
Surely the destination domain is not a wildcard pattern, but is rather
a literal string.

--
        Viktor.

Am 23.02.2011 18:16, schrieb Victor Duchovni: Example:

%s = [hidden email]
mydestination = [hidden email]

where mydestination='%s' will fail because it is case-sensitive
where mydestination like '%s' does the same an is case-in-sensitive

On Wed, Feb 23, 2011 at 06:25:56PM +0100, Reindl Harald wrote:

No, except with regexp tables, postfix always folds lookup keys to
lower case.

> where mydestination='%s' will fail because it is case-sensitive
> where mydestination like '%s' does the same an is case-in-sensitive

This is not correct.

--
        Viktor.

Am 23.02.2011 18:29, schrieb Victor Duchovni: cool - this means i do not need any like in any postfix-mysql-config
what is faster because keys are used, nice to know, i wanted to get
sure that there nothing fails while making this setup a year ago

> cool - this means i do not need any like in any postfix-mysql-config what is
> faster because keys are used, nice to know, i wanted to get sure that there
> nothing fails while making this setup a year ago

Depending on what character set you are using, it could be a problem but the fix is simple, UPPER(%s) or LOWER(%s) (based on how your data is stored). I agree to dumping LIKE for performance reasons.