sender_dependent_default_transport_maps


sender_dependent_default_transport_maps

Jesper Dybdal-2
I have a new IP address of unknown quality (188.183.101.186).

I am therefore for the time being using an external smarthost.  But I
would like to test direct mail to various places by using a specific
sender address with no disturbance of other users.

So I have tried the following:

> root@nuser:~# postconf -n | egrep "relay|transport" |grep -v restrictions
> relayhost = [smarthost.arrowmail.co.uk]:587
> sender_dependent_default_transport_maps =
> cdb:/etc/postfix/sender_default_transport
>
> root@nuser:~# cat /etc/postfix/sender_default_transport
> [hidden email]     smtp

Which I had hoped would cause direct to MX delivery of mail from
[hidden email].
But mails from that address are still delivered to the smarthost.

So what have I misunderstood?  Is the syntax of
/etc/postfix/sender_default_transport not correct?

Log example:

> Sep 23 21:30:05 nuser postfix/qmgr[16383]: 46cZCd2SKMz4FSCx: from=<[hidden email]>, size=1869, nrcpt=1 (queue active)
> Sep 23 21:30:05 nuser amavis[14701]: (14701-09) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [10.148.46.2]:50022 <[hidden email]> -> <RECIPIENT>, Message-ID: <[hidden email]>, mail_id: UIl63qJ0WKFg, Hits: -2.899, size: 646, queued_as: 46cZCd2SKMz4FSCx, dkim_new=dybdal-20171111:dybdal.dk, 732 ms
> Sep 23 21:30:05 nuser postfix/587/smtpd[16385]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 46cZCd2SKMz4FSCx; from=<[hidden email]> to=<RECIPIENT> proto=ESMTP helo=<[10.148.46.2]>
> Sep 23 21:30:05 nuser postfix/587/smtpd[16385]: disconnect from spir.h.dybdal.dk[10.148.46.2] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
> Sep 23 21:30:05 nuser postfix/smtp[16396]: Untrusted TLS connection established to smarthost.arrowmail.co.uk[78.129.199.227]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
> Sep 23 21:30:05 nuser dovecot: imap(jdimap): Connection closed (IDLE running for 0.001 + waiting input for 0.002 secs, 2 B in + 10+0 B out, state=wait-input) in=7758 out=58197
> Sep 23 21:30:05 nuser postfix/smtp[16396]: 46cZCd2SKMz4FSCx: to=<RECIPIENT>, relay=smarthost.arrowmail.co.uk[78.129.199.227]:587, delay=0.59, delays=0.06/0.01/0.37/0.15, dsn=2.6.0, status=sent (250 2.6.0 Ok, message saved <Message-ID: <[hidden email]>>)
> Sep 23 21:30:05 nuser postfix/qmgr[16383]: 46cZCd2SKMz4FSCx: removed

postconf -n:

> root@nuser:~# postconf -n
> alias_database = cdb:/etc/aliases
> alias_maps = cdb:/etc/aliases
> append_dot_mydomain = no
> authorized_submit_users = /etc/postfix/authorized_submit_users
> biff = no
> body_checks = regexp:/etc/postfix/regexp_bodychecks
> body_checks_size_limit = 150000
> bounce_queue_lifetime = 1d
> broken_sasl_auth_clients = yes
> compatibility_level = 2
> default_database_type = cdb
> delay_warning_time = 2h
> enable_long_queue_ids = yes
> fast_flush_domains =
> header_checks = regexp:/etc/postfix/regexp_headerchecks
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> inet_protocols = ipv4
> local_header_rewrite_clients = permit_inet_interfaces,
> permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts
> mailbox_command = procmail -a "$RECIPIENT"
> mailbox_size_limit = 0
> message_size_limit = 52428800
> mime_header_checks = regexp:/etc/postfix/regexp_mimeheaderchecks
> mydestination = nuser.dybdal.dk, localhost.dybdal.dk,
> nuser.h.dybdal.dk, localhost.h.dybdal.dk, localhost
> myhostname = nuser.dybdal.dk
> mynetworks_style = host
> myorigin = /etc/mailname
> not_jd_access_check = check_recipient_access
> regexp:/etc/postfix/regexp_not_jd_access
> parent_domain_matches_subdomains =
> policy-spf_time_limit = 3600s
> rblaggressive = reject_rbl_client smtp.dnsbl.sorbs.net,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org,
> reject_rbl_client dul.dnsbl.sorbs.net, check_client_access
> regexp:/etc/postfix/regexp_allow_dk, reject_rbl_client bl.spamcop.net,
> rblcountries = reject_rbl_client zen.spamhaus.org, reject_rbl_client
> cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,
> check_client_access regexp:/etc/postfix/regexp_allow_dk,
> reject_rbl_client bl.spamcop.net, reject_rbl_client
> cn.countries.nerd.dk, reject_rbl_client kr.countries.nerd.dk,
> reject_rbl_client tw.countries.nerd.dk, reject_rbl_client
> ng.countries.nerd.dk
> rblmild = reject_rbl_client smtp.dnsbl.sorbs.net,
> rblnormal = reject_rbl_client smtp.dnsbl.sorbs.net,
> check_client_access regexp:/etc/postfix/regexp_allow_dk,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> readme_directory = /usr/share/doc/postfix
> recipient_access_check = check_recipient_access
> regexp:/etc/postfix/regexp_access,
> recipient_delimiter = +
> relayhost = [smarthost.arrowmail.co.uk]:587
> sasl_access_check = check_sasl_access
> regexp:/etc/postfix/regexp_sasl_access
> sender_bcc_maps = regexp:/etc/postfix/regexp_sender_bcc_maps
> sender_dependent_default_transport_maps =
> cdb:/etc/postfix/sender_default_transport
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = cdb:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous, noplaintext
> smtp_sasl_tls_security_options = noanonymous
> smtp_sender_dependent_authentication = yes
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_client_restrictions = recipient_access_check, permit_mynetworks,
> reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
> reject_non_fqdn_sender, check_sender_access
> regexp:/etc/postfix/regexp_sender, reject_unknown_sender_domain,
> reject_unknown_recipient_domain, reject_unlisted_recipient,
> reject_unauth_destination, permit
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_delay_reject = yes
> smtpd_discard_ehlo_keywords = silent-discard, etrn
> smtpd_etrn_restrictions = reject
> smtpd_helo_restrictions = not_jd_access_check, permit
> smtpd_recipient_restrictions = permit_mynetworks, check_client_access
> regexp:/etc/postfix/regexp_skip_spf_and_greylist_client,
> check_recipient_access
> regexp:/etc/postfix/regexp_skip_spf_and_greylist_recipient,
> check_policy_service unix:private/policy-spf, check_recipient_access
> regexp:/etc/postfix/regexp_greylist, check_client_access
> cidr:/etc/postfix/cidr_skip_greylist, permit_dnswl_client
> list.dnswl.org, check_policy_service inet:127.0.0.1:10023, permit
> smtpd_relay_restrictions = permit_mynetworks,
> reject_unauth_destination, permit
> smtpd_restriction_classes = rblmild, rblnormal, rblaggressive,
> rblcountries, recipient_access_check, sasl_access_check,
> not_jd_access_check, spamblock_senders
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_login_maps = regexp:/etc/postfix/regexp_sender_login_maps
> smtpd_sender_restrictions = permit_mynetworks, check_client_access
> cdb:/etc/postfix/checkip, check_client_access
> regexp:/etc/postfix/regexp_checkip,
> check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
> permit_dnswl_client list.dnswl.org=127.0.[0..255].[2..3],
> permit_dnswl_client list.dnswl.org=127.0.[3;5].[0..255],
> check_recipient_access regexp:/etc/postfix/regexp_select_rbl, permit
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/live/nuser.dybdal.dk/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/nuser.dybdal.dk/privkey.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
> smtputf8_enable = no
> spamblock_senders = check_sender_access
> regexp:/etc/postfix/regexp_spamblock_senders
> unknown_address_reject_code = 550
> virtual_alias_domains = regexp:/etc/postfix/virtual_regexp
> virtual_alias_maps = regexp:/etc/postfix/virtual_regexp
> root@nuser:~#
--

Jesper Dybdal
http://www.dybdal.dk


Re: sender_dependent_default_transport_maps

Viktor Dukhovni
> On Sep 23, 2019, at 3:48 PM, Jesper Dybdal <[hidden email]> wrote:
>
> I have tried the following:
>
>> relayhost = [smarthost.arrowmail.co.uk]:587
>> sender_dependent_default_transport_maps = cdb:/etc/postfix/sender_default_transport
>>
>> # cat /etc/postfix/sender_default_transport
>> [hidden email]     smtp
>
> Which I had hoped would cause direct to MX delivery of mail from [hidden email].
> But mails from that address are still delivered to the smarthost.

As documented in transport(5), when a transport table entry does not
specify an explicit nexthop, it uses the extant (default) nexthop
for the recipient.  In your case that's specified via "relayhost".

The transport:nexthop pair is constructed in the qmgr(8) process,
with help from trivial-rewrite(8).

> So what have I misunderstood?

You'll need to change your configuration to set "relayhost" empty
and instead configure:

        default_transport = smtp:[smarthost.arrowmail.co.uk]:587

The sender-dependent default transport will override the global
default transport.

--
        Viktor.

Re: sender_dependent_default_transport_maps

Jesper Dybdal-2
On 2019-09-23 22:04, Viktor Dukhovni wrote:
> As documented in transport(5), when a transport table entry does not
> specify an explicit nexthop, it uses the extant (default) nexthop
> for the recipient.  In your case that's specified via "relayhost".

Of course!  Thank you very much!

--
Jesper Dybdal
http://www.dybdal.dk


Re: sender_dependent_default_transport_maps

Viktor Dukhovni
On Mon, Sep 23, 2019 at 10:15:05PM +0200, Jesper Dybdal wrote:

> On 2019-09-23 22:04, Viktor Dukhovni wrote:
> > As documented in transport(5), when a transport table entry does not
> > specify an explicit nexthop, it uses the extant (default) nexthop
> > for the recipient.  In your case that's specified via "relayhost".
>
> Of course! Thank you very much!

You're welcome, but I must issue a substantial retraction of the
above.  In fact in transport(5) a transport with no nexthop does
reset the nexthop to the recipient domain.  Your case is different
however because:

        default_transport
        sender_dependent_default_transport_maps
        relay_transport

are specifically intended to take "relayhost" into account,
allowing users to separately specify the transport and
nexthop:

        relayhost = ...
        default_transport = smtp

--
        Viktor.
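
A lint for the pitfall discussed in this thread, as an added example that is not code from any of the posters or from Postfix: it reads `postconf -n` output and the sender transport table, and flags senders whose entry names a transport without a nexthop while "relayhost" is set. The routing function is a simplified model (an assumption) that ignores transport_maps and sender_dependent_relayhost_maps; `probe@example.org` is a placeholder sender and the sample configurations are constructed.

```python
import re

PARAM = re.compile(r"^([A-Za-z0-9_-]+) =\s*(.*)$")

def parse_postconf(text):
    """Parse `postconf -n` output; a line that is not `name = value` continues
    the previous value (mail clients wrap long lines, as in the post above)."""
    params, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PARAM.match(line)
        if m:
            key = m.group(1)
            params[key] = m.group(2)
        elif key and line:
            params[key] = (params[key] + " " + line).strip()
    return params

def parse_sender_table(text):
    """Map source file -> {sender: (transport, nexthop)}; nexthop may be ''."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            sender, value = line.split(None, 1)
            transport, _, nexthop = value.strip().partition(":")
            table[sender] = (transport, nexthop)
    return table

def effective_route(sender, params, table):
    """Simplified model (assumption): explicit nexthop, else relayhost, else MX."""
    transport, _, nexthop = params.get("default_transport", "smtp").partition(":")
    if sender in table:
        transport, nexthop = table[sender]
    return transport, nexthop or params.get("relayhost", "") or "MX of recipient domain"

def lint(params, table):
    """Senders whose entry names no nexthop while relayhost is set."""
    if not params.get("relayhost"):
        return []
    return [s for s, (_, nexthop) in table.items() if not nexthop]

# Constructed sample input; probe@example.org is a placeholder sender.
TABLE = "probe@example.org     smtp\n"
BROKEN = ("relayhost = [smarthost.arrowmail.co.uk]:587\n"
          "sender_dependent_default_transport_maps =\n"
          "cdb:/etc/postfix/sender_default_transport\n")
FIXED = ("relayhost =\n"
         "default_transport = smtp:[smarthost.arrowmail.co.uk]:587\n"
         "sender_dependent_default_transport_maps = cdb:/etc/postfix/sender_default_transport\n")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        p, t = parse_postconf(conf), parse_sender_table(TABLE)
        print(name, lint(p, t), effective_route("probe@example.org", p, t))
```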