smtp auth/local delivery question

smtp auth/local delivery question

Matthias Leopold-2
hi,

i need help with the following problem:

i have a (mostly) ldap based setup (relevant main.cf lines see below).

virtual_mailbox_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox.cf
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains

virtual_alias_maps = hash:/etc/postfix/virtual_alias

smtpd_recipient_restrictions = reject_unauth_destination
permit_sasl_authenticated

a lookup for "[hidden email]" in virtual_mailbox_maps yields a result
/etc/postfix/virtual_mailbox_domains does not contain "domain.tld"
/etc/postfix/virtual_alias only contains "[hidden email]" as a remote
destination

when i try to relay mail to "[hidden email]" via my server i get
"relaying denied". this is what i expect. when i try to relay mail to
"[hidden email]" after successful smtp authentication postfix tries to
deliver locally. this is contrary to what i thought. is there a way to
make this work other than deleting "[hidden email]" from
virtual_mailbox_maps?

thx

matthias

Re: smtp auth/local delivery question

Brian Evans - Postfix List
Matthias Leopold wrote:

> hi,
>
> i need help with the following problem:
>
> i have a (mostly) ldap based setup (relevant main.cf lines see below).
>
> virtual_mailbox_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox.cf
> virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
>
> virtual_alias_maps = hash:/etc/postfix/virtual_alias
>
> smtpd_recipient_restrictions = reject_unauth_destination
> permit_sasl_authenticated
>
> a lookup for "[hidden email]" in virtual_mailbox_maps yields a result
> /etc/postfix/virtual_mailbox_domains does not contain "domain.tld"
> /etc/postfix/virtual_alias only contains "[hidden email]" as a remote
> destination
>
> when i try to relay mail to "[hidden email]" via my server i get
> "relaying denied". this is what i expect. when i try to relay mail to
> "[hidden email]" after successful smtp authentication postfix tries
> to deliver locally. this is contrary to what i thought. is there a way
> to make this work other than deleting "[hidden email]" from
> virtual_mailbox_maps?
My "guess" would be you have your domain in mydestination.

No one here can help further without posting `postconf -n`.
Substitute example.(com|net|org) instead of your own domain if you so
desire.

Brian

Re: smtp auth/local delivery question

Matthias Leopold-2
Brian Evans wrote:

> Matthias Leopold wrote:
>> hi,
>>
>> i need help with the following problem:
>>
>> i have a (mostly) ldap based setup (relevant main.cf lines see below).
>>
>> virtual_mailbox_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox.cf
>> virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
>>
>> virtual_alias_maps = hash:/etc/postfix/virtual_alias
>>
>> smtpd_recipient_restrictions = reject_unauth_destination
>> permit_sasl_authenticated
>>
>> a lookup for "[hidden email]" in virtual_mailbox_maps yields a result
>> /etc/postfix/virtual_mailbox_domains does not contain "domain.tld"
>> /etc/postfix/virtual_alias only contains "[hidden email]" as a remote
>> destination
>>
>> when i try to relay mail to "[hidden email]" via my server i get
>> "relaying denied". this is what i expect. when i try to relay mail to
>> "[hidden email]" after successful smtp authentication postfix tries
>> to deliver locally. this is contrary to what i thought. is there a way
>> to make this work other than deleting "[hidden email]" from
>> virtual_mailbox_maps?
> My "guess" would be you have your domain in mydestination.
>
> No one here can help further without posting `postconf -n`.
> Substitute example.(com|net|org) instead of your own domain if you so
> desire.
>
> Brian
>
the domain in question is definitely not in $mydestination, since the
problem arises for all virtual domains

the output of postconf -n is below

i "beautified" the main.cf lines in the original post a little, but (i
think) the basic layout described is the same

matthias

# postconf -n
alias_maps = hash:/home2/var/virtual_alias
biff = no
bounce_size_limit = 50000
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 25
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
header_size_limit = 1024
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 10
mail_owner = postfix
mailbox_size_limit = 150000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = host.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /localdisk/var/spool/node2
readme_directory = no
relay_domains = $mydestination
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client relays.mail-abuse.org,         reject_rbl_client
list.dsbl.org,                         reject_rbl_client
sbl.spamhaus.org,                             reject_rbl_client
cbl.abuseat.org,                       reject_rbl_client dul.dnsbl.sorbs.net
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,
             permit_mynetworks,
reject_invalid_hostname,
reject_unauth_pipelining,
check_helo_access hash:/etc/postfix/helo_access
smtpd_recipient_restrictions = permit_mynetworks,
          permit_sasl_authenticated,
reject_unknown_recipient_domain,      reject_invalid_hostname,
                reject_non_fqdn_hostname,
reject_non_fqdn_sender
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_unauth_pipelining,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rhsbl_sender rhsbl.sorbs.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,
       permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_unauth_pipelining,
reject_sender_login_mismatch,
check_sender_access hash:/etc/postfix/sender_access
transport_maps = ldap:/etc/postfix/ldapmaps/virtual_transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/home2/var/virtual_alias
virtual_gid_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox_gid.cf
virtual_mailbox_base = /
virtual_mailbox_domains = hash:/home2/var/virtual_relay_domains
virtual_mailbox_limit = 150000000
virtual_mailbox_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox.cf
virtual_uid_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox_uid.cf



Re: smtp auth/local delivery question

Brian Evans - Postfix List
Matthias Leopold wrote:

> Brian Evans wrote:
>> Matthias Leopold wrote:
>>> hi,
>>>
>>> i need help with the following problem:
>>>
>>> i have a (mostly) ldap based setup (relevant main.cf lines see below).
>>>
>>> virtual_mailbox_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox.cf
>>> virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
>>>
>>> virtual_alias_maps = hash:/etc/postfix/virtual_alias
>>>
>>> smtpd_recipient_restrictions = reject_unauth_destination
>>> permit_sasl_authenticated
>>>
>>> a lookup for "[hidden email]" in virtual_mailbox_maps yields a result
>>> /etc/postfix/virtual_mailbox_domains does not contain "domain.tld"
>>> /etc/postfix/virtual_alias only contains "[hidden email]" as a remote
>>> destination
>>>
>>> when i try to relay mail to "[hidden email]" via my server i get
>>> "relaying denied". this is what i expect. when i try to relay mail
>>> to "[hidden email]" after successful smtp authentication postfix
>>> tries to deliver locally. this is contrary to what i thought. is
>>> there a way to make this work other than deleting "[hidden email]"
>>> from virtual_mailbox_maps?
>> My "guess" would be you have your domain in mydestination.
>>
>> No one here can help further without posting `postconf -n`.
>> Substitute example.(com|net|org) instead of your own domain if you so
>> desire.
>>
>> Brian
>>
> the domain in question is definitely not in $mydestination, since the
> problem arises for all virtual domains
>
> the output of postconf -n is below
>
> i "beautified" the main.cf lines in the original post a little, but (i
> think) the basic layout described is the same
>
> matthias
>
> # postconf -n
> alias_maps = hash:/home2/var/virtual_alias
Do not set alias_maps = virtual_alias_maps.  The former is for *local*
delivery.

> biff = no
> bounce_size_limit = 50000
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_concurrency_limit = 25
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> header_size_limit = 1024
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> local_destination_concurrency_limit = 10
> mail_owner = postfix
> mailbox_size_limit = 150000000
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 10240000
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = example.com
> myhostname = host.example.com
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases
> queue_directory = /localdisk/var/spool/node2
> readme_directory = no
> relay_domains = $mydestination
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_rbl_client
> relays.mail-abuse.org,         reject_rbl_client
> list.dsbl.org,                         reject_rbl_client
> sbl.spamhaus.org,                             reject_rbl_client
> cbl.abuseat.org,                       reject_rbl_client
> dul.dnsbl.sorbs.net
> smtpd_hard_error_limit = 3
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_sasl_authenticated,            
> permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining,
> check_helo_access hash:/etc/postfix/helo_access
> smtpd_recipient_restrictions = permit_mynetworks,          
> permit_sasl_authenticated, reject_unknown_recipient_domain,      
> reject_invalid_hostname,                reject_non_fqdn_hostname,
> reject_non_fqdn_sender reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client
> list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client
> cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rhsbl_sender rhsbl.sorbs.net
Highly recommended to move reject_unauth_destination just after
permit_sasl_authenticated.
reject_unauth_pipelining is worthless here, it should be in
smtpd_data_restrictions only.
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_mynetworks,      
> permit_sasl_authenticated, reject_unknown_sender_domain,
> reject_non_fqdn_sender, reject_unauth_pipelining,
> reject_sender_login_mismatch, check_sender_access
> hash:/etc/postfix/sender_access
Remove unauth_pipelining from here too as described above

> transport_maps = ldap:/etc/postfix/ldapmaps/virtual_transport.cf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/home2/var/virtual_alias
> virtual_gid_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox_gid.cf
> virtual_mailbox_base = /
> virtual_mailbox_domains = hash:/home2/var/virtual_relay_domains
> virtual_mailbox_limit = 150000000
> virtual_mailbox_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox.cf
> virtual_uid_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox_uid.cf
>
>

Re: smtp auth/local delivery question

/dev/rob0
In reply to this post by Matthias Leopold-2
On Fri May 2 2008 09:51:00 Matthias Leopold wrote:

> Brian Evans wrote:
> > Matthias Leopold wrote:
> >> a lookup for "[hidden email]" in virtual_mailbox_maps yields a
> >> result /etc/postfix/virtual_mailbox_domains does not contain
> >> "domain.tld" /etc/postfix/virtual_alias only contains
> >> "[hidden email]" as a remote destination
> >>
> >> when i try to relay mail to "[hidden email]" via my server i get
> >> "relaying denied". this is what i expect. when i try to relay mail
> >> to "[hidden email]" after successful smtp authentication postfix
> >> tries to deliver locally. this is contrary to what i thought. is
> >> there a way to make this work other than deleting
> >> "[hidden email]" from virtual_mailbox_maps?

A virtual_mailbox_maps listing for "[hidden email]" is meaningless
unless domain.tld is in virtual_mailbox_domains.

> > My "guess" would be you have your domain in mydestination.
> >
> > No one here can help further without posting `postconf -n`.
> > Substitute example.(com|net|org) instead of your own domain if you
> > so desire.
>
> the domain in question is definitely not in $mydestination, since the
> problem arises for all virtual domains

Then perhaps your virtual_mailbox_domains lookup is the problem. For a
hash: map:
        example.com put
        example.net anything
        domain.tld here

> # postconf -n

You have a lot of default settings in there.

> smtpd_client_restrictions = permit_mynetworks,

See the ongoing thread about Zen for some good RBL advice.

> reject_unauth_pipelining,

You have this in several places except for the one where it might do
something: it should be in smtpd_data_restrictions. See
postconf.5.html#reject_unauth_pipelining for information. (You have
"html_directory = no" which is unfortunate. Good idea to keep the
documentation handy.)

> smtpd_sender_restrictions = permit_mynetworks,
>        permit_sasl_authenticated,
> reject_unknown_sender_domain,
> reject_non_fqdn_sender,
> reject_unauth_pipelining,
> reject_sender_login_mismatch,

Oops, you already accepted that with permit_sasl_authenticated above.
Order of restrictions (in each stage) is very important.

> transport_maps = ldap:/etc/postfix/ldapmaps/virtual_transport.cf

What is the purpose of this? If you don't know why you have
transport_maps, you probably shouldn't have it set.

> virtual_mailbox_domains = hash:/home2/var/virtual_relay_domains

As above, this is probably where the problem lies. The file name is
interesting, and appears to be misleading. Generally it's better
administrative practice to keep the map filenames associated with the
Postfix functionality they implement.

transport_maps is another suspect.

If you still don't have enough clues to find the problem on your own,
your followup post should include complete logging of one of the
problem messages along with relevant line[s] in virtual_mailbox_domains
and postmap -q output for the subject domain and user@domain from the
ldap:/etc/postfix/ldapmaps/virtual_transport.cf query.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
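
The ordering point raised in the last reply, as an added example that is not part of the thread: a simplified model of how one restriction list is walked, showing that `reject_sender_login_mismatch` placed after `permit_sasl_authenticated` never decides for an authenticated client. The sender/login table, the sessions and the reordered list are constructed assumptions; the posted configuration shows no `smtpd_sender_login_maps`.

```python
# Simplified model (added example) of one smtpd_*_restrictions list: checks run
# left to right, and the first "permit" or "reject" ends the list; "dunno"
# hands the decision to the next check.

# Constructed stand-in for smtpd_sender_login_maps (assumption, not from the thread).
SENDER_LOGIN_MAPS = {"alice@example.com": "alice", "bob@example.com": "bob"}

def permit_mynetworks(s):
    return "permit" if s["in_mynetworks"] else "dunno"

def permit_sasl_authenticated(s):
    return "permit" if s["sasl_login"] else "dunno"

def reject_sender_login_mismatch(s):
    owner = SENDER_LOGIN_MAPS.get(s["mail_from"])
    login = s["sasl_login"]
    if owner is not None and login != owner:
        return "reject"   # address has an owner, client is not logged in as it
    if login is not None and owner is None:
        return "reject"   # logged in, but the login does not own this address
    return "dunno"

def evaluate(restrictions, session):
    """Return (verdict, name of the check that decided)."""
    for check in restrictions:
        verdict = check(session)
        if verdict != "dunno":
            return verdict, check.__name__
    return "permit", "end of list"   # no check objected at this stage

# Order as in the posted smtpd_sender_restrictions (other checks omitted).
AS_POSTED = [permit_mynetworks, permit_sasl_authenticated,
             reject_sender_login_mismatch]
# Hypothetical reordering: the login check runs before the SASL permit.
REORDERED = [permit_mynetworks, reject_sender_login_mismatch,
             permit_sasl_authenticated]

# Constructed sessions: bob is authenticated in both.
MISMATCH = {"in_mynetworks": False, "sasl_login": "bob",
            "mail_from": "alice@example.com"}
MATCH = {"in_mynetworks": False, "sasl_login": "bob",
         "mail_from": "bob@example.com"}

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for label, sess in (("mismatch", MISMATCH), ("match", MATCH)):
            print(name, label, evaluate(rules, sess))
```

In the posted order the mismatched session is decided by `permit_sasl_authenticated`; in the reordered list it is decided by `reject_sender_login_mismatch`, while the matching session is still permitted.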