Hi,
I have a postfix-3.5.6 system on fedora32 that accepts mail for a
domain (example.com) just using $mydestination and
smtpd_recipient_restrictions with check_recipient_access. Now I'd like
to add a catch-all for another domain (vexample.com) using
virtual_alias_domains and having a problem. I've read the VIRTUAL_README
and am trying to implement the section involving the user having an
existing account.

Mail is being rejected with Recipient address rejected:

Sep 19 20:40:26 propemail postfix/smtpd[503632]: NOQUEUE: reject: RCPT
from ns3.example.com[107.155.111.2]: 554 5.7.1 <[hidden email]>:
Recipient address rejected: Access denied;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<arcade.mydomain.com>

/etc/postfix/virtual:
[hidden email] alex

/etc/postfix/main.cf:
virtual_alias_domains = vexample.com
virtual_alias_maps = hash:/etc/postfix/virtual

I've also experimented with canonical_maps, but I think that would be
in addition to virtual_alias_domains?

canonical_maps = regexp:/etc/postfix/canonical-redirect

/etc/postfix/canonical-redirect
/[hidden email]/ alex

What am I doing wrong? I've included my postconf output below.
/etc/postfix/local_recip_map includes lines for each

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_files = alias,forward
always_bcc = mail-archive
body_checks = regexp:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 10
disable_mime_input_processing = no
enforce_login = reject_authenticated_sender_login_mismatch, permit_sasl_authenticated, reject
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
indexed = ${default_database_type}:${config_directory}/
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 2d
message_size_limit = 24000000
mydestination = $myhostname, localhost.$mydomain, example.com
mynetworks = 127.0.0.0/8, 107.155.111.2
newaliases_path = /usr/bin/newaliases.postfix
polite_destination_concurrency_limit = 3
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5
polite_initial_destination_concurrency = 1
queue_directory = /var/spool/postfix
rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
readme_directory = /usr/share/doc/postfix/README_FILES
relay_domains = $mydestination, example.com
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/DigiCertCA.crt
smtp_tls_exclude_ciphers = 3DES
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_client_connection_count_limit = 100
smtpd_recipient_restrictions = hash:/etc/postfix/bad_recipients,
    permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unauth_destination reject_unknown_sender_domain, reject_unknown_recipient_domain, check_client_access hash:/etc/postfix/client_checks, check_sender_access hash:/etc/postfix/sender_checks, check_recipient_access pcre:/etc/postfix/local_recip_map, reject
smtpd_restriction_classes = enforce_login
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions = check_sasl_access ${indexed}sasl-access
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /var/www/mail.example.com-443/ssl/mail_example_com-2020.crt
smtpd_tls_key_file = /var/www/mail.example.com-443/ssl/mail.example.com-2020.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
submission_overrides = no_unknown_recipient_checks, no_header_body_checks
tls_random_source = dev:/dev/urandom
transport_maps = regexp:/etc/postfix/transport_limit
turtle_destination_concurrency_limit = 1
turtle_destination_rate_delay = 4s
turtle_destination_recipient_limit = 2
turtle_initial_destination_concurrency = 1
unknown_local_recipient_reject_code = 550
virtual_alias_domains = vexample.com
virtual_alias_maps = hash:/etc/postfix/virtual
On Sat, Sep 19, 2020 at 09:09:15PM -0400, Alex wrote:
> I have a postfix-3.5.6 system on fedora32 that accepts mail for a
> domain (example.com) just using $mydestination and
> smtpd_recipient_restrictions with check_recipient_access. Now I'd like
> to add a catch-all for another domain (vexample.com) using
> virtual_alias_domains and having a problem.
>
> Mail is being rejected with Recipient address rejected:
>
> Sep 19 20:40:26 propemail postfix/smtpd[503632]: NOQUEUE: reject: RCPT
> from ns3.example.com[107.155.111.2]: 554 5.7.1 <[hidden email]>:
> Recipient address rejected: Access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<arcade.mydomain.com>

Presenting the restrictions in a readable layout is part of
communicating the configuration clearly:

> smtpd_recipient_restrictions =
>     hash:/etc/postfix/bad_recipients,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     reject_unauth_destination reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     check_client_access hash:/etc/postfix/client_checks,
>     check_sender_access hash:/etc/postfix/sender_checks,
>     check_recipient_access pcre:/etc/postfix/local_recip_map,
>     reject

Had you done that, you might have paused to consider which recipients
this is configured to permit.  After eliminating reject-only rules and
"bad_recipients" (which really should be preceded by
"check_recipient_access", for clarity), and rules that don't look at the
recipient address, you're left with:

> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_recipient_access pcre:/etc/postfix/local_recip_map,
>     reject

That should make the issue clear.

-- 
    Viktor.
Hi,
On Sat, Sep 19, 2020 at 9:45 PM Viktor Dukhovni <[hidden email]> wrote:
>
> On Sat, Sep 19, 2020 at 09:09:15PM -0400, Alex wrote:
>
> > I have a postfix-3.5.6 system on fedora32 that accepts mail for a
> > domain (example.com) just using $mydestination and
> > smtpd_recipient_restrictions with check_recipient_access. Now I'd like
> > to add a catch-all for another domain (vexample.com) using
> > virtual_alias_domains and having a problem.
> >
> > Mail is being rejected with Recipient address rejected:
> >
> > Sep 19 20:40:26 propemail postfix/smtpd[503632]: NOQUEUE: reject: RCPT
> > from ns3.example.com[107.155.111.2]: 554 5.7.1 <[hidden email]>:
> > Recipient address rejected: Access denied;
> > from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> > helo=<arcade.mydomain.com>
>
> Presenting the restrictions in a readable layout is part of
> communicating the configuration clearly:
>
> > smtpd_recipient_restrictions =
> >     hash:/etc/postfix/bad_recipients,
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >     reject_non_fqdn_recipient,
> >     reject_non_fqdn_sender,
> >     reject_unauth_destination reject_unknown_sender_domain,
> >     reject_unknown_recipient_domain,
> >     check_client_access hash:/etc/postfix/client_checks,
> >     check_sender_access hash:/etc/postfix/sender_checks,
> >     check_recipient_access pcre:/etc/postfix/local_recip_map,
> >     reject
>
> Had you done that, you might have paused to consider which recipients
> this is configured to permit.  After eliminating reject-only rules and
> "bad_recipients" (which really should be preceded by
> "check_recipient_access", for clarity), and rules that don't look at the
> recipient address, you're left with:

The missing "check_recipient_access" was a typo. I didn't even realize
it would work without it.

> > smtpd_recipient_restrictions =
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >     check_recipient_access pcre:/etc/postfix/local_recip_map,
> >     reject

But this doesn't account for the catch-all for the vexample.com domain.
Are you saying that because of the reject, the virtual map is never
processed?

For testing, I had the following in /etc/postfix/virtual:

/etc/postfix/virtual:
[hidden email] alex

thinking that an email from [hidden email] would be delivered to 'alex'
but that is what produced the Recipient Access error above. It may be
the processing order that I don't understand here.
On Sun, Sep 20, 2020 at 08:53:36AM -0400, Alex wrote:
> > > smtpd_recipient_restrictions =
> > >     permit_mynetworks,
> > >     permit_sasl_authenticated,
> > >     check_recipient_access pcre:/etc/postfix/local_recip_map,
> > >     reject
>
> But this doesn't account for the catch-all for the vexample.com
> domain. Are you saying that because of the reject, the virtual map is
> never processed?

I don't know what you're finding surprising here.  There's no magic, the
restrictions are evaluated *exactly* as written.  There's no mention
of virtual here, so for remote senders, only recipients listed in

    check_recipient_access pcre:/etc/postfix/local_recip_map,

are permitted and all others are rejected.

> For testing, I had the following in /etc/postfix/virtual:
>
> /etc/postfix/virtual:
> [hidden email] alex

I don't see how that's relevant.  Address-class-specific recipient
validation happens after recipient restrictions, and does not preempt
reject results.

-- 
    Viktor.
Hi,
On Sun, Sep 20, 2020 at 10:06 PM Viktor Dukhovni <[hidden email]> wrote:
>
> On Sun, Sep 20, 2020 at 08:53:36AM -0400, Alex wrote:
>
> > > > smtpd_recipient_restrictions =
> > > >     permit_mynetworks,
> > > >     permit_sasl_authenticated,
> > > >     check_recipient_access pcre:/etc/postfix/local_recip_map,
> > > >     reject
> >
> > But this doesn't account for the catch-all for the vexample.com
> > domain. Are you saying that because of the reject, the virtual map is
> > never processed?
>
> I don't know what you're finding surprising here.  There's no magic, the
> restrictions are evaluated *exactly* as written.  There's no mention
> of virtual here, so for remote senders, only recipients listed in
>
>     check_recipient_access pcre:/etc/postfix/local_recip_map,
>
> are permitted and all others are rejected.

Okay, at the risk of sounding redundant and perhaps obtuse, there's no
way to have a catch-all for one domain while having recipient
restrictions for others?

Can I add the /etc/postfix/virtual map as a check_recipient_access
restriction and have it processed first?
Alex:
> Hi,
>
> On Sun, Sep 20, 2020 at 10:06 PM Viktor Dukhovni
> <[hidden email]> wrote:
> >
> > On Sun, Sep 20, 2020 at 08:53:36AM -0400, Alex wrote:
> >
> > > > > smtpd_recipient_restrictions =
> > > > >     permit_mynetworks,
> > > > >     permit_sasl_authenticated,
> > > > >     check_recipient_access pcre:/etc/postfix/local_recip_map,
> > > > >     reject
> > >
> > > But this doesn't account for the catch-all for the vexample.com
> > > domain. Are you saying that because of the reject, the virtual map is
> > > never processed?
> >
> > I don't know what you're finding surprising here.  There's no magic, the
> > restrictions are evaluated *exactly* as written.  There's no mention
> > of virtual here, so for remote senders, only recipients listed in
> >
> >     check_recipient_access pcre:/etc/postfix/local_recip_map,
> >
> > are permitted and all others are rejected.
>
> Okay, at the risk of sounding redundant and perhaps obtuse, there's no
> way to have a catch-all for one domain while having recipient
> restrictions for others?

Of course there is, you just add the domain wildcard to local_recip_map.

    LHS            RHS
    =====================
    example.com    permit

> Can I add the /etc/postfix/virtual map as a check_recipient_access
> restriction and have it processed first?

No, the maps have different syntax (both LHS and RHS).

	Wietse
On Mon, Sep 21, 2020 at 11:15:01AM -0400, Wietse Venema wrote:
> > > I don't know what you're finding surprising here.  There's no magic, the
> > > restrictions are evaluated *exactly* as written.  There's no mention
> > > of virtual here, so for remote senders, only recipients listed in
> > >
> > >     check_recipient_access pcre:/etc/postfix/local_recip_map,
> > >
> > > are permitted and all others are rejected.
> >
> > Okay, at the risk of sounding redundant and perhaps obtuse, there's no
> > way to have a catch-all for one domain while having recipient
> > restrictions for others?
>
> Of course there is, you just add the domain wildcard to local_recip_map.
>
>     LHS            RHS
>     =====================
>     example.com    permit

In this particular case, given that the existing rule uses a PCRE table,
rather than risk easy-to-make mistakes with patterns, I'd recommend just
using an "inline" table above the final "reject" rule:

    check_recipient_access inline:{example.com=OK},

or, if you like more whitespace:

    check_recipient_access inline:{ { example.com = OK } },

but the correct PCRE pattern would be:

    /@example\.com$/ OK

-- 
    Viktor.
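The evaluation order Viktor describes, and the domain wildcard Wietse and Viktor suggest, modelled in a short script. This is an added example, not code from the thread or from Postfix: it mimics only the first-match-wins walk through the reduced smtpd_recipient_restrictions list and an access(5) lookup against a pcre: table. The mydestination, relay_domains, virtual_alias_domains and mynetworks values are those from the posted postconf output (the hostname is assumed to be "propemail"); the contents of local_recip_map, the remote client address 198.51.100.7 and the recipient names are constructed for the demo. The wildcard pattern is Viktor's, applied here to vexample.com because that is the catch-all domain in the question (his reply writes example.com).

```python
import ipaddress
import re
from dataclasses import dataclass

# Added illustration, not Postfix source: a small model of how smtpd(8)
# walks smtpd_recipient_restrictions top to bottom and stops at the first
# restriction that returns PERMIT or REJECT.  Domain and network values
# come from the posted postconf output; the map contents, the remote
# client address and the recipient names are constructed.

MYDESTINATION = {"propemail", "localhost.example.com", "example.com"}  # $myhostname assumed
VIRTUAL_ALIAS_DOMAINS = {"vexample.com"}
RELAY_DOMAINS = MYDESTINATION | {"example.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("107.155.111.2/32")]

# pcre: access table as (pattern, action) pairs.  Postfix matches a pcre
# table against the whole lookup key, first hit wins, case-insensitive
# by default.  Assumed contents: only example.com users were listed.
LOCAL_RECIP_MAP_ORIGINAL = [
    (r"^alex@example\.com$", "OK"),
    (r"^postmaster@example\.com$", "OK"),
]
# The fix from the thread: one domain wildcard, anchored on "@" and "$"
# with the dot escaped, for the catch-all domain.
LOCAL_RECIP_MAP_FIXED = LOCAL_RECIP_MAP_ORIGINAL + [(r"@vexample\.com$", "OK")]
# A tempting but wrong variant, kept only to show why the "@" matters.
SLOPPY_WILDCARD = [(r"vexample\.com$", "OK")]

ACCESS_DENIED = "Recipient address rejected: Access denied"


@dataclass
class Rcpt:
    client_ip: str
    sasl_authenticated: bool
    recipient: str


def lookup_access(table, key):
    """access(5) lookup in a pcre: table: first matching pattern decides;
    no match means the restriction returns DUNNO (keep evaluating)."""
    for pattern, action in table:
        if re.search(pattern, key, re.IGNORECASE):
            return action
    return None


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def evaluate(rcpt, local_recip_map):
    """Walk the reduced restriction list from the thread for one RCPT TO
    and return (verdict, restriction_that_decided, message)."""
    domain = rcpt.recipient.rpartition("@")[2].lower()
    accepted_domains = MYDESTINATION | VIRTUAL_ALIAS_DOMAINS | RELAY_DOMAINS
    restrictions = [
        "permit_mynetworks",
        "permit_sasl_authenticated",
        "reject_unauth_destination",
        "check_recipient_access pcre:/etc/postfix/local_recip_map",
        "reject",
    ]
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(rcpt.client_ip):
            return ("permit", r, "")
        if r == "permit_sasl_authenticated" and rcpt.sasl_authenticated:
            return ("permit", r, "")
        if r == "reject_unauth_destination" and domain not in accepted_domains:
            # virtual_alias_domains is consulted here and nowhere else in the list
            return ("reject", r, "Relay access denied")
        if r.startswith("check_recipient_access"):
            action = lookup_access(local_recip_map, rcpt.recipient)
            if action == "OK":
                return ("permit", r, "")
            if action is not None and action.upper().startswith("REJECT"):
                return ("reject", r, ACCESS_DENIED)
            # no match: DUNNO, fall through to the next restriction
        if r == "reject":
            return ("reject", r, ACCESS_DENIED)
    return ("permit", "end of list", "")


if __name__ == "__main__":
    remote = Rcpt("198.51.100.7", False, "anything@vexample.com")  # constructed client
    for name, table in (("original", LOCAL_RECIP_MAP_ORIGINAL),
                        ("fixed", LOCAL_RECIP_MAP_FIXED)):
        print(name, evaluate(remote, table))
```

Run as a script it prints the verdict for a remote, unauthenticated client sending to the catch-all domain: with the original map the final "reject" fires with "Access denied", the text in the posted log line; with the wildcard entry check_recipient_access permits it. The model makes Viktor's point concrete: virtual_alias_domains only affects reject_unauth_destination, which decides that vexample.com is a domain this server accepts at all, and nothing in the list ever reads virtual_alias_maps, so the /etc/postfix/virtual entry cannot rescue the recipient. The lookup_access checks also show why the pattern needs both the "@" and the "$": without the "@", user@notvexample.com matches the wildcard too.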