Hey folks,
I'm struggling to understand why a certain setup doesn't work the way I expect
it to work.
The idea is to configure incoming and outgoing Postfix instances in a certain
way:
smtp service (port 25):
- has some domains in virtual_mailbox_domains (in my case, a pgsql map)
- also has virtual_mailbox_maps and stuff, a rather standard virtual setup
- delivers mail through virtual_transport -> dovecot-lmtp
- stuff like rspamd happens here for spam filtering, ARC signing, ...
=> this already works fine
submission service (port 587):
- demands SMTP AUTH
- has a specific relayhost set (a centralized outgoing mail gateway)
- does not feel responsible for any domains
- hence everything sent through this instance is relayed through the relayhost
=> this is what I am working on
When I define virtual_mailbox_domains in main.cf, everything works as expected
- for incoming mails.
But when someone uses the submission service, authenticates, and the recipient
domain happens to be in virtual_mailbox_domains, that mail gets delivered
directly through the virtual_transport, while I actually want it to be
delivered to the relay host (which _in turn_ should deliver it to the regular
smtp service).
There are several reasons for that; mostly it's that I am heading for "ALL
incoming mail should have passed my dedicated incoming mail infrastructure -
guaranteed", especially regarding spam filtering, regarding ARC signing for
incoming mails and so on. Also there might be cases where a domain in
virtual_mailbox_domains uses my mail server only as a fallback, low-priority
MX, so when someone uses the submission service to send a mail to that domain,
I would like that mail to be sent through the relayhost (which in turn delivers
it according to the domain's primary MX record - so NOT necessarily to my mail
server).
So my first idea was: In my master.cf for the "submission" service, I added "-o
virtual_mailbox_domains=" (empty value) to the smtpd arguments, to override the
main.cf setting, assuming that the submission service then no longer regards
the domain as its own (and hence delivers it to the relayhost). Surprisingly
that didn't have any effect: The domain still got delivered locally.
So I thought, okay, then I am taking virtual_mailbox_domains out of main.cf and
instead move it into the "smtp" service configuration in my master.cf, so I
basically have this now (leaving out a few other options that I deem irrelevant
for this problem):
smtp       inet  n       -       y       -       -       smtpd
    -o smtpd_sasl_auth_enable=no
    -o virtual_mailbox_domains=pgsql:/etc/postfix/sql/domains.cf
    -o virtual_mailbox_maps=pgsql:/etc/postfix/sql/accounts.cf
submission inet  n       -       y       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
To my absolute surprise, this didn't work either: Exactly the same
"virtual_mailbox_domains=pgsql:/etc/postfix/sql/domains.cf" setting works well
in main.cf, but not at all when using it with "-o" in master.cf. All incoming
mail now results in "Relay Access Denied".
It's not that I can't solve this myself by running two _completely_ separate
Postfix instances (one with a main-incoming.cf and one with a main-outgoing.cf)
but that would result in quite some config duplication. But most importantly I
would like to _understand_ why it doesn't work the way I thought. Surprisingly
I can see that Postfix _does_ do a dict_open for the
pgsql:/etc/postfix/sql/accounts.cf map - but not for the
pgsql:/etc/postfix/sql/domains.cf map.
I already came across https://marc.info/?l=postfix-users&m=173779720216180&w=2
which seems somewhat related and also gave me an idea that I don't just have
some nasty typo in my config but some basic misunderstanding; to quote that
mailing list posting:
> > I would try:
> >
> > master.cf:
> > smtpd [...]
> > -o virtual_mailbox_domains=example.com,example.org
>
> This does not do what you think it does, because the classification of
> addresses into address classes happens in the trivial-rewrite service,
> not in smtpd(8). Best to not jump-in and reply with "I would try", if
> you don't actually have an answer.
If anyone could enlighten me why my idea doesn't work as intended, and if there
would be a way to make it work with just the two services and without having to
run two separate Postfix instances, that would truly make my day.
Thank you in advance,
Jonas
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
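Added example (editor's note, not part of Jonas's post or of any reply in the thread): one way to get the described behaviour from a single Postfix instance. Address classes are resolved by the shared trivial-rewrite service, which takes its settings from main.cf, so virtual_mailbox_domains and virtual_mailbox_maps stay in main.cf, where they already work for port 25, and a "-o virtual_mailbox_domains=" override on either smtpd has no effect on classification. Instead, the submission listener sets content_filter, which smtpd(8) accepts as a per-service override (the same mechanism FILTER_README uses for after-queue filters); the queue manager then hands every recipient of a message queued through that listener to the named transport:nexthop, bypassing class resolution entirely. The gateway name mailgw.example.com and the syslog_name value are assumptions; the relay transport entry is the stock one that ships in master.cf.

```text
# master.cf (added example). main.cf keeps virtual_mailbox_domains,
# virtual_mailbox_maps and virtual_transport exactly as in the working
# incoming setup; nothing address-class related is overridden here.

# Incoming: classes come from main.cf via trivial-rewrite, mail for
# virtual_mailbox_domains is delivered through virtual_transport.
smtp       inet  n       -       y       -       -       smtpd
    -o smtpd_sasl_auth_enable=no

# Submission: every queued message, whatever the recipient domain, is
# handed to the "relay" transport with the gateway as next hop. The
# gateway name is an assumption. relayhost is not needed for this
# service, because content_filter already fixes transport and nexthop.
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o content_filter=relay:[mailgw.example.com]:25

# Stock relay transport entry, unchanged.
relay      unix  -       -       y       -       -       smtp
    -o syslog_name=postfix/$service_name
```

Two things to check after reloading: "postconf -M submission/inet" should show the content_filter override, and a test message sent through port 587 should be logged with relay=mailgw.example.com[...]:25 even when the recipient is in virtual_mailbox_domains. The smtpd-side relay checks still use the main.cf classes, which is why the restrictions above permit only authenticated clients rather than relying on reject_unauth_destination. Mail the gateway sends back arrives on port 25 and is classified and delivered like any other incoming mail, which is the intent; make sure the gateway never routes mail back to port 587, or it will loop.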