On Sat, Apr 14, 2018 at 05:17:09AM +0300, Christos Chatzaras wrote:
> What I want to do:
> 
> I want to disable local delivery for e-mails from virtual domains / 
> mailboxes when sender / recipient is on same server. I want these 
> e-mails to pass through a relay.
> 
> --------------
> 
> My setup :

[ is overly complicated IMO :) ]

> I have postfix and dovecot on server1.example.com and 
> smtp.example.com acts as relay for server1.example.com. MX for 
> example.com points to server1.example.com so incoming e-mails go to 
> this server. Outgoing e-mails for domains not hosted in 
> server1.example.com go through the relay. Now I want the e-mails 
> that sender and recipient is on the same server 
> (server1.example.com) to go through the relay (smtp.example.com). 
> For example, currently I send e-mail from u...@example.com to 
> u...@example.com and it does local delivery (e-mail does not leave 
> server1.example.com). I want the e-mail to pass through relay 
> smtp.example.com
> 
> The problem is that if I remove domain example.com from 
> virtual_mailbox_domains then e-mails goes from server1.example.com 
> to smtp.example.com but when it comes to server1.example.com it 
> says "Relay denied" which I believe is related to postfix don't 
> consider that is the server that actually hosts this domain (final 
> destination).

Yes, explicitly it means that the restriction 
"reject_unauth_destination" was matched in smtpd_relay_restrictions.

> --------------
> 
> /var/log/mailog :
> 
> Apr 12 19:49:08 server1 postfix/smtpd[24278]: connect from 
> unknown[62.103.227.xxx]
> Apr 12 19:49:08 server1 postfix/smtpd[24278]: Anonymous TLS connection 
> established from unknown[62.103.227.xxx]: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Apr 12 19:49:08 server1 dovecot: auth: 
> passwd-file(u...@example.com,62.103.227.xxx): unknown user
> Apr 12 19:49:09 server1 postfix/smtpd[24278]: 24B2A2730A: 
> client=unknown[62.103.227.xxx], sasl_method=PLAIN, 
> sasl_username=u...@example.com
> Apr 12 19:49:09 server1 postfix/cleanup[33817]: 24B2A2730A: 
> message-id=<671ae13c-dbce-449e-922c-011294a59...@example.com>
> Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: 
> from=<u...@example.com>, size=740, nrcpt=1 (queue active)
> Apr 12 19:49:09 server1 dovecot: lmtp(40507): Connect from local
> Apr 12 19:49:09 server1 dovecot: 
> lmtp(u...@example.com)<40507><w+0rEgWOz1o7ngAAPz4RRA>: sieve: 
> msgid=<671ae13c-dbce-449e-922c-011294a59...@example.com>: stored mail into 
> mailbox 'INBOX'
> Apr 12 19:49:09 server1 dovecot: lmtp(40507): Disconnect from local: Client 
> has quit the connection (state = READY)
> Apr 12 19:49:09 server1 postfix/lmtp[34621]: 24B2A2730A: 
> to=<u...@example.com>, relay=server1.example.com[private/dovecot-lmtp], 
> delay=0.24, delays=0.22/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 
> <u...@example.com> w+0rEgWOz1o7ngAAPz4RRA Saved)
> Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: removed
> 
> postconf -Mf:
> 
> smtp       inet  n       -       n       -       -       smtpd
>     -o content_filter=filter:
>     -o receive_override_options=no_address_mappings

Your content_filter only applies to MX mail on port 25.

> submission inet  n       -       n       -       -       smtpd
>     -o smtpd_tls_security_level=may
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
> smtps      inet  n       -       n       -       -       smtpd
>     -o smtpd_tls_wrappermode=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING

Perhaps what you want is for the other host to be the MSA (mail 
submission agent), and not to accept submission here?

> pickup     fifo  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> rewrite    unix  -       -       n       -       -       trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       n       -       -       smtp
> relay      unix  -       -       n       -       -       smtp
>     -o smtp_fallback_relay=
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> retry      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       n       -       -       lmtp
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> filter     unix  -       n       n       -       -       pipe flags=Rq
>     user=filter argv=/usr/local/etc/bogofilter/postfix-filter.sh -f ${sender}
>     -- ${recipient}

This is your content_filter.  You're using a script, but better 
practice would probably be to use smtp.  And of course SMTP doesn't 
have to be local; your filter could be elsewhere.

Check out amavisd-new as a better means of content filtering.  This 
also gives you a means of applying different filtering depending on 
origin: the spam filtering needed for submission differs from that 
which makes sense on your MX stream.

> 
> --------------
> 
> postconf -n:
snipped, duplicated below:
> % postconf -nf
> authorized_mailq_users =
> authorized_submit_users = root, filter
> body_checks = regexp:/usr/local/etc/postfix/body_checks
> command_directory = /usr/local/sbin
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
>     $daemon_directory/$process_name $process_id & sleep 5
> default_destination_concurrency_limit = 2
> default_destination_rate_delay = 1s
> default_extra_recipient_limit = 10
> header_checks = pcre:/usr/local/etc/postfix/header_checks
> html_directory = /usr/local/share/doc/postfix
> inet_protocols = ipv4
> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 25600000
> myhostname = server1.example.com
> mynetworks_style = host
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> relayhost = [smtp.example.com]

So if users submitted directly there, it would come back for 
addresses hosted here.  That's what you want, right?

You can do this by changing the server name your users use for their 
submission server to point to this relayhost instead.  It could 
possibly be a painless change for the users.

Note: I am supposing you have a large number of users, because this 
level of complexity does not make sense for a small number.

> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtp_bind_address = 138.201.248.xxx
> smtp_destination_concurrency_limit = 2
> smtp_destination_rate_delay = 1s
> smtp_extra_recipient_limit = 10
> smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
> smtp_tls_cert_file = /etc/ssl/certs/mail.pem
> smtp_tls_key_file = /etc/ssl/private/mail.pem
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_protocols = !SSLv2,!SSLv3
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
> smtpd_banner = $myhostname
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
>     reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
> smtpd_recipient_restrictions = check_recipient_access
>     hash:/usr/local/etc/postfix/recipient_access, check_policy_service {
>     inet:127.0.0.1:10040, timeout=10s, default_action=dunno },
>     permit_sasl_authenticated, reject_non_fqdn_sender,
>     reject_non_fqdn_recipient, reject_unknown_recipient_domain,
>     reject_unauth_destination, reject_unauth_pipelining,
>     reject_invalid_helo_hostname, reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bad.psky.me, reject_rbl_client b.barracudacentral.org,
>     reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org,

I don't consider spamcop safe for outright rejection, at least not 
without DNSWL whitelisting.  Also, CBL is part of Zen, so this is a 
wasted lookup.  And postscreen has been around for many years now, 
you should look at it:

http://www.postfix.org/POSTSCREEN_README.html
http://rob0.nodns4.us/postscreen.html

>     reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.blocklist.de,
>     reject_rbl_client dnsbl.dronebl.org, check_policy_service
>     inet:127.0.0.1:10023, permit
> smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination

You should force all submission through submission/submissions 
services, or as mentioned above, through a separate MSA.  You don't 
want to accept submission on port 25.

smtpd_relay_restrictions = reject_unauth_destination

> smtpd_sasl_auth_enable = yes

This, also, is not appropriate for port 25.

> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = /var/run/dovecot/auth-client

You could have your auth socket on TCP, and thus your remote MSA 
could use it to authenticate your users.  (You would of course want 
to protect access to this socket via firewall or more.  Perhaps a VPN 
connection between the two hosts, and only listen on the VPN 
address.)

> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = reject_unlisted_sender, permit_sasl_authenticated,
>     reject_non_fqdn_sender, check_sender_access
>     hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
>     permit
> smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
> smtpd_tls_ask_ccert = yes

why?

> smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
> smtpd_tls_key_file = /etc/ssl/private/mail.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = 
> btree:$data_directory/smtpd_tls_session_cache
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/usr/local/etc/postfix/recipient_transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
> virtual_gid_maps = hash:/usr/local/etc/postfix/virtual_uids
> virtual_mailbox_base = /home/mail
> virtual_mailbox_domains = hash:/usr/local/etc/postfix/domains
> virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
> virtual_minimum_uid = 100
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> virtual_uid_maps = hash:/usr/local/etc/postfix/virtual_uids
> % postconf -nf
[ once was fine, thanks ]
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
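As an added example (not code from this thread or from Postfix), a small Python audit that parses a `postconf -n` dump like the one quoted above and flags the three points raised in this reply: SASL enabled globally (so on port 25), `defer_unauth_destination` instead of `reject_unauth_destination` in `smtpd_relay_restrictions`, and the CBL lookup that Zen already covers. The sample input is constructed from the quoted settings, and the check list is my reading of the reply, not an official tool.

```python
"""Audit a `postconf -n` dump for the points raised in the reply above.

Added example; the checks are an assumption drawn from the reply, not a
Postfix utility. Run with a real dump: audit(parse_postconf(open(f).read()))
"""
import re

# Constructed sample, trimmed from the postconf -n output quoted in the thread.
SAMPLE = """\
smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions = check_recipient_access
    hash:/usr/local/etc/postfix/recipient_access,
    reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, permit
smtpd_sasl_auth_enable = yes
smtpd_tls_ask_ccert = yes
"""

def parse_postconf(text):
    """Parse `postconf -n` output; indented lines continue the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if key is not None and line[:1].isspace():   # continuation line
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def audit(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if params.get("smtpd_sasl_auth_enable") == "yes":
        findings.append("smtpd_sasl_auth_enable=yes in main.cf applies to port 25 "
                        "too; set it per-service on submission/smtps in master.cf")
    relay = re.split(r"[\s,]+", params.get("smtpd_relay_restrictions", ""))
    if "reject_unauth_destination" not in relay:
        findings.append("smtpd_relay_restrictions lacks reject_unauth_destination "
                        "(defer_unauth_destination only tempfails unauthorized relay)")
    rbls = re.findall(r"reject_rbl_client\s+([^\s,]+)",
                      params.get("smtpd_recipient_restrictions", ""))
    if "zen.spamhaus.org" in rbls and "cbl.abuseat.org" in rbls:
        findings.append("cbl.abuseat.org is already part of zen.spamhaus.org: "
                        "redundant DNSBL lookup")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE)):
        print("-", finding)
```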
