Hi, I got 2 domains, let's call them example.org and example.com, and I want them to share the same mail addresses. So f...@example.org and f...@example.com should always reach the same destination.

The mail system consists of 2 MX hosts and a single backend MTA that forwards all mails to my imap server. The MX hosts use virtual_domains and virtual_alias_maps to check whether a specific recipient exists and then forward the mail to the internal host or in some cases to external mail servers. For years now the virtual_alias_map for example.org and example.com looked like this:

<snip>
/^(.*)@example\.com$/ ${1}@example.org
/^foo@example\.org$/ f...@some-other-domain.org
/^bar@example\.org$/ bar@external-domain.something
</snip>

This worked just fine but, for some reason only now, I realized this makes @example.com a backscatter spam source. Re-reading the documentation over and over again, I yesterday realized that a simple non-regexp table containing

<snip>
@example.com @example.org
...
</snip>

does suffice to do the same thing. However, the problem I'm having stays the same. Looking into the source code, the reason for this behaviour is that, while the virtual_alias_maps lookup as done by the cleanup daemon is recursive, the same lookup by smtpd is not. It will simply accept anything that is a match in any of the various lookup tables (just search for 'virt_alias_maps' in smtpd/smtpd-check.c to find the code I'm referring to).

For now the problem is not too severe since example.com is not used often and the whole mail system has very low traffic. So any massive misuse of the system would have triggered my monitoring. Still, this is not a situation that I want to keep any longer and, even worse, I recently had to do a similar setup for somebody else. The premise is basically the same, only that for this system addresses for mails to example.org are resolved using an LDAP lookup and the mail system uses virtual_mailbox_maps to filter non-existing users. This domain will be used much more frequently and will soon attract spammers.

So my first question is whether the above analysis is correct?

If yes, I think the documentation doesn't state well enough that this is the case. For me it is obvious that in case the virtual alias is pointing to an external address it will not be checked, but I was surprised to have the same behaviour for addresses that are handled by the same MTA. Especially since the documentation explicitly says that the lookups in virtual_alias_maps are recursive.

And of course my next question: How can I change my setup to make it work without turning my MX hosts into backscatter spam sources? For the original system I of course can use a regexp lookup that looks something like this:

<snip>
/^foo@example\.(org|com)$/ f...@some-other-domain.org
/^bar@example\.(org|com)$/ bar@external-domain.something
</snip>

This is what I will be doing as soon as I finished writing this mail. Of course for the other system this is not as easy. The only thing I can think of right now is to have a cron script that generates a virtual_alias_map for example.com based on the LDAP entries for example.org. Is this really the only way or is there another solution to this?

regards
christian
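The cron-script idea raised at the end of the message, sketched as an added example that is not part of the original post: it turns a list of valid example.org recipients into explicit per-address entries for example.com, so that only known recipients match instead of the whole domain. The function names, the output path and the sample list (standing in for the LDAP result set) are assumptions made for illustration.

```python
import os
import tempfile

PRIMARY = "example.org"    # domain whose recipients are authoritative
SECONDARY = "example.com"  # domain that should mirror them


def mirror_aliases(recipients, primary=PRIMARY, secondary=SECONDARY):
    """Return one 'local@secondary address@primary' line per valid recipient."""
    table = {}
    for raw in recipients:
        addr = raw.strip()
        local, at, domain = addr.rpartition("@")
        if not at or not local or domain.lower() != primary:
            continue  # malformed, or belongs to some other domain
        if any(ch.isspace() for ch in local):
            continue  # whitespace would break the two-column table format
        # Lower-case only the lookup key; keep the destination as listed.
        table.setdefault(f"{local.lower()}@{secondary}", addr)
    return sorted(f"{key} {dest}" for key, dest in table.items())


def write_map(path, lines):
    """Atomically replace the map file; never install an empty table."""
    if not lines:
        # An empty result usually means the directory lookup failed.
        raise ValueError("refusing to write an empty alias map")
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # rename is atomic within one filesystem


# Constructed sample standing in for the LDAP result set.
SAMPLE = ["foo@example.org", "Bar@Example.org", "baz@other.net",
          "broken", " foo@example.org "]

if __name__ == "__main__":
    for line in mirror_aliases(SAMPLE):
        print(line)
```

The written file still has to be indexed with postmap before Postfix can use it as a hash table.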