Re: Redirect all mail from one domain to the same u...@otherdomain?

2009-02-09 Thread jeff_homeip
--- In postfix-us...@yahoogroups.com, Victor Duchovni
victor.ducho...@... wrote:

 On Sun, Feb 08, 2009 at 09:50:16PM -0800, Jeff Weinberger wrote:

 
  I am trying to figure out the best way to map one domain to another with
  the same users...precisely the behavior I am trying to achieve is: when
  mail is sent (from outside, or from another user within my postfix
  installation) to u...@... I want it redirected to u...@...
  - in other words, the user is preserved, but the domain is
  translated/rewritten. To be more specific:
 
  us...@... gets re-routed to us...@...
  us...@... gets re-routed to us...@...

 - Are you looking to rewrite just the envelope recipient, or also message
   From/To/Cc headers?

It's only important to rewrite the envelope sender. The result I want
is that the message is delivered to *...@domain2.tld - if it has the
original To/Cc header that's fine, and probably desirable.


 - Is all mail first passed through an SMTP content_filter?

Yes. All mail coming from outside my server is passed through
amavisd-new for spam/virus checking. Mail originating from my server
is passed through a specialized content filter. (via the submission
service)

It is important that this rewrite apply to messages coming from
outside as well as those originating on my server.


 - Are all the original and rewritten recipients delivered to another host
   via SMTP, or is some of the mail delivered locally (local, virtual, ...)?

I'm not completely sure this answers your question, but the message
may be only to u...@domain1.tld or to a number of addresses including
u...@domain1.tld. Only the copy of the message to u...@domain1.tld
should get rerouted to u...@domain2.tld.

both domain1.tld and domain2.tld are mine and my postfix instance is
the MX for them. domain1.tld is an alias domain and domain2.tld is a
virtual domain.



 
  My initial guess is to use recipient_canonical_maps and use a pcre map:
 
  /^(.*)@domain1.tld/   {$1)@domain2.tld

 This guess is wrong for many reasons, but I think it best to first
 understand what problem you are really trying to solve, before we
 tear apart the wrong answer to potentially the wrong question.

Thank you...but I would also like to know if I can impose on your
time, what is wrong with this - it will help me better solve this and
future problems.


  I don't see a way to achieve this with alias_maps and header_checks (with
  action REDIRECT) would miss messages sent to u...@... where that is
  not the To: or Cc: address (such as list mail).

 This is worse.

That I understood. Thanks.


  Really, I am just checking with experts more knowledgeable than I whether I
  have chosen a good (or the best) way to achieve this, or if there is a
  better way.

 Yes, there is a correct way of solving your problem, but first describe
 your problem in more detail.

Does that help? Please let me know if there is any more detail I can
provide.

Thank you for your help!




 --
   Viktor.

 Disclaimer: off-list followups get on-list replies or get ignored.
 Please do not ignore the Reply-To header.

 To unsubscribe from the postfix-users list, visit
 http://www.postfix.org/lists.html or click the link below:
 mailto:majord...@...?body=unsubscribe%20postfix-users

 If my response solves your problem, the best way to thank me is to not
 send an "it worked, thanks" follow-up. If you must respond, please put
 "It worked, thanks" in the Subject so I can delete these quickly.





Re: Redirect all mail from one domain to the same u...@otherdomain?

2009-02-09 Thread jeff_homeip
--- In post...@yahoogroups.com, mouss mo...@... wrote:

 jeff_homeip wrote:
  --- In postfix-us...@yahoogroups.com, Victor Duchovni
  Victor.Duchovni@ wrote:
  On Sun, Feb 08, 2009 at 09:50:16PM -0800, Jeff Weinberger wrote:
 
  I am trying to figure out the best way to map one domain to another with
  the same users...precisely the behavior I am trying to achieve is: when
  mail is sent (from outside, or from another user within my postfix
  installation) to user@ I want it redirected to user@
  - in other words, the user is preserved, but the domain is
  translated/rewritten. To be more specific:
 
  user1@ gets re-routed to user1@
  user2@ gets re-routed to user2@
  - Are you looking to rewrite just the envelope recipient, or also message
    From/To/Cc headers?
 
  It's only important to rewrite the envelope sender.

 you mean the envelope recipient.

yes, sorry, my typo.

 if so, use virtual_alias_maps. however,
 don't use wildcard virtual aliases. instead, generate one mapping for
 each user:

 us...@... us...@...
 ...


that creates some complications...and might be too difficult

but why not use wildcard virtual aliases? You noted below that they break recipient
validations. Do you mean that smtp_recipient_restrictions won't work? at all or parts?

Wildcard virtual aliases seem like the best way...but I want to understand the implications
on everything else before I proceed.

Thanks!


 The reason is that if you use
 @example.com  @example.org
 then this breaks recipient validation: smtpd will accept
 anything@example.com, then at delivery time, the user won't be found and
 a bounce will be generated. in short, you become a source of backscatter
 (you send bounces to innocents whose addresses were forged by spammers)

Unless I don't bounce unknown addresses


 you can generate the individual mappings with a script. alternatively,
 if you store users in sql, you can use sql statements to generate these
 on the fly. examples have been posted multiple times to the list (a
 long time ago, that said, but you may be lucky...).



it would be something like:

if (%d='domain1.com') then select %...@domain2..com from virtual_alias else select alias
from virtual_alias where address=%s

(that's not quite right in the syntax, but you get the idea). This won't work, as I'd have to
write a special select clause for each domain I want to work this way.


  The result I want
  is that the message is delivered to *...@domain2.tld - if it has the
  original To/Cc header that's fine, and probably desirable.
 

 so you want virtual_alias_maps (yes, these apply to _all_ domains. don't
 confuse with virtual_alias_domains).

  - Is all mail first passed through an SMTP content_filter?
 
  Yes. All mail coming from outside my server is passed through
  amavisd-new for spam/virus checking. Mail originating from my server
  is passed through a specialized content filter. (via the submission
  service)
 

 you must disable rewrite except in one smtpd in a chain. see the FILTER
 README (look for no_address_mappings) or amavisd-new README.postfix.

 if you don't, then virtual aliases will be expanded twice (before and
 after the filter), which may result in duplicate mail (think of a
 foo -> foo, bar, which becomes foo -> foo, foo, bar if expanded twice).


I already do that..thanks

  It is important that this rewrite apply to messages coming from
  outside as well as those originating on my server.
 

 virtual_alias_maps apply to all mail.

  - Are all the original and rewritten recipients delivered to another host
    via SMTP, or is some of the mail delivered locally (local, virtual, ...)?
 
  I'm not completely sure this answers your question, but the message
  may be only to u...@... or to a number of addresses including
  u...@... Only the copy of the message to u...@...
  should get rerouted to u...@...
 
  both domain1.tld and domain2.tld are mine and my postfix instance is
  the MX for them. domain1.tld is an alias domain and domain2.tld is a
  virtual domain.
 
 
  My initial guess is to use recipient_canonical_maps and use a pcre map:
  /^(.*)@domain1.tld/   {$1)@domain2.tld
  This guess is wrong for many reasons, but I think it best to first
  understand what problem you are really trying to solve, before we
  tear apart the wrong answer to potentially the wrong question.
 
  Thank you...but I would also like to know if I can impose on your
  time, what is wrong with this - it will help me better solve this and
  future problems.
 

 see above. wildcard virtual aliases and canonical break recipient
 validations.


 [snip]
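
mouss's advice above (one virtual alias mapping per real user instead of a wildcard), sketched as an added example; it is not code from the thread or from Postfix. The mailbox list, the function names and the case-folding of addresses are assumptions made for illustration; the output is the two-column text form of a virtual alias table.

```python
"""Generate per-user virtual alias mappings (alias domain -> real domain)
instead of a wildcard "@domain1.tld @domain2.tld" entry, so that unknown
recipients are still refused at SMTP time rather than bounced later."""
import re

# Conservative local-part pattern (assumption): dot-atom characters only.
_LOCAL_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")


def split_address(addr):
    """Return (local, domain) lower-cased, or None if addr is not user@domain."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain or not _LOCAL_RE.match(local):
        return None
    return local.lower(), domain.lower()


def build_alias_table(mailboxes, alias_domain, target_domain):
    """Map user@alias_domain -> user@target_domain for every real mailbox in
    target_domain. Returns (mapping, inputs that were skipped)."""
    alias_domain, target_domain = alias_domain.lower(), target_domain.lower()
    table, skipped = {}, []
    for raw in mailboxes:
        parsed = split_address(raw)
        if parsed is None or parsed[1] != target_domain:
            skipped.append(raw)  # malformed, or not a mailbox in the target domain
            continue
        table[f"{parsed[0]}@{alias_domain}"] = f"{parsed[0]}@{target_domain}"
    return table, skipped


def render(table):
    """Text form of the table: one 'alias<TAB>target' pair per line, sorted."""
    return "".join(f"{k}\t{v}\n" for k, v in sorted(table.items()))


def accepted_at_smtp(rcpt, table, alias_domain, wildcard):
    """Model of recipient validation for the alias domain. wildcard=True
    models '@alias_domain @target_domain', which matches every address."""
    parsed = split_address(rcpt)
    if parsed is None or parsed[1] != alias_domain.lower():
        return False
    return True if wildcard else f"{parsed[0]}@{parsed[1]}" in table


def late_bounces(rcpts, table, alias_domain):
    """Recipients a wildcard would accept although no mailbox exists; each
    becomes a bounce to the (possibly forged) envelope sender: backscatter."""
    return [r for r in rcpts
            if accepted_at_smtp(r, table, alias_domain, wildcard=True)
            and not accepted_at_smtp(r, table, alias_domain, wildcard=False)]


# Constructed sample data (not from the thread).
MAILBOXES = ["user1@domain2.tld", "User2@Domain2.tld", "user1@domain2.tld",
             "other@elsewhere.tld", "not-an-address", ""]
PROBES = ["user1@domain1.tld", "USER2@domain1.tld", "nosuchuser@domain1.tld",
          "user1@domain2.tld"]

if __name__ == "__main__":
    table, skipped = build_alias_table(MAILBOXES, "domain1.tld", "domain2.tld")
    print(render(table), end="")
    print("skipped:", skipped)
    print("accepted by a wildcard, bounced later:",
          late_bounces(PROBES, table, "domain1.tld"))
```

The rendered lines can be written to the file that virtual_alias_maps points at and rebuilt whenever the mailbox list changes.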






Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote:

  When a sender is not authenticated, and
  reject_unauthenticated_sender_login_mismatch is specified, postfix takes
  the MAIL FROM address, looks it up in smtpd_sender_login_maps and if
  it's found, the message is rejected?
 
  Essentially the lookup is just for the existence of the MAIL FROM
  address in the smtpd_sender_login_maps table?

 Yes, that's what I said.

  Am I then correct in concluding that with:
 
  smtpd_sender_restrictions =
  permit_sasl_authenticated,
  reject_authenticated_sender_login_mismatch,
  reject

 Observe that the order of the first two elements is not entirely
 correct.

  that the permit_sasl_authenticated obviates the need for
  reject_unauthenticated_sender_login_mismatch?
  (as there would never be an unauthenticated sender permitted...)

 Yes. this saves you a table lookup before unauthenticated senders are
 rejected outright via reject.

  And am I also correct in concluding that if unauthenticated senders were
  allowed (as they would have to be for smtpd to accept messages from the
  internet), that reject_unauthenticated_sender_login_mismatch would
  prevent any non-authenticated sender from sending a message from (with MAIL
  FROM) any address listed in my smtpd_sender_login_maps?

 Yes, that's what I said.


I think I've misunderstood this again. here's the behavior I observed:

I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to
my master.cf smtp service entry (receiving mail on port 25).

It then rejected all mail. Each message was rejected because the sender was not
authenticated.

This is obviously undesirable behavior for this service, as I will never receive any mail.

The behavior I was seeking was that it would reject messages where the MAIL FROM is one
of the addresses that validly authenticates.

In other words if a spammer were to forge the MAIL FROM address as one of my valid
users, then send the message to that same user or any other user on my server, postfix
would reject it, knowing that that particular address should be sent from a matching
(smtpd_sender_login_maps) authenticated user.

Further, any mail received with a MAIL FROM that is not listed in my
smtpd_sender_login_maps should then be permitted to pass, at least to the next check.

Given that reject_unauthenticated_sender_login_mismatch does not produce this behavior,
is there another way to produce this behavior? (with the obvious corollary - is there any
reason I would not want to do so?)

Thank you!!



Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Wed, Jan 14, 2009 at 11:15:54PM -, jeff_homeip wrote:

  I think I've misunderstood this again. here's the behavior I observed:
 
  I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to
  my master.cf smtp service entry (receiving mail on port 25).
 
  It then rejected all mail. Each message was rejected because the sender was not
  authenticated.

 You should not really expect us to help you with this with no log entries,
 associated postconf -n, and actual master.cf entries.


I'm always happy to provide whatever might be helpful, and yet always conscious of
excessively long messages. I generally don't post postconf -n in its entirety for that and
disclosure reasons (yes, I'm paranoid). But I try to give the relevant entries and anything
else you think will help.



  The behavior I was seeking was that it would reject messages where
  the MAIL FROM is one of the addresses that validly authenticates.

 The reject_unauthenticated_sender_login_mismatch feature only rejects
 addresses listed in the smtpd_sender_login_maps table:

     /*
      * Reject if the client is not logged in and the sender address has an
      * owner.
      */
     if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
         reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache,
                                                       sender);
         if (reply->flags & RESOLVE_FLAG_FAIL)
             reject_dict_retry(state, sender);
         if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                  STR(reply->recipient), (char **) 0) != 0)
             return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                     "<%s>: Sender address rejected: not logged in", sender));
     }

 So either your report is incomplete/inaccurate, or you have managed to
 list all the senders you tested in smtpd_sender_login_maps (difficult
 with indexed files, easier with regexp tables and SQL lookups).

  Given that reject_unauthenticated_sender_login_mismatch does not
  produce this behavior, [ ... ]

 With false premises you can reach any conclusion.

I am quite certain that my premises are not false. I tested it with senders who I know for a
fact ARE listed in the smtpd_sender_login_maps both as authenticated (they were
accepted) and from another client that did not authenticate (they were properly rejected).

Then I waited for someone else to send mail to one of my users. Here is the log entry that
was produced:

Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com: Sender
address rejected: not logged in; from=katie.prev...@morris.com
to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com

only altered to avoid posting one of my users' e-mail addresses and otherwise as logged.
The address logged as from=... is not in my smtpd_sender_login_maps (I looked again
to be sure) and is not a user or sender on my server at all.

The master.cf entry is:

smtp  inet  n   -   n   -   -   smtpd
   -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch

that is the only line I used.

I would expect the above-mentioned mail to be permitted, and in other cases I have had
no problems.

Immediately after seeing this in the logs, I removed the -o
smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch from my
master.cf entry, and since then no mail has been rejected with a reason of not logged in.

I don't know how else to interpret this behavior, other than to conclude that adding that
line to my master.cf caused the mail to be rejected, which is not what I expected.

Knowing that I cannot determine, apparently, what will be helpful in diagnosing this
behavior or suggesting ways I can achieve the desired behavior, I am posting below my
complete postconf -n (some addresses and sensitive items edited out as noted, but
otherwise unaltered).

I am hoping that you or someone will either identify what I've done wrong or help me find
a way to achieve the desired behavior.

If there is any additional information I have not provided here that would be helpful in
doing one of these two, please ask - I will provide as much as I am able.

Thank you for your help.

--Jeff

postconf -n:

alias_database = mysql:/etc/postfix/mysql_alias_maps.cf
alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_verp_delimiters = +=
disable_vrfy_command = yes
html_directory = /etc/postfix/html
inet_interfaces = all
local_recipient_maps =
luser_relay = address hidden
mail_owner = postfix user
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = mysql

Re: holding messages for one address or one domain in the queue?

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, wie...@... (Wietse Venema) wrote:

 Jeff Weinberger:
  This may seem like an odd question, but I need to find a way to
  suspend delivery of mail to one account or one domain for a short
  period of time to allow me to do a bit of maintenance.
 
  As it stands now, I use maildrop as my delivery transport for virtual
  mailboxes.
 
  Is there a way to tell postfix to hold the mail in its queue until I
  tell it I'm ready?

 /etc/postfix/transport:
 u...@...  retry:4.4.1 Service unavailable
 another.example.com   retry:4.4.1 Service unavailable

  Is this as simple as having maildrop return a temporary failure code?

 That would work, too.

 Postfix will return mail when it exceeds $maximal_queue_lifetime.

  and if that happens, postfix will retry at certain intervals (or on
  postqueue -f) right? And if that is a good way to do it, what return
  code should maildrop return?

 If using pipe-to-command: /usr/include/sysexits.h's EX_TEMPFAIL
 If using LMTP: a suitable 4XX numeric code.

   Wietse


Thank you - I should have thought of the transport map also.

i appreciate your help!





Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Wed, Jan 14, 2009 at 08:54:52PM -0600, Noel Jones wrote:

   Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
   mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@...:
   Sender address rejected: not logged in; from=katie.prev...@...
   to=myu...@... proto=SMTP helo=mail37.messagelabs.com
 
  The map lookup matched on katie.prev...@...
  If you're using SQL for this table, you need to re-examine your query.
  Test queries with something like:
 
  postmap -q katie.prev...@... mysql:/path/to/xxx.cf

 Spot on!

  Note there is a difference between not found and an empty response.

 In most cases Postfix suppresses empty results (and records a warning
 in the logs).

 On Thu, Jan 15, 2009 at 12:21:51AM -, jeff_homeip wrote:

   So either your report is incomplete/inaccurate, or you have managed to
   list all the senders you tested in smtpd_sender_login_maps (difficult
   with indexed files, easier with regexp tables and SQL lookups).
 
  Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
  mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@...:
  Sender address rejected: not logged in; from=katie.prev...@...
  to=myu...@... proto=SMTP helo=mail37.messagelabs.com
 
 
  I don't know how else to interpret this behavior, other than to conclude
  that adding that line to my master.cf caused the mail to be rejected,
  which is not what I expected.

 I suggested two possibilities (and even hinted at SQL query issues as
 a possible cause), you seem to have overlooked the second.

  smtpd_sender_login_maps = mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

 There's the problem. Now test the table as Noel suggested.

 $ echo katie.prev...@... |
   postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

 --
   Viktor.



Noel, Viktor:

I see why you think that - but I did test with postmap -q quite extensively before I added
this, sorry I didn't mention it here.

I just tested again with this result:

% /etc/postfix : postmap -q katie.prev...@morris.com
mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
% /etc/postfix :

postmap returned an empty result, which I thought was correct. Should it be returning
something different? If so, what should the result for an address not listed on my server
be?

I appreciate your help and your work to narrow down and isolate the issue here. Thanks!

--Jeff






Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Thu, Jan 15, 2009 at 05:17:07AM -, jeff_homeip wrote:

   There's the problem. Now test the table as Noel suggested.
  
   $ echo katie.prevost@ |
 postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
 
  I just tested again with this result:
 
  % /etc/postfix : postmap -q katie.prev...@...
  mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
  % /etc/postfix :

 Please use the suggested:

 echo lookup-key | postmap -q - table

 form. Also as documented, smtpd_sender_login_maps uses additional
 lookup keys:

 http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

 smtpd_sender_login_maps (default: empty)

 Optional lookup table with the SASL login names that own sender
 (MAIL FROM) addresses.

 Specify zero or more type:table lookup tables. With lookups from
 indexed files such as DB or DBM, or from networked tables such as
 NIS, LDAP or SQL, the following search operations are done with a
 sender address of u...@domain:

 1) u...@domain
 This table lookup is always done and has the highest precedence.

 2) user
 This table lookup is done only when the domain part of the sender
 address matches $myorigin, $mydestination, $inet_interfaces
 or $proxy_interfaces.

 3) @domain
 This table lookup is done last and has the lowest precedence.

 In all cases the result of table lookup must be either not found
 or a list of SASL login names separated by comma and/or whitespace.

 You need to test the full set of lookup keys (sh, ksh or bash, not csh):

 (
   echo morris.com |
   postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf 2 
   echo katie.prevost
   sleep 1
   echo katie.prev...@...
   echo @morris.com
 ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

 All this assumes that the sender address in question is unmodified...


% /etc/postfix : (
 echo morris.com |
 postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf 2 
 echo katie.prevost
 sleep 1
 echo katie.prev...@...
 echo @morris.com
 ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
% /etc/postfix :

again, an empty result set.

I'm not sure of all the possible meanings of "All this assumes that the sender address in
question is unmodified..." but I know I've left the sender address untouched and I don't
think I have anything that rewrites the sender address, so as far as I know it's unmodified.

I appreciate you continuing to seek possible causes.

I am having another issue which is not exactly this, but is related to this thread, and I
suspect there may be some relation (I think it's the same thing - getting my restriction
slightly wrong):

Per your and Wietse's suggestions, I changed:

  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject

in my submission service to:

  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

so that the permit_sasl_authenticated didn't obviate the reject_sender_login_mismatch.

Now I am unable to send mail when authenticated as me with a valid address from a client
outside of my_networks.

My master.cf submission entry is:

submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

in its unaltered entirety. my postconf -n remains as in the message in this thread of
several hours ago.

The log entry is:

Jan 14 22:10:06 s postfix/smtpd[1557]: NOQUEUE: reject: RCPT from
unknown[32.155.5.72]: 554 5.7.1 jweinber...@mac.com: Relay access denied;
from=j...@jweinberger.homeip.net to=jweinber...@mac.com proto=ESMTP
helo=[10.97.215.245]

I am using my mobile phone to test this, but I verified that it is submitting on port 587.

jweinber...@mac.com is another address that is also mine. It is listed as a valid from
address sasl authenticated user in my smtpd_sender_login_maps (so I can send messages
from that when I don't have immediate access to my regular mail client and I'm logged in
as j...@jweinberger.homeip.net).

If I send to another unrelated address, it works fine, so this is clearly caused by the fact
that the address to which I'm sending is also listed in smtpd_sender_login_maps.

I didn't expect this behavior, but I'm guessing it's what postfix is supposed to do.

Can you explain why this happens? and do you have any suggestions to avoid it?

Thank you again.





Re: Question about reject_unauthenticated_sender_login_mismatch (additional info

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Thu, Jan 15, 2009 at 05:17:07AM -, jeff_homeip wrote:

   There's the problem. Now test the table as Noel suggested.
  
   $ echo katie.prevost@ |
 postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
 
  I just tested again with this result:
 
  % /etc/postfix : postmap -q katie.prev...@...
  mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
  % /etc/postfix :

 Please use the suggested:

 echo lookup-key | postmap -q - table

 form. Also as documented, smtpd_sender_login_maps uses additional
 lookup keys:

 http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

 smtpd_sender_login_maps (default: empty)

 Optional lookup table with the SASL login names that own sender
 (MAIL FROM) addresses.

 Specify zero or more type:table lookup tables. With lookups from
 indexed files such as DB or DBM, or from networked tables such as
 NIS, LDAP or SQL, the following search operations are done with a
 sender address of u...@domain:

 1) u...@domain
 This table lookup is always done and has the highest precedence.

 2) user
 This table lookup is done only when the domain part of the sender
 address matches $myorigin, $mydestination, $inet_interfaces
 or $proxy_interfaces.

 3) @domain
 This table lookup is done last and has the lowest precedence.

 In all cases the result of table lookup must be either not found
 or a list of SASL login names separated by comma and/or whitespace.

 You need to test the full set of lookup keys (sh, ksh or bash, not csh):

 (
   echo morris.com |
   postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf 2 
   echo katie.prevost
   sleep 1
   echo katie.prev...@...
   echo @morris.com
 ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

 All this assumes that the sender address in question is unmodified...

 --
   Viktor.



Here's some additional information on the issue of not being able to send from outside
my_networks from one authorized address to another:

I restored my master.cf from my latest backup and before I started testing the
reject_(un)authorized, I had one additional smtpd_sender_restrictions listed:

  -o smtpd_sender_restrictions=$submission_sender_restrictions,reject_sender_login_mismatch,permit_sasl_authenticated,reject

in my submission service. it's defined in main.cf as:

submission_sender_restrictions = check_sender_access pcre:/etc/postfix/smtpd_sender_restrictions.pcre

smtpd_sender_restrictions.pcre is:

/^(.*)/ PREPEND X-Envelope-Sender: ${1}

just the one line where I hope I can capture the envelope sender (this is related to an
earlier issue where my spam filter failed to preserve the envelope sender, so this is a
workaround).

When I added this back, all worked fine. If I remove this one restriction
(check_sender_access), I can no longer send.

is this check_sender_access, because it's not rejecting the sender, allowing it somehow?

I thought this information might be useful or important.

Thanks again!
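
The lookup order quoted from postconf(5) in the messages above, together with the reject condition in the source excerpt earlier in the thread, modelled as an added example; it is not Postfix code and not from the thread. The tables, domains and function names are constructed, and address extensions and other Postfix lookup details are left out.

```python
"""Simplified model of how an unauthenticated MAIL FROM address is checked
against smtpd_sender_login_maps, using the three lookup keys listed in
postconf(5): user@domain, user (local domains only), @domain."""


def lookup_keys(sender, local_domains):
    """Ordered lookup keys for a sender address, highest precedence first."""
    user, sep, domain = sender.strip().lower().rpartition("@")
    if not sep or not user or not domain:
        return []
    keys = [f"{user}@{domain}"]           # 1) always tried
    if domain in local_domains:
        keys.append(user)                 # 2) only when the domain is local
    keys.append(f"@{domain}")             # 3) tried last
    return keys


def find_owner(sender, table, local_domains):
    """Return (matching key, [SASL login names]) for the first key that has a
    result, or (None, []) for 'not found'. `table` is a dict or a callable
    taking a key; empty results count as 'not found' in this model."""
    for key in lookup_keys(sender, local_domains):
        value = table(key) if callable(table) else table.get(key)
        logins = (value or "").replace(",", " ").split()
        if logins:
            return key, logins
    return None, []


def unauthenticated_verdict(sender, table, local_domains):
    """reject_unauthenticated_sender_login_mismatch for a client that has not
    logged in: reject when the sender address has an owner."""
    key, _ = find_owner(sender, table, local_domains)
    if key is None:
        return "DUNNO"
    return f"REJECT not logged in (matched key {key!r})"


# Constructed data (not from the thread).
LOCAL = {"example.org"}
STRICT = {"jeff@example.org": "jeff@example.org",
          "alias@example.org": "jeff@example.org"}


def query_ignoring_key(_key):
    """Constructed fault: a lookup that returns a row whatever key it is
    given, the kind of problem that testing every key is meant to expose."""
    return "jeff@example.org"


if __name__ == "__main__":
    for table in (STRICT, query_ignoring_key):
        for sender in ("alias@example.org", "outsider@example.com"):
            print(sender, "->", unauthenticated_verdict(sender, table, LOCAL))
```

With the exact-match table only the owned address is refused; with the lookup that ignores its key, every unauthenticated sender is refused, including addresses that belong to no local user.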





Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-12 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote:

  When a sender is not authenticated, and
  reject_unauthenticated_sender_login_mismatch is specified, postfix takes
  the MAIL FROM address, looks it up in smtpd_sender_login_maps and if
  it's found, the message is rejected?
 
  Essentially the lookup is just for the existence of the MAIL FROM
  address in the smtpd_sender_login_maps table?

 Yes, that's what I said.

  Am I then correct in concluding that with:
 
  smtpd_sender_restrictions =
  permit_sasl_authenticated,
  reject_authenticated_sender_login_mismatch,
  reject

 Observe that the order of the first two elements is not entirely
 correct.

  that the permit_sasl_authenticated obviates the need for
  reject_unauthenticated_sender_login_mismatch?
  (as there would never be an unauthenticated sender permitted...)

 Yes. this saves you a table lookup before unauthenticated senders are
 rejected outright via reject.

  And am I also correct in concluding that if unauthenticated senders were
  allowed (as they would have to be for smtpd to accept messages from the
  internet), that reject_unauthenticated_sender_login_mismatch would
  prevent any non-authenticated sender from sending a message from (with MAIL
  FROM) any address listed in my smtpd_sender_login_maps?

 Yes, that's what I said.

thank you for confirming, and allowing my still-growing knowledge of postfix to confirm
your answers. this will help quite a lot!


 --
   Viktor.







Re: forcing authenticated users to use port 587?

2009-01-08 Thread jeff_homeip
--- In post...@yahoogroups.com, Sahil Tandon sa...@... wrote:

 Jeff Weinberger wrote:

  I noticed that on several occasions,  and in the default master.cf:
 
  -o milter_macro_daemon_name=ORIGINATING
 
  is suggested for the submission service. I'm not familiar with Milters 
  and can't find information on what this is or what this does (at least 
  in my search of the docs). Can you offer any pointers to where I can
  learn more specifics about milter macro daemons and this specific one?

 This parameter is clearly defined in the documentation:
 http://www.postfix.org/postconf.5.html#milter_macro_daemon_name
 http://www.postfix.org/MILTER_README.html

Thanks for pointing it out - I've read it several times already.

ORIGINATING is not mentioned at all in MILTER_README.

And while I'm sure the postconf(5) brief explanation is meaningful to you, it means
nothing to me.

As I noted, I am completely unfamiliar with milters, and don't know what a milter daemon
is.

I don't expect a tutorial, but I am hoping that the very knowledgeable people on this list
can suggest somewhere where I can learn enough to understand what this:

milter_macro_daemon_name=ORIGINATING

does and what it means.

Any explanation of why it is suggested in the default set up in the distribution is helpful
as well.

Thank you.


  Also you noted:
 
  In the final step of my scenario, that's the behavior I want to
  achieve.
  Will that simple step work?
 
  Yes. You can completely disable submission on port 25 and prevent
  relaying to destinations you don't accept by hosts outside of
  mynetworks.
 
  Does smtpd_sasl_auth_enable = no completely disable submission and
  prevent relaying for hosts I don't accept? or is there more I have to
  make sure I do?

 This disables submission via SASL authenticated clients on port 25.

 --
 Sahil Tandon sa...@...






Re: Getting reject_sender_login_mismatch/smtpd_sender_login_maps and mysql to wo

2009-01-06 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Tue, Jan 06, 2009 at 12:16:00PM -0800, Jeff Weinberger wrote:

  Hi:
 
  I would very much appreciate any help, advice, pointers, etc. to
  resolve an issue I am encountering.
 
  I am having a challenge trying to use a mysql table for
  smtpd_sender_login_maps. Right now I have:
 
  In main.cf:
 smtpd_sender_login_maps=mysql:/path/to/map.cf
 smtpd_sender_restrictions=reject_sender_login_mismatch, 
 
  My virtual mailbox table contains the username for authentication
  (which is also the e-mail address), the password and I am using a text 
  (VARCHAR) field to hold the list of e-mail addresses that each user is 
  allowed to send from.
 
  For example, my e-mail is jeff (at) jweinberger.homeip.net. I can send
  as that e-mail, but I also want to allow sending from someothername
  (at) jweinberger.homeip.net and from jeff (at)
  some-other-domain-I-own.tld. so the table row looks like:
 
  field username: jeff (at) jweinberger.homeip.net
  field password: (password)
  field valid_from: jeff (at) jweinberger.homeip.net,  someothername
  (at) jweinberger.homeip.net, jeff (at) some-other-domain-I-own.tld

 This violates 1st normal form. Avoid multi-value fields stored as
 a concatenation. The correct schema for this uses an additional
 table to correlate addresses to users:

  The select statement in the maps.cf file is select username from
  virtual_mailbox_table where (INSTR(valid_from, '%s') > 0) which
  successfully (tested outside postfix) looks up the sender address and
  returns the login name (field: username).

 This is an inefficient table scan. You need a better schema to model this.

 --
   Viktor.



Victor: Thank you.

I know that it is not a good model for the way postfix requires the
query, but from a logical standpoint, I am trying to think about it as
which addresses is a user allowed to send from. This makes sense when
you think about a user having e-mail service through my server, and
using that to send e-mail from another unrelated valid address that
he/she owns. (validating that is also important, but not in the scope of
this issue).

So I want to associate valid from addresses with the user, not the other
way around.

I understand fully the point of view that postfix takes, asking who is
allowed to send from this e-mail address (more or less masquerade as
this e-mail identity), which makes sense also.

There may be a better schema for answering the question I am asking, but
it sounds from your response (I am assuming, possibly dangerously) that
there is no way to do what I want to do without creating another table
in the database, indexed by from address with resulting lists of users.
Is that correct?

Also, this seems that it won't work either. As inefficient as my query
is, it successfully returned the list of valid SASL users for a given
from address. But whether it found only one SASL user or a list of them,
postfix rejected the mail with the same error.

All of the above debate about the most effective way to achieve this is
helpful, but the important question is this:

Why does postfix reject the mail when the mysql query returns one or
several valid SASL users?

And, if there are multiple SASL users permitted to send e-mail from a
specific address, does postfix expect the query to return a one-row
result with the one result containing a list of valid SASL users, or to
return one row per SASL user, with each row containing the user name
only?

Any suggestions on how to make the query work?

Thank you!!
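
Added example (not part of the original thread, and not Postfix's or either poster's code): a sketch of the two lookups discussed above, the multi-value valid_from column searched with INSTR and a separate table keyed by sender address, run against SQLite so it works offline. The table and column names other than valid_from, the example.org addresses, and the login_mismatch() model of the documented reject_sender_login_mismatch behaviour are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions.
SCHEMA = """
CREATE TABLE mailbox (username TEXT PRIMARY KEY, valid_from TEXT);
CREATE TABLE sender_login (
    sender   TEXT NOT NULL,
    username TEXT NOT NULL REFERENCES mailbox(username),
    PRIMARY KEY (sender, username)  -- doubles as the index on sender
);
INSERT INTO mailbox VALUES
 ('jeff@example.org', 'jeff@example.org, other@example.org, jeff@example.net'),
 ('alice@example.org', 'alice@example.org, other@example.org');
INSERT INTO sender_login VALUES
 ('jeff@example.org', 'jeff@example.org'),
 ('other@example.org', 'jeff@example.org'),
 ('jeff@example.net', 'jeff@example.org'),
 ('alice@example.org', 'alice@example.org'),
 ('other@example.org', 'alice@example.org');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def owners_instr(conn, sender):
    """Multi-value column as in the thread: substring match, full table scan."""
    sql = ("SELECT username FROM mailbox "
           "WHERE instr(valid_from, ?) > 0 ORDER BY username")
    return [row[0] for row in conn.execute(sql, (sender,))]

def owners_normalized(conn, sender):
    """One row per (sender, login): exact match, served by the key."""
    sql = "SELECT username FROM sender_login WHERE sender = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (sender,))]

def login_mismatch(sasl_login, owners):
    """Model of the documented reject_sender_login_mismatch decision."""
    if sasl_login is None:            # client did not authenticate
        return bool(owners)           # reject when the address has an owner
    return sasl_login not in owners   # reject when the login does not own it

if __name__ == "__main__":
    db = open_db()
    for addr in ("other@example.org", "eff@example.org"):
        print(addr, owners_instr(db, addr), owners_normalized(db, addr))
```

The substring lookup reports an owner for eff@example.org, an address nobody was assigned, while the exact-match table does not. With the mysql: map the equivalent query is the equality lookup on sender, and a result of several rows reaches Postfix as a comma-separated list of logins.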





Re: how to specify an over-ride in master.cf that contains whitespace

2009-01-06 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Tue, Jan 06, 2009 at 07:07:59PM -0800, Jeff Weinberger wrote:

  According to the master(5) documentation:
  do not specify whitespace around the =. In parameter values,
  either avoid whitespace altogether, use commas instead of spaces,
  or consider overrides like -o name=$override_parameter
  with $override_parameter set in main.cf.
 
  So will this work:
  main.cf:
 $my_test_sender_restrictions=check_sender_access pcre:/path/to/file.pcre
 
  master.cf
 -o smtpd_sender_restrictions=$my_test_sender_restrictions,reject_sender_login_mismatch,.
  or am I missing something?

 http://archives.neohapsis.com/archives/postfix/2005-07/1384.html

 --
   Viktor.



Thank you very much! exactly what I needed to know. (sorry it didn't
come up when I googled...)

--Jeff





Re: Can recipient_bcc_maps be over-riden in master.cf?

2008-12-28 Thread jeff_homeip
--- In postfix-us...@yahoogroups.com, Magnus Bäck mag...@... wrote:

 On Sunday, December 28, 2008 at 08:09 CET,
  Jeff Weinberger j...@... wrote:

 [...]

  When mail arrives, the bcc is generated and sent. Then when the mail
  is injected back into postfix after the content filter, another bcc is
  generated and sent. The second bcc is, of course, undesirable.
 
  I tried adding:
 
-o recipient_bcc_maps=
 
  to the overrides for localhost:10026 (where dspam reinjects the mail)
  but that did not change the behavior. It still generated the second
  bcc.

 See FILTER_README, look for the keyword receive_override_options.

 master.cf:
 localhost:10026 inet ... smtpd
 -o receive_override_options=no_address_mappings

 Please do not start new threads by replying to old messages.

 --
 Magnus Bäck
 mag...@...


Feeling a bit stupid today - that's exactly what is suggested also in
ADDRESS_REWRITING_README right after the recipient_bcc_maps (which is
the example I followed in the first place). Sorry.

Thank you very much - and, of course, it worked perfectly!






Re: Can content_filter take a map as an argument?

2008-12-17 Thread jeff_homeip
--- In postfix-us...@yahoogroups.com, Sahil Tandon sa...@... wrote:

 jweinbergerhj wrote:

  I know it's a simple question...but does anyone know if this:
 
  content_filter=hash:/path/to/table (or mysql:/path/to/filters.cf)
 
  will work?

 No.  From postconf(5):

  content_filter (default: empty)

   The name of a mail delivery transport that filters mail after it is
   queued.

   This parameter uses the same syntax as the right-hand side of a
   Postfix transport(5) table. This setting has a lower precedence
   than a content filter that is specified with an access(5) table or
   in a header_checks(5) or body_checks(5) table.

  I'm trying to test some new content filters and want to be able to
  apply them per domain or per address (recipient) for my test and
  personal domains before I make them standard.

 You could use check_recipient_access; example:

 /etc/postfix/main.cf:
 smtpd_recipient_restrictions =
  ..
  check_recipient_access hash:/etc/postfix/filters
  ..

 /etc/postfix/filters
 recipi...@... FILTER foo:bar

 There are some caveats and limitations; for more information see:
 http://www.postfix.org/access.5.html
 http://www.postfix.org/FILTER_README.html

 --
 Sahil Tandon sa...@...

Sahil

Thanks!!

I read "This parameter uses the same syntax as the right-hand side of
a Postfix transport(5) table" as meaning it can take the same syntax
as transport_maps, i.e. a table. Maybe not.

check_recipient_access works fine, but it is problematic for me, as
the messages get passed to the content filter before alias
translation, which causes problems with aliases that map to virtual
mailboxes.

Also I would need check_recipient_access to be a mysql: table (which
it can be), but I don't know how to control the matching order in a
mysql table lookup - any ideas?

Do you (or anyone) have any ideas on how to overcome this?

I also came up with another way to do this...does anyone have any
thoughts on how this will work?

Make the content filter into the transport using transport_maps. Then
when the content filter injects the messages back into postfix, use
master.cf -o transport_maps to override and make the actual transport
maps effective.

Will that work?

Thanks for your help!

--Jeff