Re: Redirect all mail from one domain to the same u...@otherdomain?
--- In postfix-us...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

On Sun, Feb 08, 2009 at 09:50:16PM -0800, Jeff Weinberger wrote:

I am trying to figure out the best way to map one domain to another with the same users...precisely the behavior I am trying to achieve is: when mail is sent (from outside, or from another user within my postfix installation) to u...@... I want it redirected to u...@... - in other words, the user is preserved, but the domain is translated/rewritten. To be more specific:

    us...@... gets re-routed to us...@...
    us...@... gets re-routed to us...@...

- Are you looking to rewrite just the envelope recipient, or also message From/To/Cc headers?

It's only important to rewrite the envelope sender. The result I want is that the message is delivered to *...@domain2.tld - if it has the original To/Cc header that's fine, and probably desirable.

- Is all mail first passed through an SMTP content_filter?

Yes. All mail coming from outside my server is passed through amavisd-new for spam/virus checking. Mail originating from my server is passed through a specialized content filter. (via the submission service) It is important that this rewrite apply to messages coming from outside as well as those originating on my server.

- Are all the original and rewritten recipients delivered to another host via SMTP, or is some of the mail delivered locally (local, virtual, ...)?

I'm not completely sure this answers your question, but the message may be only to u...@domain1.tld or to a number of addresses including u...@domain1.tld. Only the copy of the message to u...@domain1.tld should get rerouted to u...@domain2.tld. Both domain1.tld and domain2.tld are mine and my postfix instance is the MX for them. domain1.tld is an alias domain and domain2.tld is a virtual domain.

My initial guess is to use recipient_canonical_maps and use a pcre map:

    /^(.*)@domain1.tld/ {$1)@domain2.tld

This guess is wrong for many reasons, but I think it best to first understand what problem you are really trying to solve, before we tear apart the wrong answer to potentially the wrong question.

Thank you...but I would also like to know if I can impose on your time, what is wrong with this - it will help me better solve this and future problems.

I don't see a way to achieve this with alias_maps and header_checks (with action REDIRECT) would miss messages sent to u...@... where that is not the To: or Cc: address (such as list mail).

This is worse.

That I understood. Thanks.

Really, I am just checking with experts more knowledgeable than I whether I have chosen a good (or the best) way to achieve this, or if there is a better way.

Yes, there is a correct way of solving your problem, but first describe your problem in more detail.

Does that help? Please let me know if there is any more detail I can provide. Thank you for your help!

-- Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@...?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.
Re: Redirect all mail from one domain to the same u...@otherdomain?
--- In post...@yahoogroups.com, mouss mo...@... wrote:

jeff_homeip wrote:

--- In postfix-us...@yahoogroups.com, Victor Duchovni Victor.Duchovni@ wrote:

On Sun, Feb 08, 2009 at 09:50:16PM -0800, Jeff Weinberger wrote:

I am trying to figure out the best way to map one domain to another with the same users...precisely the behavior I am trying to achieve is: when mail is sent (from outside, or from another user within my postfix installation) to user@ I want it redirected to user@ - in other words, the user is preserved, but the domain is translated/rewritten. To be more specific:

    user1@ gets re-routed to user1@
    user2@ gets re-routed to user2@

- Are you looking to rewrite just the envelope recipient, or also message From/To/Cc headers?

It's only important to rewrite the envelope sender.

you mean the envelope recipient.

yes, sorry, my typo.

if so, use virtual_alias_maps. however, don't use wildcard virtual aliases. instead, generate one mapping for each user:

    us...@... us...@...
    ...

that creates some complications...and might be too difficult but why not use wildcard virtual aliases? You noted below that they break recipient validations. Do you mean that smtp_recipient_restrictions won't work? at all or parts? Wildcard virtual aliases seems like the best way but I want to understand the implications on everything else before I proceed. Thanks!

The reason is that if you use

    @example.com @example.org

then this breaks recipient validation: smtpd will accept anything@example.com, then at delivery time, the user won't be found and a bounce will be generated. in short, you become a source of backscatter (you send bounces to innocents whose addresses were forged by spammers)

Unless I don't bounce unknown addresses

you can generate the individual mappings with a script. alternatively, if you store users in sql, you can use sql statements to generate these on the fly. examples have been posted multiple times to the list (a long time ago, that said, but you may be lucky...).

it would be something like:

    if (%d='domain1.com') then select %...@domain2..com from virtual_alias else select alias from virtual_alias where address=%s

(that's not quite right in the syntax, but you get the idea).

This won't work, as I'd have to write a special select clause for each domain I want to work this way.

The result I want is that the message is delivered to *...@domain2.tld - if it has the original To/Cc header that's fine, and probably desirable.

so you want virtual_alias_maps (yes, these apply to _all_ domains. don't confuse with virtual_alias_domains).

- Is all mail first passed through an SMTP content_filter?

Yes. All mail coming from outside my server is passed through amavisd-new for spam/virus checking. Mail originating from my server is passed through a specialized content filter. (via the submission service)

you must disable rewrite except in one smtpd in a chain. see the FILTER README (look for no_address_mappings) or amavisd-new README.postfix. if you don't, then virtual aliases will be expanded twice (before and after the filter), which may result in duplicate mail (think of a foo -> foo, bar, which becomes foo -> foo, foo, bar if expanded twice).

I already do that..thanks

It is important that this rewrite apply to messages coming from outside as well as those originating on my server.

virtual_alias_maps apply to all mail.

- Are all the original and rewritten recipients delivered to another host via SMTP, or is some of the mail delivered locally (local, virtual, ...)?

I'm not completely sure this answers your question, but the message may be only to u...@... or to a number of addresses including u...@... Only the copy of the message to u...@... should get rerouted to u...@... Both domain1.tld and domain2.tld are mine and my postfix instance is the MX for them. domain1.tld is an alias domain and domain2.tld is a virtual domain.

My initial guess is to use recipient_canonical_maps and use a pcre map:

    /^(.*)@domain1.tld/ {$1)@domain2.tld

This guess is wrong for many reasons, but I think it best to first understand what problem you are really trying to solve, before we tear apart the wrong answer to potentially the wrong question.

Thank you...but I would also like to know if I can impose on your time, what is wrong with this - it will help me better solve this and future problems.

see above. wildcard virtual aliases and canonical break recipient validations.

[snip]
Re: Question about reject_unauthenticated_sender_login_mismatch
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote:

When a sender is not authenticated, and reject_unauthenticated_sender_login_mismatch is specified, postfix takes the MAIL FROM address, looks it up in smtpd_sender_login_maps and if it's found, the message is rejected? Essentially the lookup is just for the existence of the MAIL FROM address in the smtpd_sender_login_maps table?

Yes, that's what I said.

Am I then correct in concluding that with:

    smtpd_sender_restrictions = permit_sasl_authenticated, reject_authenticated_sender_login_mismatch, reject

Observe that the order of the first two elements is not entirely correct.

that the permit_sasl_authenticated obviates the need for reject_unauthenticated_sender_login_mismatch? (as there would never be an unauthenticated sender permitted...)

Yes. this saves you a table lookup before unauthenticated senders are rejected outright via reject.

And am I also correct in concluding that if unauthenticated senders were allowed (as they would have to be for smtpd to accept messages from the internet), that reject_unauthenticated_sender_login_mismatch would prevent any non-authenticated sender from sending a message from (with MAIL FROM) any address listed in my smtpd_sender_login_maps?

Yes, that's what I said.

I think I've misunderstood this again. here's the behavior I observed:

I added

    -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch

to my master.cf smtp service entry (receiving mail on port 25). It then rejected all mail. Each message was rejected because the sender was not authenticated. This is obviously undesirable behavior for this service, as I will never receive any mail.

The behavior I was seeking was that it would reject messages where the MAIL FROM is one of the addresses that validly authenticates. In other words if a spammer were to forge the MAIL FROM address as one of my valid users, then send the message to that same user or any other user on my server, postfix would reject it, knowing that that particular address should be sent from a matching (smtpd_sender_login_maps) authenticated user.

Further, any mail received with a MAIL FROM that is not listed in my smtpd_sender_login_maps should then be permitted to pass, at least to the next check.

Given that reject_unauthenticated_sender_login_mismatch does not produce this behavior, is there another way to produce this behavior? (with the obvious corollary - is there any reason I would not want to do so?)

Thank you!!
Re: Question about reject_unauthenticated_sender_login_mismatch
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

On Wed, Jan 14, 2009 at 11:15:54PM -, jeff_homeip wrote:

I think I've misunderstood this again. here's the behavior I observed: I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to my master.cf smtp service entry (receiving mail on port 25). It then rejected all mail. Each message was rejected because the sender was not authenticated.

You should not really expect us to help you with this with no log entries, associated postconf -n, and actual master.cf entries.

I'm always happy to provide whatever might be helpful, and yet always conscious of excessively long messages. I generally don't post postconf -n in its entirety for that and disclosure reasons (yes, I'm paranoid). But I try to give the relevant entries and anything else you think will help.

The behavior I was seeking was that it would reject messages where the MAIL FROM is one of the addresses that validly authenticates.

The reject_unauthenticated_sender_login_mismatch feature only rejects addresses listed in the smtpd_sender_login_maps table:

    /*
     * Reject if the client is not logged in and the sender address has an
     * owner.
     */
    if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
        reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache, sender);
        if (reply->flags & RESOLVE_FLAG_FAIL)
            reject_dict_retry(state, sender);
        if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                 STR(reply->recipient), (char **) 0) != 0)
            return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                       "<%s>: Sender address rejected: not logged in", sender));
    }

So either your report is incomplete/inaccurate, or you have managed to list all the senders you tested in smtpd_sender_login_maps (difficult with indexed files, easier with regexp tables and SQL lookups).

Given that reject_unauthenticated_sender_login_mismatch does not produce this behavior, [ ... ]

With false premises you can reach any conclusion.

I am quite certain that my premises are not false. I tested it with senders who I know for a fact ARE listed in the smtpd_sender_login_maps both as authenticated (they were accepted) and from another client that did not authenticate (they were properly rejected).

Then I waited for someone else to send mail to one of my users. Here is the log entry that was produced:

    Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com: Sender address rejected: not logged in; from=katie.prev...@morris.com to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com

only altered to avoid posting one of my users' e-mail addresses and otherwise as logged.

The address logged as from=... is not in my smtpd_sender_login_maps (I looked again to be sure) and is not a user or sender on my server at all.

The master.cf entry is:

    smtp inet n - n - - smtpd
      -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch

that is the only line I used.

I would expect the above-mentioned mail to be permitted, and in other cases I have had no problems.

Immediately after seeing this in the logs, I removed the -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch from my master.cf entry, and since then no mail has been rejected with a reason of not logged in.

I don't know how else to interpret this behavior, other than to conclude that adding that line to my master.cf caused the mail to be rejected, which is not what I expected.

Knowing that I cannot determine, apparently, what will be helpful in diagnosing this behavior or suggesting ways I can achieve the desired behavior, I am posting below my complete postconf -n (some addresses and sensitive items edited out as noted, but otherwise unaltered).

I am hoping that you or someone will either identify what I've done wrong or help me find a way to achieve the desired behavior. If there is any additional information I have not provided here that would be helpful in doing one of these two, please ask - I will provide as much as I am able.

Thank you for your help.

--Jeff

postconf -n:

    alias_database = mysql:/etc/postfix/mysql_alias_maps.cf
    alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    default_verp_delimiters = +=
    disable_vrfy_command = yes
    html_directory = /etc/postfix/html
    inet_interfaces = all
    local_recipient_maps =
    luser_relay = address hidden
    mail_owner = postfix user
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    message_size_limit = 0
    mydestination = mysql
Re: holding messages for one address or one domain in the queue?
--- In post...@yahoogroups.com, wie...@... (Wietse Venema) wrote:

Jeff Weinberger:

This may seem like an odd question, but I need to find a way to suspend delivery of mail to one account or one domain for a short period of time to allow me to do a bit of maintenance. As it stands now, I use maildrop as my delivery transport for virtual mailboxes. Is there a way to tell postfix to hold the mail in its queue until I tell it I'm ready?

/etc/postfix/transport:

    u...@...               retry:4.4.1 Service unavailable
    another.example.com    retry:4.4.1 Service unavailable

Is this as simple as having maildrop return a temporary failure code?

That would work, too. Postfix will return mail when it exceeds $maximal_queue_lifetime.

and if that happens, postfix will retry at certain intervals (or on postqueue -f) right?

And if that is a good way to do it, what return code should maildrop return?

If using pipe-to-command: /usr/include/sysexits.h's EX_TEMPFAIL

If using LMTP: a suitable 4XX numeric code.

Wietse

Thank you - I should have thought of the transport map also. i appreciate your help!
Re: Question about reject_unauthenticated_sender_login_mismatch
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

On Wed, Jan 14, 2009 at 08:54:52PM -0600, Noel Jones wrote:

    Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@...: Sender address rejected: not logged in; from=katie.prev...@... to=myu...@... proto=SMTP helo=mail37.messagelabs.com

The map lookup matched on katie.prev...@... If you're using SQL for this table, you need to re-examine your query. Test queries with something like:

    postmap -q katie.prev...@... mysql:/path/to/xxx.cf

Spot on! Note there is a difference between not found and an empty response. In most cases Postfix suppresses empty results (and records a warning in the logs).

On Thu, Jan 15, 2009 at 12:21:51AM -, jeff_homeip wrote:

So either your report is incomplete/inaccurate, or you have managed to list all the senders you tested in smtpd_sender_login_maps (difficult with indexed files, easier with regexp tables and SQL lookups).

    Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@...: Sender address rejected: not logged in; from=katie.prev...@... to=myu...@... proto=SMTP helo=mail37.messagelabs.com

I don't know how else to interpret this behavior, other than to conclude that adding that line to my master.cf caused the mail to be rejected, which is not what I expected.

I suggested two possibilities (and even hinted at SQL query issues as a possible cause), you seem to have overlooked the second.

    smtpd_sender_login_maps = mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

There's the problem. Now test the table as Noel suggested.

    $ echo katie.prev...@... | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

-- Viktor.

Noel, Viktor:

I see why you think that - but I did test with postmap -q quite extensively before I added this, sorry I didn't mention it here.

I just tested again with this result:

    % /etc/postfix : postmap -q katie.prev...@morris.com mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
    % /etc/postfix :

postmap returned an empty result, which I thought was correct. Should it be returning something different? If so, what should the result for an address not listed on my server be?

I appreciate your help and your work to narrow down and isolate the issue here.

Thanks!

--Jeff
Re: Question about reject_unauthenticated_sender_login_mismatch
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

On Thu, Jan 15, 2009 at 05:17:07AM -, jeff_homeip wrote:

There's the problem. Now test the table as Noel suggested.

    $ echo katie.prevost@ | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

I just tested again with this result:

    % /etc/postfix : postmap -q katie.prev...@... mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
    % /etc/postfix :

Please use the suggested:

    echo lookup-key | postmap -q - table

form. Also as documented, smtpd_sender_login_maps uses additional lookup keys:

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

smtpd_sender_login_maps (default: empty)

Optional lookup table with the SASL login names that own sender (MAIL FROM) addresses. Specify zero or more type:table lookup tables. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of u...@domain:

1) u...@domain
   This table lookup is always done and has the highest precedence.
2) user
   This table lookup is done only when the domain part of the sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
3) @domain
   This table lookup is done last and has the lowest precedence.

In all cases the result of table lookup must be either not found or a list of SASL login names separated by comma and/or whitespace.

You need to test the full set of lookup keys (sh, ksh or bash, not csh):

    (
      echo morris.com |
        postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf >&2 &&
          echo katie.prevost
      sleep 1
      echo katie.prev...@...
      echo @morris.com
    ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

All this assumes that the sender address in question is unmodified...

    % /etc/postfix : ( echo morris.com | postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf >&2 && echo katie.prevost
    sleep 1
    echo katie.prev...@...
    echo @morris.com ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
    % /etc/postfix :

again, an empty result set.

I'm not sure of all the possible meanings of "All this assumes that the sender address in question is unmodified..." but I know I've left the sender address untouched and I don't think I have anything that rewrites the sender address, so as far as I know it's unmodified.

I appreciate you continuing to seek possible causes.

I am having another issue which is not exactly this, but is related to this thread, and i suspect there may be some relation (I think it's the same thing - getting my restriction slightly wrong):

Per your and Wietse's suggestions, I changed:

    -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject

in my submission service to:

    -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

so that the permit_sasl_authenticated didn't obviate the reject_sender_login_mismatch.

Now I am unable to send mail when authenticated as me with a valid address from a client outside of my_networks.

My master.cf submission entry is:

    submission inet n - n - - smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

in its unaltered entirety. my postconf -n remains as in the message in this thread of several hours ago.

The log entry is:

    Jan 14 22:10:06 s postfix/smtpd[1557]: NOQUEUE: reject: RCPT from unknown[32.155.5.72]: 554 5.7.1 jweinber...@mac.com: Relay access denied; from=j...@jweinberger.homeip.net to=jweinber...@mac.com proto=ESMTP helo=[10.97.215.245]

I am using my mobile phone to test this, but I verified that it is submitting on port 587.

jweinber...@mac.com is another address that is also mine. It is listed as a valid from address sasl authenticated user in my smtpd_sender_login_maps (so I can send messages from that when I don't have immediate access to my regular mail client and I'm logged in as j...@jweinberger.homeip.net).

If I send to another unrelated address, it works fine, so this is clearly caused by the fact that the address to which I'm sending is also listed in smtpd_sender_login_maps.

I didn't expect this behavior, but I'm guessing it's what postfix is supposed to do. Can you explain why this happens? and do you have any suggestions to avoid it?

Thank you again.
Re: Question about reject_unauthenticated_sender_login_mismatch (additional info
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

On Thu, Jan 15, 2009 at 05:17:07AM -, jeff_homeip wrote:

There's the problem. Now test the table as Noel suggested.

    $ echo katie.prevost@ | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

I just tested again with this result:

    % /etc/postfix : postmap -q katie.prev...@... mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
    % /etc/postfix :

Please use the suggested:

    echo lookup-key | postmap -q - table

form. Also as documented, smtpd_sender_login_maps uses additional lookup keys:

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

smtpd_sender_login_maps (default: empty)

Optional lookup table with the SASL login names that own sender (MAIL FROM) addresses. Specify zero or more type:table lookup tables. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of u...@domain:

1) u...@domain
   This table lookup is always done and has the highest precedence.
2) user
   This table lookup is done only when the domain part of the sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
3) @domain
   This table lookup is done last and has the lowest precedence.

In all cases the result of table lookup must be either not found or a list of SASL login names separated by comma and/or whitespace.

You need to test the full set of lookup keys (sh, ksh or bash, not csh):

    (
      echo morris.com |
        postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf >&2 &&
          echo katie.prevost
      sleep 1
      echo katie.prev...@...
      echo @morris.com
    ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

All this assumes that the sender address in question is unmodified...

-- Viktor.

Here's some additional information on the issue of not being able to send from outside my_networks from one authorized address to another:

I restored my master.cf from my latest backup and before I started testing the reject_(un)authorized, I had one additional smtpd_sender_restrictions listed:

    -o smtpd_sender_restrictions=$submission_sender_restrictions,reject_sender_login_mismatch,permit_sasl_authenticated,reject

in my submission service.

it's defined in main.cf as:

    submission_sender_restrictions = check_sender_access pcre:/etc/postfix/smtpd_sender_restrictions.pcre

smtpd_sender_restrictions.pcre is:

    /^(.*)/ PREPEND X-Envelope-Sender: ${1}

just the one line where I hope I can capture the envelope sender (this is related to an earlier issue where my spam filter failed to preserve the envelope sender, so this is a workaround).

When I added this back, all worked fine. If I remove this one restriction (check_sender_access), I can no longer send.

is this check_sender_access, because it's not rejecting the sender, allowing it somehow?

I thought this information might be useful or important.

Thanks again!
Re: Question about reject_unauthenticated_sender_login_mismatch
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote:

When a sender is not authenticated, and reject_unauthenticated_sender_login_mismatch is specified, postfix takes the MAIL FROM address, looks it up in smtpd_sender_login_maps and if it's found, the message is rejected? Essentially the lookup is just for the existence of the MAIL FROM address in the smtpd_sender_login_maps table?

Yes, that's what I said.

Am I then correct in concluding that with:

    smtpd_sender_restrictions = permit_sasl_authenticated, reject_authenticated_sender_login_mismatch, reject

Observe that the order of the first two elements is not entirely correct.

that the permit_sasl_authenticated obviates the need for reject_unauthenticated_sender_login_mismatch? (as there would never be an unauthenticated sender permitted...)

Yes. this saves you a table lookup before unauthenticated senders are rejected outright via reject.

And am I also correct in concluding that if unauthenticated senders were allowed (as they would have to be for smtpd to accept messages from the internet), that reject_unauthenticated_sender_login_mismatch would prevent any non-authenticated sender from sending a message from (with MAIL FROM) any address listed in my smtpd_sender_login_maps?

Yes, that's what I said.

thank you for confirming, and allowing my still-growing knowledge of postfix to confirm your answers. this will help quite a lot!

-- Viktor.
Re: forcing authenticated users to use port 587?
--- In post...@yahoogroups.com, Sahil Tandon sa...@... wrote:

Jeff Weinberger wrote:

I noticed that on several occasions, and in the default master.cf:

    -o milter_macro_daemon_name=ORIGINATING

is suggested for the submission service. I'm not familiar with Milters and can't find information on what this is or what this does (at least in my search of the docs). Can you offer any pointers to where I can learn more specifics about milter macro daemons and this specific one?

This parameter is clearly defined in the documentation:

http://www.postfix.org/postconf.5.html#milter_macro_daemon_name
http://www.postfix.org/MILTER_README.html

Thanks for pointing it out - I've read it several times already. ORIGINATING is not mentioned at all in MILTER_README. And while I'm sure the postconf(5) brief explanation is meaningful to you, it means nothing to me. As I noted, I am completely unfamiliar with milters, and don't know what a milter daemon is.

I don't expect a tutorial, but I am hoping that the very knowledgeable people on this list can suggest somewhere where I can learn enough to understand what this: milter_macro_daemon_name=ORIGINATING does and what it means. Any explanation of why it is suggested in the default set up in the distribution is helpful as well.

Thank you.

Also you noted:

In the final step of my scenario, that's the behavior I want to achieve. Will that simple step work?

Yes. You can completely disable submission on port 25 and prevent relaying to destinations you don't accept by hosts outside of mynetworks.

Does smtpd_sasl_auth_enable = no completely disable submission and prevent relaying for hosts I don't accept? or is there more I have to make sure I do?

This disables submission via SASL authenticated clients on port 25.

-- Sahil Tandon sa...@...
Re: Getting reject_sender_login_mismatch/smtpd_sender_login_maps and mysql to wo
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote: On Tue, Jan 06, 2009 at 12:16:00PM -0800, Jeff Weinberger wrote: Hi: I would very much appreciate any help, advice, pointers, etc. to resolve an issue I am encountering. I am having a challenge trying to use a mysql table for smtpd_sender_login_maps. Right now I have: In main.cf: smtpd_sender_login_maps=mysql:/path/to/map.cf smtpd_sender_restrictions=reject_sender_login_mismatch, My virtual mailbox table contains the username for authentication (which is also the e-mail address), the password and I am using a text (VARCHAR) field to hold the list of e-mail addresses that each user is allowed to send from. For example, my e-mail is jeff (at) jweinberger.homeip.net. I can send as that e-mail, but I also want to allow sending from someothername (at) jweinberger.homeip.net and from jeff (at) some-other-domain-I- own.tld. so the table row looks like: field username: jeff (at) jweinberger.homeip.net field password: (password) field valid_from: jeff (at) jweinberger.homeip.net, someothername (at) jweinberger.homeip.net, jeff (at) some-other-domain-I-own.tld This violates 1st normal form. Avoid multi-value fields stored as a concatenation. The correct schema for this uses an additional table to correlate addresses to users: The select statement in the maps.cf file is select username from virtual_mailbox_table where (INSTR(valid_from, %s) 0) which successfully (tested outside postfix) looks up the sender address and returns the login name (field: username). This is an inefficient table scan. You need a better schema to model this. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. 
Victor: Thank you. I know that it is not a good model for the way postfix requires the query, but from a logical standpoint, I am trying to think about it as which addresses is a user allowed to send from. This makes sense when you think about a user having e-mail service through my server, and using that to send e-mail from another unrelated valid address that he/she owns. (validating that is also important, but not in the scope of this issue). So I want to associate valid from addresses with the user, not the other way around. I understand fully the point of view that postfix takes, asking who is allowed to send from this e-mail address (more or less masquerade as this e-mail identity), which makes sense also. There may be a better schema for answering the question I am asking, but it sounds from your response (I am assuming, possibly dangerously) that there is no way to do what I want to do without creating another table in the database, indexed by from address with resulting lists of users. Is that correct? Also, this seems that it won't work either. As inefficient as my query is, it successfully returned the list of valid SASL users for a given from address. But whether it found only one SASL user or a list of them, postfix rejected the mail with the same error. All of the above debate about the most effective way to achieve this is helpful, but the important question is this: Why does postfix reject the mail when the mysql query returns one or several valid SASL users?
And, if there are multiple SASL users permitted to send e-mail from a specific address, does postfix expect the query to return a one-row result with the one result containing a list of valid SASL users, or to return one row per SASL user, with each row containing the user name only? Any suggestions on how to make the query work? Thank you!!
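The separate address-to-login table suggested in this thread, as an added example that is not code from any of the posters: it compares the substring lookup over the packed `valid_from` field with an exact, indexed lookup, and shows that the substring match also returns an owner for an address nobody listed. SQLite stands in for MySQL, and the `sender_login` table, the example.org addresses and the `sender_permitted` model of the mismatch check are assumptions.

```python
import sqlite3

# Constructed sample data. SQLite stands in for MySQL; table and address names are assumptions.
db = sqlite3.connect(":memory:")
db.executescript("""
-- Layout from the thread: every permitted sender address packed into one text field.
CREATE TABLE mailbox (username TEXT PRIMARY KEY, valid_from TEXT);
INSERT INTO mailbox VALUES
  ('jeff@example.org',  'jeff@example.org, someothername@example.org, sales@example.org'),
  ('alice@example.org', 'alice@example.org, sales@example.org');
-- Normalized layout: one row per (sender address, SASL login) pair, keyed by sender.
CREATE TABLE sender_login (
  sender TEXT NOT NULL,
  login  TEXT NOT NULL REFERENCES mailbox(username),
  PRIMARY KEY (sender, login)
);
INSERT INTO sender_login VALUES
  ('jeff@example.org',          'jeff@example.org'),
  ('someothername@example.org', 'jeff@example.org'),
  ('sales@example.org',         'jeff@example.org'),
  ('alice@example.org',         'alice@example.org'),
  ('sales@example.org',         'alice@example.org');
""")

SUBSTRING_QUERY = "SELECT username FROM mailbox WHERE instr(valid_from, ?) > 0"
EXACT_QUERY = "SELECT login FROM sender_login WHERE sender = ?"

def logins(query, sender):
    """Logins the lookup returns as owners of `sender`."""
    return sorted(row[0] for row in db.execute(query, (sender,)))

def sender_permitted(login, sender, query=EXACT_QUERY):
    """Model of reject_sender_login_mismatch as documented in postconf(5)."""
    owners = logins(query, sender)
    if login is None:          # client did not authenticate
        return not owners      # owned addresses need a login
    return login in owners     # the login must own the address

def plan(query):
    """First step of SQLite's query plan: SCAN (whole table) or SEARCH (index)."""
    return db.execute("EXPLAIN QUERY PLAN " + query, ("x",)).fetchone()[-1]

if __name__ == "__main__":
    for q in (SUBSTRING_QUERY, EXACT_QUERY):
        print(plan(q))
        print("  name@example.org ->", logins(q, "name@example.org"))
        print("  sales@example.org ->", logins(q, "sales@example.org"))
```

With the packed field, `name@example.org` matches inside `someothername@example.org`, so the lookup names an owner for an address that was never granted; the exact-match table returns nothing for it.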
Re: how to specify an over-ride in master.cf that contains whitespace
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote: On Tue, Jan 06, 2009 at 07:07:59PM -0800, Jeff Weinberger wrote: According to the master(5) documentation: do not specify whitespace around the =. In parameter values, either avoid whitespace altogether, use commas instead of spaces, or consider overrides like -o name=$override_parameter with $override_parameter set in main.cf. So will this work: main.cf: $my_test_sender_restrictions=check_sender_access pcre:/path/to/file.pcre master.cf -o smtpd_sender_restrictions=$my_test_sender_restrictions,reject_sender_login_mismatch,. or am I missing something? http://archives.neohapsis.com/archives/postfix/2005-07/1384.html -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. Thank you very much! exactly what I needed to know. (sorry it didn't come up when I googled...) --Jeff
Re: Can recipient_bcc_maps be over-riden in master.cf?
--- In postfix-us...@yahoogroups.com, Magnus Bäck mag...@... wrote: On Sunday, December 28, 2008 at 08:09 CET, Jeff Weinberger j...@... wrote: [...] When mail arrives, the bcc is generated and sent. Then when the mail is injected back into postfix after the content filter, another bcc is generated and sent. The second bcc is, of course, undesirable. I tried adding: -o recipient_bcc_maps= to the overrides for localhost:10026 (where dspam reinjects the mail) but that did not change the behavior. It still generated the second bcc. See FILTER_README, look for the keyword receive_override_options. master.cf: localhost:10026 inet ... smtpd -o receive_override_options=no_address_mappings Please do not start new threads by replying to old messages. -- Magnus Bäck mag...@... Feeling a bit stupid today - that's exactly what is suggested also in ADDRESS_REWRITING_README right after the recipient_bcc_maps (which is the example I followed in the first place). Sorry. Thank you very much - and, of course, it worked perfectly!
Re: Can content_filter take a map as an argument?
--- In postfix-us...@yahoogroups.com, Sahil Tandon sa...@... wrote: jweinbergerhj wrote: I know it's a simple question...but does anyone know if this: content_filter=hash:/path/to/table (or mysql:/path/to/filters.cf) will work? No. From postconf(5): content_filter (default: empty) The name of a mail delivery transport that filters mail after it is queued. This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table. This setting has a lower precedence than a content filter that is specified with an access(5) table or in a header_checks(5) or body_checks(5) table. I'm trying to test some new content filters and want to be able to apply them per domain or per address (recipient) for my test and personal domains before I make them standard. You could use check_recipient_access; example: /etc/postfix/main.cf: smtpd_recipient_restrictions = .. check_recipient_access hash:/etc/postfix/filters .. /etc/postfix/filters recipi...@... FILTER foo:bar There are some caveats and limitations; for more information see: http://www.postfix.org/access.5.html http://www.postfix.org/FILTER_README.html -- Sahil Tandon sa...@... Sahil Thanks!! I read This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table as meaning it can take the same syntax as transport_maps, i.e. a table. Maybe not. check_recipient_access works fine, but it is problematic for me, as the messages get passed to the content filter before alias translation, which causes problems with aliases that map to virtual mailboxes. Also I would need check_recipient_access to be a mysql: table (which it can be), but I don't know how to control the matching order in a mysql table lookup - any ideas? Do you (or anyone) have any ideas on how to overcome this? I also came up with another way to do this...does anyone have any thoughts on how this will work? Make the content filter into the transport using transport_maps.
Then when the content filter injects the messages back into postfix, use master.cf -o transport_maps to override and make the actual transport maps effective. Will that work? Thanks for your help! --Jeff