Re: Why does smtp ignore trivial-rewrite's next hop, replacing it with main.cf's relayhost or DNS-MX-resolution?

2022-07-08 Thread Wietse Venema
The Postfix SMTP client is not as smart as you appear to believe.
It receives the nexthop from the queue manager.

- If the nexthop from the queue manager is an [ipaddress] then the
  SMTP client uses that address.

- If the nexthop from the queue manager is a domain name, then the
  SMTP client uses DNS (depending on smtp_host_lookup configuration).

When will the queue manager ignore the nexthop from trivial-rewrite?
The queue manager will override that nexthop when a destination is
specified with REDIRECT or FILTER.

Instead of debug logging, all we need is "postconf -n" command
output, non-debug logging, and perhaps "postconf -P" command output.
Based on that we can find out if any table queries are needed.

Wietse


Re: Why does smtp ignore trivial-rewrite's next hop, replacing it with main.cf's relayhost or DNS-MX-resolution?

2022-07-08 Thread Postfix-jtroendle

Good evening Wietse, your help is very much appreciated :)

On 08.07.2022 at 17:04, Wietse Venema wrote:

> When will the queue manager ignore the nexthop from trivial-rewrite?
> The queue manager will override that nexthop when a destination is
> specified with REDIRECT or FILTER.


Maybe I accidentally set up a REDIRECT or FILTER.

postconf -n
compatibility_level = 3.6
inet_protocols = ipv4
mydomain = mydomain.com
myhostname = smarthost.mydomain.com
mynetworks = 127.0.0.0/8
relayhost = [4.4.4.1]
smtp_tls_note_starttls_offer = yes
smtpd_tls_cert_file = /etc/ssl/certs/smarthost_mydomain_com-fullchain.crt
smtpd_tls_key_file = /etc/ssl/private/smarthost_mydomain_com.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_prng_update_period = 3600s
tls_random_source = dev:/dev/urandom

postconf -P
smtp/inet/content_filter =
smtp/inet/mynetworks = /etc/postfix/exo_networks
smtp/inet/smtp_tls_mandatory_ciphers = high
smtp/inet/smtp_tls_mandatory_protocols = >=TLSv1.2
smtp/inet/smtp_tls_security_level = encrypt
smtp/inet/smtpd_client_restrictions = permit_mynetworks,reject
submission/inet/content_filter =
submission/inet/rewrite_service_name = submission-rewrite
submission/inet/smtp_tls_security_level = encrypt
submission/inet/smtpd_client_restrictions = permit_sasl_authenticated,reject
submission/inet/smtpd_sasl_auth_enable = yes
submission/inet/smtpd_sasl_path = private/auth
submission/inet/smtpd_sasl_security_options = noanonymous
submission/inet/smtpd_sasl_tls_security_options = noanonymous
submission/inet/smtpd_sasl_type = dovecot
submission/inet/syslog_name = postfix/submission
2525/inet/content_filter =
2525/inet/mynetworks = 127.0.0.0/8,10.10.10.0/24,10.11.20.0/24,10.10.30.0/24
2525/inet/receive_override_options = no_unknown_recipient_checks,no_header_body_checks,no_milters

2525/inet/rewrite_service_name = from-relay-rewrite
2525/inet/smtpd_client_restrictions =
2525/inet/smtpd_helo_restrictions =
2525/inet/smtpd_recipient_restrictions = permit_mynetworks,reject
2525/inet/smtpd_relay_restrictions =
2525/inet/smtpd_sender_restrictions =
submission-rewrite/unix/sender_dependent_relayhost_maps = hash:/etc/postfix/transport_to_senders_relay
submission-rewrite/unix/syslog_name = postfix/submission-rewrite
submission-rewrite/unix/transport_maps = hash:/etc/postfix/transport_to_exo_domains
from-relay-rewrite/unix/relayhost = [mydomain-com02b.mail.protection.outlook.com]

relay/unix/syslog_name = postfix/$service_name

The services "smtp" and "2525" are only placeholders right now. I tried
to get the "submission" service up and running first; that is where I
ran into the nexthop issue.



The non-debug log of an e-mail from testa to testa is

Jul  8 19:02:04 localhost postfix/submission/smtpd[106104]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jul  8 19:02:05 localhost postfix/submission/smtpd[106104]: connect from XYZ.dynamic.kabel-deutschland.de[188.194.X.Y]
Jul  8 19:02:06 localhost postfix/submission/smtpd[106104]: Anonymous TLS connection established from XYZ.dynamic.kabel-deutschland.de[188.194.X.Y]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
Jul  8 19:02:08 localhost postfix/submission/smtpd[106104]: C9C5E4A99A: client=XYZ.dynamic.kabel-deutschland.de[188.194.X.Y], sasl_method=PLAIN, sasl_username=m...@mydomain.com
Jul  8 19:02:08 localhost postfix/cleanup[106110]: C9C5E4A99A: message-id=
Jul  8 19:02:08 localhost postfix/qmgr[106093]: C9C5E4A99A: from=, size=868, nrcpt=1 (queue active)
Jul  8 19:02:08 localhost postfix/submission/smtpd[106104]: disconnect from XYZ.dynamic.kabel-deutschland.de[188.194.X.Y] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jul  8 19:02:38 localhost postfix/smtp[106112]: connect to 4.4.4.1[4.4.4.1]:25: Connection timed out
Jul  8 19:02:38 localhost postfix/smtp[106112]: C9C5E4A99A: to=, relay=none, delay=30, delays=0.07/0.01/30/0, dsn=4.4.1, status=deferred (connect to 4.4.4.1[4.4.4.1]:25: Connection timed out)



Best regards,
Josef



Re: Why does smtp ignore trivial-rewrite's next hop, replacing it with main.cf's relayhost or DNS-MX-resolution?

2022-07-08 Thread Viktor Dukhovni
On Fri, Jul 08, 2022 at 09:08:28PM +0200, Postfix-jtroendle wrote:

> submission/inet/rewrite_service_name = submission-rewrite

Your mistake is believing that the trivial rewrite service setting in
smtpd(8) can determine message routing.  This is not the case.  This
only determines the address class for access control.

Actual routing decisions are made by qmgr(8) when it contacts the
default rewrite service.  Whatever you're trying to do with
"rewrite_service_name" is too clever, and either can be done more
simply within a single Postfix instance, or requires a separate
Postfix instance for submission, in which there's a dedicated
qmgr(8) that uses the custom transport table.



> Jul  8 19:02:04 localhost postfix/submission/smtpd[106104]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled

You should change local_recipient_maps or whatever default setting
that is trying to do "nis".

On Fri, Jul 08, 2022 at 04:26:04PM +0200, Postfix-jtroendle wrote:

> Jul  8 10:29:19 localhost postfix/submission-rewrite/trivial-rewrite[103626]: maps_find: address_verify_transport_maps: hash:/etc/postfix/transport_to_exo_domains(0,lock|no_regsub|fold_fix|utf8_request): * = relay:[1.1.1.3]

This is not a routing decision, see above.  So it is not surprising
that it does not do what you thought it does.  Routing decisions
are made by the queue manager each time a message enters the active
queue, and not preselected at message ingestion.

-- 
Viktor.
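As an added example that is not part of this thread and not Postfix code, the following Python script models the two points made above: Wietse's, that the SMTP client takes a bracketed next hop literally and sends a bare name to DNS, and Viktor's, that routing comes from the default rewrite service qmgr(8) asks, so routing parameters placed on a service reached only through an smtpd(8) rewrite_service_name override are never consulted. It parses postconf-style output on a constructed sample shaped after Josef's "postconf -n" and "postconf -P" listings; the routing model is deliberately simplified (table contents are not looked up), and the function names and the ROUTING_PARAMS set are assumptions of this example.

```python
"""Who decides a Postfix message's next hop: a small model of the thread's point.

Added example, not Postfix code. It (1) flags routing parameters that sit on a
custom trivial-rewrite service named via an smtpd(8) rewrite_service_name
override, which qmgr(8) never consults, and (2) shows the next hop the default
rewrite service hands to qmgr, classified the way the SMTP client treats it.
"""
import re

# Constructed sample in the shape of "postconf -n" (main.cf) output.
POSTCONF_N = """\
mydomain = mydomain.com
relayhost = [4.4.4.1]
"""

# Constructed sample in the shape of "postconf -P" (master.cf overrides) output.
POSTCONF_P = """\
submission/inet/rewrite_service_name = submission-rewrite
submission-rewrite/unix/transport_maps = hash:/etc/postfix/transport_to_exo_domains
submission-rewrite/unix/sender_dependent_relayhost_maps = hash:/etc/postfix/transport_to_senders_relay
2525/inet/rewrite_service_name = from-relay-rewrite
from-relay-rewrite/unix/relayhost = [mydomain-com02b.mail.protection.outlook.com]
"""

# Assumed set of parameters that steer routing, but only when the *default*
# rewrite service (the one qmgr talks to) sees them.
ROUTING_PARAMS = {
    "relayhost", "transport_maps", "sender_dependent_relayhost_maps",
    "default_transport", "sender_dependent_default_transport_maps",
}


def parse_main(text):
    """'name = value' lines -> dict (value may be empty)."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            out[name.strip()] = value.strip()
    return out


def parse_overrides(text):
    """'service/type/name = value' lines -> {'service/type': {name: value}}."""
    out = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        service, name = key.strip().rsplit("/", 1)
        out.setdefault(service, {})[name] = value.strip()
    return out


def ineffective_routing_overrides(overrides):
    """Routing parameters on a custom rewrite service reached only via
    rewrite_service_name. smtpd's rewrite_service_name only affects address
    classes for access control; qmgr asks the default 'rewrite' service for
    routing, so these settings never route anything."""
    findings = []
    for service, params in overrides.items():
        custom = params.get("rewrite_service_name")
        if not custom or custom == "rewrite":
            continue
        for other, oparams in overrides.items():
            if other.split("/")[0] != custom:
                continue
            for name in sorted(oparams):
                if name in ROUTING_PARAMS:
                    findings.append(f"{service}: {other}/{name} is never consulted by qmgr")
    return findings


def default_service_nexthop(main, recipient_domain):
    """Simplified view of what the default rewrite service hands to qmgr.
    Table contents are not modelled: if a routing table is configured in
    main.cf the answer depends on a lookup; otherwise relayhost wins, and
    without a relayhost the recipient domain itself is the next hop."""
    for name in ("transport_maps", "sender_dependent_relayhost_maps"):
        if main.get(name):
            return f"lookup:{main[name]}"
    return main.get("relayhost") or recipient_domain


NEXTHOP_RE = re.compile(
    r"^(?:\[(?P<literal>[^\]]+)\]|(?P<name>[^\[\]:]+))(?::(?P<port>[A-Za-z0-9]+))?$"
)


def classify_nexthop(nexthop):
    """Brackets turn off MX lookups: the SMTP client connects to the literal
    host. An unbracketed name is resolved via DNS (per smtp_host_lookup)."""
    m = NEXTHOP_RE.match(nexthop.strip())
    if not m:
        raise ValueError(f"unrecognised nexthop syntax: {nexthop!r}")
    literal = m.group("literal")
    return {"host": literal or m.group("name"),
            "port": m.group("port"),
            "mx_lookup": literal is None}


def analyse(postconf_n=POSTCONF_N, postconf_p=POSTCONF_P, recipient_domain="mydomain.com"):
    main = parse_main(postconf_n)
    nexthop = default_service_nexthop(main, recipient_domain)
    delivery = None if nexthop.startswith("lookup:") else classify_nexthop(nexthop)
    return {"ineffective": ineffective_routing_overrides(parse_overrides(postconf_p)),
            "nexthop": nexthop, "delivery": delivery}


if __name__ == "__main__":
    report = analyse()
    for finding in report["ineffective"]:
        print("warning:", finding)
    print("qmgr next hop:", report["nexthop"], "->", report["delivery"])
```

On the sample, the script reports three ineffective overrides (the two tables on submission-rewrite and the relayhost on from-relay-rewrite) and a qmgr next hop of [4.4.4.1] with MX lookups off, which is exactly the "connect to 4.4.4.1[4.4.4.1]:25" the log shows.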


Re: Why does smtp ignore trivial-rewrite's next hop, replacing it with main.cf's relayhost or DNS-MX-resolution?

2022-07-12 Thread Postfix-jtroendle

On 08.07.2022 at 21:35, Viktor Dukhovni wrote:

> On Fri, Jul 08, 2022 at 09:08:28PM +0200, Postfix-jtroendle wrote:
>
>> submission/inet/rewrite_service_name = submission-rewrite
>
> Your mistake is believing that the trivial rewrite service setting in
> smtpd(8) can determine message routing.  This is not the case.  This
> only determines the address class for access control.
>
> Actual routing decisions are made by qmgr(8) when it contacts the
> default rewrite service.  Whatever you're trying to do with
> "rewrite_service_name" is too clever, and either can be done more
> simply within a single Postfix instance, or requires a separate
> Postfix instance for submission, in which there's a dedicated
> qmgr(8) that uses the custom transport table.


Thank you very much for your explanation, Viktor. I followed your second
recommendation and set up a multi-instance setup that works perfectly now.




>> Jul  8 19:02:04 localhost postfix/submission/smtpd[106104]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
>
> You should change local_recipient_maps or whatever default setting
> that is trying to do "nis".


It was alias_maps with its default value. Fixed.


Josef