
293906 Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

  • Craig R. Skinner
    Jun 19, 2013
      On 2013-06-19 Wed 10:55 AM |, Stan Hoeppner wrote:
      >
      > I'm anything but an expert in this particular area of Postfix, but I
      > think the problem is that Craig is trying to use virtual_alias_maps when
      > he should probably just be using the local aliases file. His Postfix
      > hosts a single mail domain IIUC.

      To start with at least.

      > He's simply wanting to create alias
      > addresses presented to the public for each local UNIX mailbox address.

      Correct.

      > Additionally he wants to reject any inbound mail destined for the actual
      > local UNIX addresses, as well as system/role accounts.

      Correct again.

      > These last two are straightforward. For the first:
      >
      > /etc/postfix/reject-local-system
      >
      > jb4356@... reject Unknown User
      > jb8921@... reject Unknown User
      > sshd@... reject Unknown User
      > named@... reject Unknown User
      > dovecot@... reject Unknown User
      > squid@... reject Unknown User
      > postfix@... reject Unknown User
      >
      > and use
      >
      > smtpd_recipient_restrictions
      > ...
      > check_recipient_access hash:/etc/postfix/reject-local-system
      > ...


      $ for account in $(cut -d: -f1 /etc/passwd | grep -v master$); \
      do \
      print "${account}@... reject Unknown User" >> \
      /etc/postfix/reject-local-system.map; \
      done

      $ postmap ....

      $ postmap -q sshd@... reject-local-system.map
      reject Unknown User

      main.cf:
      smtpd_recipient_restrictions =
      reject_non_fqdn_hostname
      reject_invalid_hostname
      reject_non_fqdn_sender
      ....
      ...
      ...
      check_recipient_access btree:$config_directory/reject-local-system.map
      ...
      ..


      >
      > To satisfy the second:
      >
      > jb4356@... --> reject as unknown
      > jb8921@... --> reject as unknown
      >
      > Simply do not put "$myhostname, localhost.$mydomain" in mydestination,
      > assuming $myhostname is an FQDN equal to "serverX.example.com". In fact
      > there's likely no need to have anything in mydestination other than your
      > domain name.
      >

      main.cf:
      mydestination = $mydomain
      # no virtual_alias_* stuff



      restart postfix and then .... system accounts are still getting mail;-

      $ uptime | sendmail postfix@...
      Jun 19 19:12:16 server1 postfix/pickup[2654]: 0776A6753: uid=1097 from=<user1>
      Jun 19 19:12:16 server1 postfix/cleanup[8207]: 0776A6753: message-id=<20130619181216.0776A6753@...>
      Jun 19 19:12:16 server1 postfix/qmgr[8538]: 0776A6753: from=<user.name@...>, size=344, nrcpt=1 (queue active)
      Jun 19 19:12:16 server1 dovecot: lmtp(9851): Connect from local
      Jun 19 19:12:16 server1 dovecot: lmtp(9851, postfix): Error: user
      _postfix: Initialization failed: Namespace '': mkdir(/var/mail/postfix) failed: Permission denied (euid=507(postfix) egid=507(postfix) missing +w perm: /var/mail, dir owned by 0:0 mode=0755)
      Jun 19 19:12:16 server1 dovecot: lmtp(9851): Disconnect from local: Client quit (in reset)


      $ uptime | sendmail user1@...
      Jun 19 19:12:33 server1 postfix/pickup[2654]: C90DB6765: uid=1097 from=<user1>
      Jun 19 19:12:33 server1 postfix/cleanup[8207]: C90DB6765: message-id=<20130619181233.C90DB6765@...>
      Jun 19 19:12:33 server1 postfix/qmgr[8538]: C90DB6765: from=<user.name@...>, size=344, nrcpt=1 (queue active)
      Jun 19 19:12:33 server1 dovecot: lmtp(9851): Connect from local
      Jun 19 19:12:33 server1 dovecot: lmtp(9851, user1): w9hyI0r0wVF7JgAANm01jw: sieve: msgid=<20130619181233.C90DB6765@...>: stored mail into mailbox 'INBOX'


      My next thought is to remove /etc/passwd from:
      local_recipient_maps = proxy:unix:passwd.byname $alias_maps

      Ideas?
      --
      Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
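
Added example, not part of the original post: the log excerpts above show the test messages entering through postfix/pickup (the sendmail command), whereas smtpd_recipient_restrictions are evaluated only by smtpd(8). The script below classifies log lines by entry point to show which messages a check_recipient_access rule could have seen; the sample log, example.test and 192.0.2.10 are constructed, and short hexadecimal queue IDs are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Mail handed to the sendmail command
# enters through pickup(8) and never reaches smtpd(8), so it is never
# compared against check_recipient_access.

# Constructed sample log; example.test and 192.0.2.10 are placeholders.
sample_log() {
cat <<'EOF'
Jun 19 19:12:16 server1 postfix/pickup[2654]: 0776A6753: uid=1097 from=<user1>
Jun 19 19:12:16 server1 postfix/qmgr[8538]: 0776A6753: from=<user.name@example.test>, size=344, nrcpt=1 (queue active)
Jun 19 19:20:01 server1 postfix/smtpd[9001]: connect from client.example.test[192.0.2.10]
Jun 19 19:20:02 server1 postfix/smtpd[9001]: NOQUEUE: reject: RCPT from client.example.test[192.0.2.10]: 554 5.7.1 <sshd@example.test>: Recipient address rejected: Unknown User; from=<a@example.test> to=<sshd@example.test> proto=ESMTP helo=<client.example.test>
Jun 19 19:20:05 server1 postfix/smtpd[9001]: 3F2A91C04: client=client.example.test[192.0.2.10]
EOF
}

# Read syslog lines on stdin; print one line per message:
#   "<queue-id|NOQUEUE> <daemon> <unchecked|checked|rejected>"
restriction_coverage() {
    awk '
    match($0, /postfix\/(pickup|smtpd)\[[0-9]+\]: ([0-9A-F]+|NOQUEUE): /) {
        s = substr($0, RSTART, RLENGTH)      # "postfix/pickup[2654]: 0776A6753: "
        sub(/^postfix\//, "", s)
        daemon = s; sub(/\[.*/, "", daemon)  # "pickup" or "smtpd"
        qid = s; sub(/^[^ ]+ /, "", qid); sub(/: $/, "", qid)
        if (qid == "NOQUEUE") {
            # smtpd refused the recipient before a queue file was created
            if ($0 ~ /Recipient address rejected/) print qid, daemon, "rejected"
        } else if (daemon == "pickup") {
            # local submission: smtpd restrictions were never evaluated
            print qid, daemon, "unchecked"
        } else if ($0 ~ /: client=/) {
            # accepted over SMTP: the restrictions ran and permitted it
            print qid, daemon, "checked"
        }
    }'
}

sample_log | restriction_coverage
```

To run it against a real log, replace `sample_log` with the mail log file as input to `restriction_coverage`.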