Re: address verify vs. virtual_alias_maps
Any chance to get this answered? Wietse?
please at least tell me if my problem is:
A, known bug/problem of postfix, will be fixed (when?)
B, can be solved by proper configuration (some hint?)
C, feature request
btw I'm using postfix 2.4.1, but I didn't see such a problem/fix mentioned
in later changelogs. If it's fixed in 2.5, then I'll upgrade.
thanks a lot,
> > > We have a Postfix mail server, which does content filtering (spam, virus, etc.)
> > > for all of our mail servers, as a relay. I've enabled address verify
> > > (both sender and recipient) for all of our server domains. It's working fine.
> > >
> > > Now I've added
> > > virtual_alias_maps = hash:/etc/postfix/virtual, ldap:ldapforward, ldap:ldapvirtual
> > > which does address translation for many of our domains where the
> > > addresses are redirected to other addresses (users moved and have their
> > > old mail forwarded, and some users moved to an ms exchange server).
> > > The problem is that I don't want to do address verification for these
> > > foreign domains, where some of our addresses are forwarded/virtual_aliased.
> > > (there are some servers where address verify doesn't work)
> > >
> > > Is there any way to tell postfix which domains NOT to verify
> > > mail to? Adding it to check_recipient_access maps in
> > > smtpd_recipient_restrictions doesn't work, as it's used by smtpd only,
> > > and address verify ignores that when doing the address verify.
> > > Or any way to force verify to verify only mails to listed domains,
> > > and do this domain check _after_ resolving virtual_alias mappings?
> > >
> > > For example:
> > > smtpd receives a connection, with recipient arpi@....
> > > there is such a line in the check_recipient_access map:
> > > bmf.hu reject_unverified_recipient
> > > so it does address verify. it's ok.
> > > but this address is mapped to an external address in virtual_alias_maps:
> > > arpi@... arpi@...
> > > so the verify process connects to thot.banki.hu to verify this address.
> > > but I don't want it to connect to thot.banki.hu!
> > >
> > please show evidence (relevant logs).
> I don't really see why you need it, I think it's clear what's
> happening, the question is how to avoid it.
> but here it is:
> I sent a mail from root@... to arpi@...,
> which has virtual maps entry to arpi@...:
> virtual_alias_maps = hash:/etc/postfix/virtual, ldap:ldapforward,
> arpi@... arpi@...
> for the demonstration, I set the firewall to drop packets from the
> relay server to thot.banki.hu, so you can see the address verify fail.
> (normally there is no trace in logs of address verify, only if it fails)
> Nov 28 22:40:15 sendmail postfix/smtpd: connect from b
> Nov 28 22:40:15 sendmail postfix/smtpd: 5116C800EE: cl
> Nov 28 22:40:15 sendmail postfix/smtpd: 5116C800EE: reject: RCPT
> from bb-server.archeo.mta.hu[22.214.171.124]: 450 4.1.1 <arpi@...>:
> Recipient address rejected: unverified address: connect to 19
> 126.96.36.199[188.8.131.52]: Connection timed out; from=<roo
> t@...> to=<arpi@...> proto=ESMTP helo=<server.archeo.mta.hu>
> here is the mailq of the sender (server.archeo.mta.hu):
> -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
> 7D0CE170E0 288 Wed Nov 28 22:38:20 root@...
> (host sendmail.bmf.hu[184.108.40.206] said: 450 4.1.1 <arpi@...>:
> Recipient address rejected: unverified address: connect to
> 220.127.116.11[18.104.22.168]: Connection timed out (in reply to RCPT TO
> (22.214.171.124 is the IP of thot.banki.hu)
> > and while you are at it, show output of 'postconf -n'. is there a
> > transport entry for bmf.hu?
> yes, of course. (the relay server doesn't have local users)
> bmf.hu :[webmail.bmf.hu]
> > > if the address is listed in virtual_alias_maps, then it's an existing
> > > address (but at least an address I can assume is a working one)
> > > so no further checks needed!
> > >
> > > I hope the problem is clear now.
> > > any ideas?
> > >
> > > A'rpi
> > >
> > >