
Re: Virtual domains

  • Sahil Tandon
    Message 1 of 18 , Jun 1, 2010
      On Tue, 01 Jun 2010, curtis@... wrote:

      > > On Tue, 01 Jun 2010, curtis@... wrote:
      > >
      > > [ .. ]
      > >
      > >> At Victor's urging, this afternoon, I enabled the
      > >> relay_recipient_maps and that solved the rejecting unknown before
      > >> the handoff to the amavisd-new, but broke the domains that I need
      > >> to forward all mail for.
      > >
      > > Explain what you mean by 'broke', and make sure to include related log
      > > excerpts. Please also include the output of 'postconf -n' in your next
      > > response.
      > >
      > What I meant was that the system started rejecting unknown recipients
      > (that's good.) however all mail that all I do is filter and relay started
      > getting rejected as unknown recipients (that's bad.)
      >
      > postconf -n follows.

      At first glance, I notice you redefine several parameters to their
      default value. Why? I'll point out just a few of them below.

      > access_map_reject_code = 554

      This is default.

      > bounce_queue_lifetime = 0

      Are you sure about this?

      > defer_code = 550

      Why?

      > local_recipient_maps = mysql:/etc/postfix/sql-recipients.cf
      > local_transport = no local mail delivery

      Hm?

      > mail_owner = postfix

      Again, default.

      > relay_recipient_maps =

      Why is this empty? As per ADDRESS_CLASS_README: "If this parameter
      value is empty, the Postfix SMTP server accepts all recipients for
      domains listed with the relay_domains parameter."

      --
      Sahil Tandon <sahil@...>
    • curtis@maurand.com
      Message 2 of 18 , Jun 2, 2010
        > On Tue, 01 Jun 2010, curtis@... wrote:
        >

        >> postconf -n follows.
        >
        > At first glance, I notice you redefine several parameters to their
        > default value. Why? I'll point out just a few of them below.
        >
        >> access_map_reject_code = 554
        >
        > This is default.
        >
        >> bounce_queue_lifetime = 0
        >
        > Are you sure about this?

        Probably not a good idea, but I was stabbing at things without really
        understanding them. I was working from readme's and examples. The postfix
        book that I have is good, but incomplete when it comes to virtual domains
        and wasn't any help in what I wanted to do. I'll look at the
        bounce_queue_lifetime and set it to something appropriate.
        >
        >> defer_code = 550
        >
        > Why?
        Why not? I'll look more at the docs.
        >
        >> local_recipient_maps = mysql:/etc/postfix/sql-recipients.cf
        >> local_transport = no local mail delivery
        >
        > Hm?
        >
        >> mail_owner = postfix

        Again, I was stabbing at things, here trying to get the system to reject
        where it wasn't rejecting. The fact is there is no local transport.
        There are no local accounts. Everything is handled by dbmail. I will set
        that up, it's simple enough. Thanks for pointing that out.

        >
        > Again, default.
        >
        >> relay_recipient_maps =
        >
        > Why is this empty? As per ADDRESS_CLASS_README: "If this parameter
        > value is empty, the Postfix SMTP server accepts all recipients for
        > domains listed with the relay_domains parameter."

        Well, when I filled this in, that's when it broke things the mail relay.
        >
        > --
        > Sahil Tandon <sahil@...>
        >
        Sahil, thank you for your help. As near as I can tell, what I need to do
        is set up two areas.

        for hosted domains:
        virtual_mailbox_domains
        virtual_mailbox_maps
        virtual_transport

        for relay domains:
        relay_domains
        relay_transport
        relay_recipient_maps

        correct?
      • Charles Marcus
        Message 3 of 18 , Jun 2, 2010
          On 2010-06-02 8:21 AM, curtis@... wrote:
          > Probably not a good idea, but I was stabbing at things without
          > really understanding them. I was working from readme's and examples.
          > The postfix book that I have is good, but incomplete when it comes to
          > virtual domains and wasn't any help in what I wanted to do. I'll
          > look at the bounce_queue_lifetime and set it to something
          > appropriate.

          The general rule is, use the default setting unless you fully understand
          what it does and why you need to change it.

          In other words, only change the bare minimum to get your install working
          properly, then as you understand different aspects (especially for UCE
          control), slowly start introducing changes, but again, only when you
          understand what it is you are changing and why.

          --

          Best regards,

          Charles
        • /dev/rob0
          Message 4 of 18 , Jun 2, 2010
            On Tue, Jun 01, 2010 at 08:48:27PM -0400, curtis@... wrote:
            > I have several domains that I have non-unix mailboxes (they are
            > stored by sql using an alternative lmtp daemon after running them
            > through amavisd-new. This works under the current configuration,
            > but I'm not bouncing anything until after it goes through
            > amavisd-new and I'd like to reject incoming mail for unknown
            > recipients before being sent to amavisd-new. amavisd-new is a
            > massive resource hog and the less that I have to send to it for
            > processing, the better.
            >
            > I have a couple of domains that I need to forward all mail since
            > they are sent to an exchange server.

            No, don't do that. This will cause you to be a backscatter spammer.
            There's no valid business model for that. They're surely not paying
            you enough to cover the costs of being treated like a spammer!

            > There's a proxy thing that I
            > can do to check those, but that's another topic.

            It's trivial[1], and it's a FAQ on this list. The answer is to use
            reject_unverified_recipient for those domains.

            > For now suffice it to say that for these few domains, I need to
            > filter and forward all mail destined for them.

            Spam is wrong, however valid you might think your reasons are.

            > I've been using the transport maps to accomplish the handoff to the
            > lmtp server. I was using the local_recipient_maps for the mailbox
            > checking, but the system is not recognizing those users as local.
            >
            > At Victor's urging, this afternoon, I enabled the
            > relay_recipient_maps and that solved the rejecting unknown before
            > the handoff to the amavisd-new, but broke the domains that I need
            > to forward all mail for.

            You'll want a wildcard, catchall entry for those domains. You will
            find an example of this at postconf.5.html#relay_recipient_maps .

            > From all the reading that I've done, it looks to me like I need
            > some sort of hybrid system.
            >
            > The virtual How-To is confusing and I don't see any clear examples
            > of what I'm looking to do.

            Perhaps because what you're wanting is partly beyond the scope of
            VIRTUAL_README.

            > It looks like I need to do the relay_domains and the transports
            > thing for the domains that need to be forwarded.

            Right, typically transport_maps are needed for relay_domains. See
            http://www.postfix.org/ADDRESS_CLASS_README.html#relay_domain_class
            for the explanation. You do NOT need to tinker with the default
            relay_transport, but you probably DO need to use transport_maps to
            override the nexthop that DNS would tell you[2].

            > It also looks like I need to use the virtual_mailbox_domains,
            > virtual_mailbox_maps, but I don't see how to get from there, to the
            > alternate lmtp. Everything I've read says that it all goes to local
            > unix accounts and that's not what I need.

            Typically dbmail-served domains should be in virtual_mailbox_domains
            and the user query in virtual_mailbox_maps, yes. You can mangle the
            local address class to do this, just as you can force a square peg
            into a round hole. It won't fit quite right. I don't know what dbmail
            documentation shows, but you're better off doing it the right way for
            Postfix.

            > Can anyone point me in the right direction in the docs that explain
            > how to do this or a couple of examples?

            Read over the aforementioned ADDRESS_CLASS_README.


            [1] I hate to use the word, "trivial," because nothing in email
            administration is ever trivial. Misunderstandings of how mail
            works lead to bad management decisions, too. Suffice to say
            that if the basic understanding of Postfix and email is good,
            this solution is pretty easy.
            [2] Another option, besides transport_maps, would be a special DNS
            view with a different MX value for the domain in question. If
            this does not make sense to you, disregard it for now, but it
            might make sense later.
            --
            Offlist mail to this address is discarded unless
            "/dev/rob0" or "not-spam" is in Subject: header
          • Victor Duchovni
            Message 5 of 18 , Jun 2, 2010
              On Wed, Jun 02, 2010 at 08:21:03AM -0400, curtis@... wrote:

              > >> defer_code = 550
              > >
              > > Why?
              >
              > Why not? I'll look more at the docs.

              Because it is an incredibly bad idea. Transient errors need to
              generate *transient* (4XX) error response codes. Setting the
              defer_code to 5XX is about as misguided as it gets.

              --
              Viktor.
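
As an added example (not part of any post in this thread, and not Postfix project code), the short Python audit below checks `postconf -n` output for the settings questioned in the messages above: parameters restated at their default, a non-4XX `defer_code`, `bounce_queue_lifetime = 0`, and an empty `relay_recipient_maps` with no `reject_unverified_recipient`. The sample input is constructed from parameters quoted in the thread, and the function names are hypothetical.

```python
# Added example: audit `postconf -n` output for settings questioned in this thread.
# Defaults listed here are only the two the thread itself identifies as defaults.
PAGE_DEFAULTS = {"access_map_reject_code": "554", "mail_owner": "postfix"}

# Constructed sample, assembled from parameters quoted in the thread.
SAMPLE = """\
access_map_reject_code = 554
bounce_queue_lifetime = 0
defer_code = 550
mail_owner = postfix
relay_domains = cdb:/etc/postfix/transport
relay_recipient_maps =
smtpd_recipient_restrictions = reject_unauth_destination, reject_unlisted_recipient
"""

def parse_postconf(text):
    """Parse 'name = value' lines; an empty value is kept as ''."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            params[name.strip()] = value.strip()
    return params

def audit(params):
    """Return a sorted list of (parameter, finding) tuples."""
    findings = []
    for name, default in PAGE_DEFAULTS.items():
        if params.get(name) == default:
            findings.append((name, "redundant: restates the default"))
    code = params.get("defer_code")
    if code is not None and not code.startswith("4"):
        findings.append(("defer_code", "transient errors must return 4XX"))
    if params.get("bounce_queue_lifetime") == "0":
        findings.append(("bounce_queue_lifetime", "0 means a single delivery attempt"))
    # Collect every restriction name from the smtpd_*_restrictions lists.
    restrictions = set()
    for name, value in params.items():
        if name.startswith("smtpd_") and name.endswith("_restrictions"):
            restrictions.update(value.replace(",", " ").split())
    # Limitation: reject_unverified_recipient returned by an access map
    # (check_recipient_access) is not visible in postconf output.
    if (params.get("relay_domains") and not params.get("relay_recipient_maps")
            and "reject_unverified_recipient" not in restrictions):
        findings.append(("relay_recipient_maps",
                         "empty: every recipient in relay_domains is accepted"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(parse_postconf(SAMPLE)):
        print(f"{name}: {finding}")
```

Feed it real data with `postconf -n` piped to a file and read into `parse_postconf`; a relay domain that is only listed implicitly (not set in main.cf) is not examined.
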
            • Curtis Maurand
              Message 6 of 18 , Jun 2, 2010
                On 6/2/2010 1:20 PM, Victor Duchovni wrote:
                > On Wed, Jun 02, 2010 at 08:21:03AM -0400, curtis@... wrote:
                >
                > > >> defer_code = 550
                > > >
                > > > Why?
                > >
                > > Why not?  I'll look more at the docs.
                >
                > Because it is an incredibly bad idea. Transient errors need to
                > generate *transient* (4XX) error response codes. Setting the
                > defer_code to 5XX is about as misguided as it gets.

                Point taken and it's fixed.

                I have things working the way they should be now.  amavisd-new is not working hard, but spamhaus is.  I have to look at harvesting addresses and setting up my own rbl, but that's a discussion for the pdns list.  :-)

                relay_domains = cdb:/etc/postfix/transport
                relay_domains_reject_code = 554
                relay_recipient_maps =
                smtpd_client_restrictions = permit_mynetworks, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client \ ix.dnsbl.manitu.net, permit
                smtpd_recipient_restrictions = reject_unauth_destination, reject_unlisted_recipient
                smtpd_sasl_auth_enable = yes
                transport_maps = cdb:/etc/postfix/transport, mysql:/etc/postfix/transport.cf
                unknown_local_recipient_reject_code = 550
                unverified_recipient_reject_code = 550
                unverified_sender_reject_code = 550
                virtual_mailbox_domains = mysql:/etc/postfix/virtual.cf
                virtual_mailbox_maps = mysql:/etc/postfix/sql-recipients.cf
                virtual_transport = mysql:/etc/postfix/transport.cf

                as of this minute

                42930 messages blocked by rbl zen.spamhaus.org

                416 messages quarantined by amavis

                666 messages blocked by amavis


                Thanks for all of your help,
                Curtis



              • Charles Marcus
                Message 7 of 18 , Jun 2, 2010
                  On 2010-06-02 4:15 PM, Curtis Maurand wrote:
                  > 666 messages blocked by amavis

                  Hopefully you aren't BOUNCING these ('rejecting' *after* you've accepted
                  them, which, once they get to amavisd-new, you've accepted them unless
                  you're using it in a pre-queue filter, which is resource intensive and
                  only practical on a low volume server).

                  --

                  Best regards,

                  Charles