
Re: Trouble configuring backup MX to reject unauth destination

  • Titanus Eramius
    Message 1 of 28, Feb 16, 2013
      On Sat, 09 Feb 2013 10:25:31 -0600, Noel Jones
      <njones@...> wrote:

      ...

      > Nothing wrong with this setup. It's very easy to configure,
      > requires no third-party software or additional packages, and it's
      > easy to understand where your mail goes. I expect that's why it's
      > used as an example on the spamassassin wiki, and doesn't necessarily
      > mean it's the recommended or preferred method.
      >
      > It's not necessarily the highest performance or the most flexible,
      > but if it suits your needs, no need to change.
      >
      > Folks who need more usually pick some third-party filtering software
      > that can run pre-queue as an smtpd_proxy_filter or milter. These
      > are, without exception, more complicated than the setup you
      > currently have. The big advantage of a pre-queue filter is you can
      > safely REJECT unwanted mail.
      >
      > Amavisd-new is a popular choice for pre-queue filtering since it's
      > fast, reliable, flexible, and can integrate both SpamAssassin and
      > antivirus.
      >
      >
      > -- Noel Jones

      Sorry for the late response, it took some time to dig through all the
      information. The use of pre-queue filtering would solve another problem
      I've been working on: What to do with mail from (user)blacklisted
      senders.

      I plan on upgrading Debian's stable Postfix to the current stable
      version of 2.10 so I may benefit from postscreen, and that will
      probably be a good time to install amavisd-new as a pre-queue filter.

      Thank you for the help once again.
    • DTNX Postmaster
      Message 2 of 28, Feb 16, 2013
        On Feb 16, 2013, at 12:18, Titanus Eramius <titanus@...> wrote:

        > I plan on upgrading Debian's stable Postfix to the current stable
        > version of 2.10 so I may benefit from postscreen, and that will
        > probably be a good time to install amavisd-new as a pre-queue filter.
        >
        > Thank you for the help once again.

        A possible shortcut to getting postscreen is using the 2.9.3 version
        available in the Debian backports repository. That's what we currently
        use, instead of building custom packages.

        HTH,
        Jona
      • Titanus Eramius
        Message 3 of 28, Feb 16, 2013
          On Sat, 16 Feb 2013 12:39:24 +0100, DTNX Postmaster
          <postmaster@...> wrote:

          > On Feb 16, 2013, at 12:18, Titanus Eramius <titanus@...> wrote:
          >
          > > I plan on upgrading Debian's stable Postfix to the current stable
          > > version of 2.10 so I may benefit from postscreen, and that will
          > > probably be a good time to install amavisd-new as a pre-queue
          > > filter.
          > >
          > > Thank you for the help once again.
          >
          > A possible shortcut to getting postscreen is using the 2.9.3 version
          > available in the Debian backports repository. That's what we
          > currently use, instead of building custom packages.
          >
          > HTH,
          > Jona
          >

          Thank you for pointing the obvious out.
          I don't know why I didn't think of backports, but I will surely be
          using 2.9.3 from there instead of building from source.
        • Titanus Eramius
          Message 4 of 28, Feb 19, 2013
            Thinking about this, I might have been too specific in my question.

            At the fundamental level I would like to have 2 or more Postfix servers
            capable of receiving virtual mail for multiple domains, where one of
            the servers also handles relaying and local delivery. The rest should
            function as backup MX.

            I've tried with relay_domains, but it matches on domain-level which is
            too much. I then applied relay_recipient_maps, but it doesn't seem to
            have any effect, which means that addresses are still matched on a
            domain basis.

            Every Postfix will have access to a complete list of recipients
            through MySQL.

            So the question becomes two-part:
            Why can't I get relay_recipient_maps to work?

            How would you recommend setting up a backup MX?
            One obvious way is not to do it, but some of the mail is not mine,
            which is why I at least would like the option to run a backup MX.
          • Viktor Dukhovni
            Message 5 of 28, Feb 19, 2013
              On Tue, Feb 19, 2013 at 12:21:35PM +0100, Titanus Eramius wrote:

              > I've tried with relay_domains, but it matches on domain-level which is
              > too much. I then applied relay_recipient_maps, but it doesn't seem to
              > have any effect, which means that addresses are still matched on a
              > domain basis.
              >
              > Every Postfix will have access to a complete list of recipients
              > through MySQL.
              >
              > So the question becomes two-part:
              > Why can't I get relay_recipient_maps to work?

              http://www.postfix.org/DEBUG_README.html#mail
              http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

              Wildcard entries in canonical_maps and virtual_alias_maps are the
              most common reason for recipient validation failing to distinguish
              between valid and invalid recipients.

              --
              Viktor.
            • Titanus Eramius
              Message 6 of 28, Mar 22, 2013
                On Tue, 19 Feb 2013 16:31:05 +0000, Viktor Dukhovni
                <postfix-users@...> wrote:

                > On Tue, Feb 19, 2013 at 12:21:35PM +0100, Titanus Eramius wrote:
                >
                > > I've tried with relay_domains, but it matches on domain-level which
                > > is too much. I then applied relay_recipient_maps, but it doesn't seem
                > > to have any effect, which means that addresses are still matched on
                > > a domain basis.
                > >
                > > Every Postfix will have access to a complete list of recipients
                > > through MySQL.
                > >
                > > So the question becomes two-part:
                > > Why can't I get relay_recipient_maps to work?
                >
                > http://www.postfix.org/DEBUG_README.html#mail
                > http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
                >
                > Wildcard entries in canonical_maps and virtual_alias_maps are the
                > most common reason for recipient validation failing to distinguish
                > between valid and invalid recipients.
                >

                Thank you for the response and sorry for the slow reply.

                The problem seems to be related with the virtual setup, but I'm not
                sure how to best describe and document it.

                Besides aptget.dk this server also hosts cogky.dk (among others), and
                while unknown recipients are being correctly rejected with a 550 when
                sent to aptget.dk, they are not when sent to the other virtual domains.
                Instead they are accepted and then returned by the MAILER_DAEMON, which
                in turn opens the server to backscatter.

                I have tried setting "local_recipient_maps = $virtual_mailbox_maps"
                in main.cf, but without any apparent effect. To be honest, I'm unsure if
                I have set "virtual_mailbox_maps" correctly, but when testing it with
                postalias it seems to work:
                titanus@aptget:/etc/postfix$ sudo postalias -q titanus@... mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                aptget.dk/titanus/

                When I test mysql_virtual_mailbox_maps.cf with a non-existent address,
                nothing is returned and the exit status is 1.

                What I would like to achieve, is that Postfix rejects mail to
                non-existent recipients before accepting mail.

                Thanks again, Titanus


                postconf -n
                alias_maps = hash:/etc/aliases
                bounce_template_file = /etc/postfix/bounce.cf
                broken_sasl_auth_clients = yes
                config_directory = /etc/postfix
                delay_warning_time = 4
                disable_vrfy_command = yes
                dovecot_destination_recipient_limit = 1
                inet_interfaces = 46.21.105.38
                local_recipient_maps = $virtual_mailbox_maps
                mailman_destination_recipient_limit = 1
                maximal_queue_lifetime = 15
                message_size_limit = 26214400
                mydestination = localhost
                mydomain = aptget.dk
                myhostname = aptget.aptget.dk
                mynetworks = 127.0.0.0/8
                postscreen_dnsbl_action = enforce
                postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1 zen.spamhaus.org*1 bl.spamcop.net*1
                postscreen_dnsbl_threshold = 2
                postscreen_greet_action = enforce
                recipient_canonical_classes = envelope_recipient
                recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
                sender_canonical_classes = envelope_sender
                sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
                smtp_tls_security_level = may
                smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
                smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,
                smtpd_helo_required = yes
                smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination,
                smtpd_sasl_auth_enable = yes
                smtpd_sasl_exceptions_networks = $mynetworks
                smtpd_sasl_path = private/auth
                smtpd_sasl_security_options = noanonymous
                smtpd_sasl_type = dovecot
                smtpd_tls_ask_ccert = yes
                smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
                smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
                smtpd_tls_loglevel = 1
                smtpd_tls_received_header = yes
                smtpd_tls_security_level = may
                smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
                spamassassin_destination_recipient_limit = 1
                tls_random_source = dev:/dev/urandom
                transport_maps = hash:/etc/postfix/transport.cf
                virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                virtual_gid_maps = static:5000
                virtual_mailbox_base = /home/vmail
                virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                virtual_transport = dovecot
                virtual_uid_maps = static:5000
              • Wietse Venema
                Message 7 of 28, Mar 22, 2013
                  Titanus Eramius:
                  > Besides aptget.dk this server also hosts cogky.dk (among others), and
                  > while unknown recipients are being correctly rejected with a 550 when
                  > sent to aptget.dk, they are not when sent to the other virtual domains.
                  > Instead they are accepted and then returned by the MAILER_DAEMON, which
                  > in turn opens the server to backscatter.

                  Where is cogky.dk defined: mydestination, virtual_alias_domains,
                  virtual_mailbox_domains, relay_domains? It must be only one.

                  This answer determines where the "known" recipients must be listed:
                  local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
                  relay_recipients. If you list the domain or recipients in the wrong
                  place then mail will be rejected.

                  See http://www.postfix.org/ADDRESS_CLASS_README.html

                  Wietse
                • Titanus Eramius
                  Message 8 of 28, Mar 22, 2013
                    On Fri, 22 Mar 2013 16:55:21 -0400 (EDT), Wietse Venema
                    <wietse@...> wrote:

                    > Titanus Eramius:
                    > > Besides aptget.dk this server also hosts cogky.dk (among others),
                    > > and while unknown recipients are being correctly rejected with a 550
                    > > when sent to aptget.dk, they are not when sent to the other virtual
                    > > domains. Instead they are accepted and then returned by the
                    > > MAILER_DAEMON, which in turn opens the server to backscatter.
                    >
                    > Where is cogky.dk defined: mydestination, virtual_alias_domains,
                    > virtual_mailbox_domains, relay_domains? It must be only one.
                    >
                    > This answer determines where the "known" recipients must be listed:
                    > local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
                    > relay_recipients. If you list the domain or recipients in the wrong
                    > place then mail will be rejected.
                    >
                    > See http://www.postfix.org/ADDRESS_CLASS_README.html
                    >
                    > Wietse

                    The goal is a "virtual only" mailserver, so the domains are stored
                    in MySQL and fetched through virtual_mailbox_domains. Besides
                    virtual_mailbox_domains, I use virtual_mailbox_maps and
                    virtual_alias_maps.

                    The documentation is among the best documentation I have seen, but I
                    can't seem to find the solution, even though I have read most of what I
                    could find in relation to virtual handling.

                    One more "clue" is the error messages when sending to non-existent
                    users. When sending to aptget.dk Postfix responds with
                    "550 5.1.1 <non_existent@...>: Recipient address rejected: User
                    unknown in virtual mailbox table".

                    When sending to cogky.dk the response is only "<non_existent@...>:
                    user unknown".

                    Thank you for your time, Titanus
                  • Wietse Venema
                    Message 9 of 28, Mar 22, 2013
                      Titanus Eramius:
                      > On Fri, 22 Mar 2013 16:55:21 -0400 (EDT), Wietse Venema wrote:
                      > > Where is cogky.dk defined: mydestination, virtual_alias_domains,
                      > > virtual_mailbox_domains, relay_domains? It must be only one.
                      > >
                      > > This answer determines where the "known" recipients must be listed:
                      > > local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
                      > > relay_recipients. If you list the domain or recipients in the wrong
                      > > place then mail will be rejected.
                      > >
                      > > See http://www.postfix.org/ADDRESS_CLASS_README.html
                      >
                      > The goal is a "virtual only" mailserver, so the domains are stored
                      > in MySQL and fetched through virtual_mailbox_domains. Besides
                      > virtual_mailbox_domains, I use virtual_mailbox_maps and
                      > virtual_alias_maps.

                      With the domain defined in virtual_mailbox_domains, mail will fail
                      with "user unknown in virtual mailbox table" when the recipient is
                      not found in virtual_mailbox_maps. This is described in agonizing
                      detail in ADDRESS_CLASS_README.

                      Test your lookups:

                      postmap -q cogky.dk the-virtual_mailbox_domains-table
                      This should return a result (the value does not matter).

                      postmap -q real-user@... the-virtual_mailbox_maps-table
                      This should return a result (the mailbox file name).

                      postmap -q bogus-user@... the-virtual_mailbox_maps-table
                      This should return no result (Postfix treats this as "user unknown
                      in virtual mailbox table").

                      Wietse
                    • mouss
                      Message 10 of 28, Mar 24, 2013
                        On 23/03/2013 00:02, Titanus Eramius wrote:
                        > [snip]
                        > The goal is a "virtual only" mailserver, so the domains are stored
                        > in MySQL and fetched through virtual_mailbox_domains. Besides
                        > virtual_mailbox_domains, I use virtual_mailbox_maps and
                        > virtual_alias_maps.
                        >
                        > The documentation is among the best documentation I have seen, but I
                        > can't seem to find the solution, even though I have read most of what I
                        > could find in relation to virtual handling.
                        >
                        > One more "clue" is the error messages when sending to non-existent
                        > users. When sending to aptget.dk Postfix responds with
                        > "550 5.1.1 <non_existent@...>: Recipient address rejected: User
                        > unknown in virtual mailbox table".
                        >
                        > When sending to cogky.dk the response is only "<non_existent@...>:
                        > user unknown".
                        >

                        one possible reason is that you configured a wildcard alias:
                        @... ==> @...
                        (that is anything to cogky maps to same address in aptget.dk).

                        if so, that's your problem. you need to configure mappings only for
                        existing users.
                        since you use mysql, this should be easy to do.
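Viktor's note on wildcard entries, Wietse's address-class rule (a domain sits in exactly one class, and its recipients must be listed in that class's table) and mouss's wildcard-alias suspicion all describe the same RCPT-time validation step. The following is an added example, not Postfix source and not something posted in the thread: a simplified Python model of that step. The two domains are the thread's; the mailbox entries, the `other.example` domain and the in-memory dicts standing in for the MySQL maps are constructed, and the model covers fewer cases than the real `smtpd` checks.

```python
"""Simplified model of Postfix recipient validation at RCPT TO time.

Added example for this thread, not Postfix source code. It models the rules
from ADDRESS_CLASS_README that Wietse and Viktor point to: a domain belongs
to exactly one address class, the recipient must then be listed in that
class's recipient table, and virtual_alias_maps is consulted first for every
class. Tables are plain dicts standing in for the MySQL maps (constructed
sample data); real Postfix lookups have more cases than shown here.
"""

# address class -> (recipient table parameter, wording used in the 550 reply)
CLASS_TABLE = {
    "mydestination":           ("local_recipient_maps", "local recipient table"),
    "virtual_alias_domains":   ("virtual_alias_maps",   "virtual alias table"),
    "virtual_mailbox_domains": ("virtual_mailbox_maps", "virtual mailbox table"),
    "relay_domains":           ("relay_recipient_maps", "relay recipient table"),
}


def lookup(table, address):
    """Search a table the way a Postfix address table is searched:
    the full address first, then the '@domain' wildcard form."""
    if address in table:
        return table[address]
    _, _, domain = address.rpartition("@")
    return table.get("@" + domain)


def classes_for(domain, classes):
    """Return every address class that lists the domain (should be one)."""
    return [name for name, domains in classes.items() if domain in domains]


def validate_recipient(address, classes, maps):
    """Return (accepted, smtp_reply) for one RCPT TO address."""
    _, _, domain = address.rpartition("@")
    found = classes_for(domain, classes)
    if not found:
        # Not one of our domains: reject_unauth_destination refuses to relay.
        return False, "554 5.7.1 <%s>: Relay access denied" % address
    if len(found) > 1:
        # Wietse: "It must be only one."
        return False, "misconfiguration: %s listed in %s" % (domain, ", ".join(found))
    # virtual_alias_maps is consulted first for every class. A '@domain'
    # wildcard entry here matches *every* user, which defeats validation:
    # the bogus recipient is accepted now and bounced later at delivery.
    if lookup(maps.get("virtual_alias_maps", {}), address) is not None:
        return True, "250 2.1.5 Ok (virtual alias)"
    table_param, wording = CLASS_TABLE[found[0]]
    if lookup(maps.get(table_param, {}), address) is None:
        return False, ("550 5.1.1 <%s>: Recipient address rejected: "
                       "User unknown in %s" % (address, wording))
    return True, "250 2.1.5 Ok"


def demo():
    """Constructed sample setup mirroring the thread: both domains in
    virtual_mailbox_domains, one mailbox entry per real user (not real data)."""
    classes = {"virtual_mailbox_domains": {"aptget.dk", "cogky.dk"}}
    maps = {
        "virtual_mailbox_maps": {
            "titanus@aptget.dk": "aptget.dk/titanus/",
            "real-user@cogky.dk": "cogky.dk/real-user/",
        },
        "virtual_alias_maps": {},
    }
    results = {
        "real": validate_recipient("real-user@cogky.dk", classes, maps),
        "bogus": validate_recipient("bogus-user@cogky.dk", classes, maps),
        "foreign": validate_recipient("someone@other.example", classes, maps),
    }
    # The wildcard alias mouss described: anything @cogky.dk -> @aptget.dk.
    maps["virtual_alias_maps"]["@cogky.dk"] = "@aptget.dk"
    results["bogus_with_wildcard"] = validate_recipient("bogus-user@cogky.dk", classes, maps)
    # The same domain listed in a second class at once.
    classes["relay_domains"] = {"cogky.dk"}
    results["double_listed"] = validate_recipient("real-user@cogky.dk", classes, maps)
    return results


if __name__ == "__main__":
    for name, (ok, reply) in demo().items():
        print("%-20s %s %s" % (name, "ACCEPT" if ok else "REJECT", reply))
```

The `bogus_with_wildcard` case is the one to compare against the thread: with the wildcard present, the bogus address passes `smtpd` and the "user unknown" can only surface later, from the delivery agent, which is exactly when a bounce (backscatter) is generated instead of a 550.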
                      • Titanus Eramius
                        Message 11 of 28, Mar 25, 2013
                          On Fri, 22 Mar 2013 19:12:40 -0400 (EDT), Wietse Venema
                          <wietse@...> wrote:

                          > Test your lookups:
                          >
                          > postmap -q cogky.dk the-virtual_mailbox_domains-table
                          > This should return a result (the value does not matter).

                          aptget:~# postalias -q cogky.dk mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
                          cogky.dk

                          > postmap -q real-user@... the-virtual_mailbox_maps-table
                          > This should return a result (the mailbox file name).

                          aptget:~# postalias -q real-user@... mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                          cogky.dk/real-user/

                          > postmap -q bogus-user@... the-virtual_mailbox_maps-table
                          > This should return no result (Postfix treats this as "user unknown
                          > in virtual mailbox table").

                          And this does not return a result. Bash gives an error status of 1.


                          On Sun, 24 Mar 2013 09:36:03 +0100, mouss <mouss@...> wrote:

                          > one possible reason is that you configured a wildcard alias:
                          > @... ==> @...
                          > (that is anything to cogky maps to same address in aptget.dk).

                          As far as I can see that should not be the case. All addresses and
                          aliases in the database have a left hand side to it. Is there a way to
                          test this?


                          I'm using Dovecot 2 as LDA for final delivery and IMAP-services, so
                          "virtual_transport" is set to "dovecot" in main.cf and the following
                          lines are in master.cf:

                          dovecot unix - n n - - pipe
                            flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}


                          When looking through the log, it looks like the "user unknown"
                          response comes from Dovecot and not Postfix:

                          Mar 25 13:43:53 aptget postfix/smtpd[24133]: connect from unknown[92.243.255.38]
                          Mar 25 13:43:54 aptget postfix/smtpd[24133]: Anonymous TLS connection established from unknown[92.243.255.38]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
                          Mar 25 13:43:54 aptget dovecot: auth-worker(24136): mysql(localhost): Connected to database postfix
                          Mar 25 13:43:54 aptget postfix/smtpd[24133]: BB6AD371DDC4: client=unknown[92.243.255.38], sasl_method=LOGIN, sasl_username=HIDDEN_USER@...
                          Mar 25 13:43:54 aptget postfix-policyd: connection from: 127.0.0.1 port: 48937 slots: 0 of 4096 used
                          Mar 25 13:43:54 aptget postfix-policyd: connecting to mysql database: localhost
                          Mar 25 13:43:54 aptget postfix-policyd: connected..
                          Mar 25 13:43:54 aptget postfix-policyd: rcpt=16, throttle=clear(a), host=92.243.255.38, from=titanus@..., to=unknown-user@..., size=365/26214400, quota=365/1800000000, count=1/125(10), rcpt=1/600(11), threshold=0%|0%|0%, sasl_username=HIDDEN_USER@...
                          Mar 25 13:43:54 aptget postfix/cleanup[24138]: BB6AD371DDC4: message-id=<20130325134351.5c2e026f@...>
                          Mar 25 13:43:54 aptget postfix/qmgr[23982]: BB6AD371DDC4: from=<titanus@...>, size=663, nrcpt=1 (queue active)
                          Mar 25 13:43:55 aptget postfix/pipe[24140]: BB6AD371DDC4: to=<unknown-user@...>, relay=dovecot, delay=0.38, delays=0.26/0.03/0/0.09, dsn=5.1.1, status=bounced (user unknown)
                          Mar 25 13:43:55 aptget postfix/cleanup[24138]: 16228371DE3E: message-id=<20130325124355.16228371DE3E@...>
                          Mar 25 13:43:55 aptget postfix/bounce[24142]: BB6AD371DDC4: sender non-delivery notification: 16228371DE3E
                          Mar 25 13:43:55 aptget postfix/qmgr[23982]: 16228371DE3E: from=<>, size=2673, nrcpt=1 (queue active)
                          Mar 25 13:43:55 aptget postfix/qmgr[23982]: BB6AD371DDC4: removed
                          Mar 25 13:43:55 aptget postfix/smtpd[24133]: disconnect from unknown[92.243.255.38]


                          Thank you again for helping
                          Titanus


                          postconf -n
                          alias_maps = hash:/etc/aliases
                          bounce_template_file = /etc/postfix/bounce.cf
                          broken_sasl_auth_clients = yes
                          config_directory = /etc/postfix
                          delay_warning_time = 4
                          disable_vrfy_command = yes
                          dovecot_destination_recipient_limit = 1
                          inet_interfaces = 46.21.105.38
                          local_recipient_maps = $virtual_mailbox_maps
                          mailman_destination_recipient_limit = 1
                          maximal_queue_lifetime = 15
                          message_size_limit = 26214400
                          mydestination = localhost
                          mydomain = aptget.dk
                          myhostname = aptget.aptget.dk
                          mynetworks = 127.0.0.0/8
                          postscreen_dnsbl_action = enforce
                          postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1 zen.spamhaus.org*1 bl.spamcop.net*1
                          postscreen_dnsbl_threshold = 2
                          postscreen_greet_action = enforce
                          recipient_canonical_classes = envelope_recipient
                          recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
                          sender_canonical_classes = envelope_sender
                          sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
                          smtp_tls_security_level = may
                          smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
                          smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,
                          smtpd_helo_required = yes
                          smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination,
                          smtpd_sasl_auth_enable = yes
                          smtpd_sasl_exceptions_networks = $mynetworks
                          smtpd_sasl_path = private/auth
                          smtpd_sasl_security_options = noanonymous
                          smtpd_sasl_type = dovecot
                          smtpd_tls_ask_ccert = yes
                          smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
                          smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
                          smtpd_tls_loglevel = 1
                          smtpd_tls_received_header = yes
                          smtpd_tls_security_level = may
                          smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
                          spamassassin_destination_recipient_limit = 1
                          tls_random_source = dev:/dev/urandom
                          transport_maps = hash:/etc/postfix/transport.cf
                          virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                          virtual_gid_maps = static:5000
                          virtual_mailbox_base = /home/vmail
                          virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                          virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                          virtual_transport = dovecot
                          virtual_uid_maps = static:5000
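The log in Titanus's message carries the decisive detail: the "user unknown" is logged by the pipe transport (relay=dovecot) after the message has already been queued, and Postfix then queues a non-delivery notification from <>, which is the backscatter itself. As an added example that is not part of the thread, here is a Python scan that flags exactly that sequence in a mail log and counts rejections done by `smtpd` at RCPT time (NOQUEUE: reject) as the correct outcome. The log lines embedded in it are constructed in the same format, with documentation addresses and made-up queue IDs, not the poster's log.

```python
"""Spot accept-then-bounce ("backscatter") events in Postfix logs.

Added example for this thread, not Postfix code. It scans mail.log lines for
messages that smtpd accepted from a client but that a delivery agent (here the
dovecot pipe transport) later bounced with "user unknown", and pairs each with
the non-delivery notification Postfix queued. That pattern means recipient
validation did not happen at RCPT time. Rejections made by smtpd itself
(NOQUEUE: reject) are counted separately as the correct outcome.
"""
import re
from collections import defaultdict

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,]+)")
DELIVERY_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),"
    r".*status=(?P<status>\w+) \((?P<reason>[^)]*)\)")
BOUNCE_RE = re.compile(
    r"postfix/bounce\[\d+\]: (?P<qid>[0-9A-F]+): sender non-delivery notification: (?P<ndr>[0-9A-F]+)")
SMTP_REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>[^:]+): (?P<reply>5\d\d [^;]*)")


def analyse(lines):
    """Return {'backscatter': [finding, ...], 'rejected_at_rcpt': count}."""
    clients, ndrs, deliveries = {}, {}, defaultdict(list)
    rejected = 0
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:                                   # message accepted and queued
            clients[m.group("qid")] = m.group("client")
            continue
        m = DELIVERY_RE.search(line)
        if m:                                   # delivery attempt by a transport
            deliveries[m.group("qid")].append(m.groupdict())
            continue
        m = BOUNCE_RE.search(line)
        if m:                                   # NDR queued for an accepted message
            ndrs[m.group("qid")] = m.group("ndr")
            continue
        if SMTP_REJECT_RE.search(line):         # refused at RCPT time: no bounce
            rejected += 1
    findings = []
    for qid, attempts in deliveries.items():
        for d in attempts:
            if d["status"] == "bounced" and "user unknown" in d["reason"].lower():
                findings.append({
                    "queue_id": qid,
                    "client": clients.get(qid, "unknown"),
                    "recipient": d["rcpt"],
                    "relay": d["relay"],               # who said "user unknown", too late
                    "bounce_queue_id": ndrs.get(qid),  # the backscatter message itself
                })
    return {"backscatter": findings, "rejected_at_rcpt": rejected}


# Constructed sample log (documentation IP 192.0.2.10, made-up queue IDs).
SAMPLE_LOG = """\
Mar 25 13:43:53 mx postfix/smtpd[24133]: connect from unknown[192.0.2.10]
Mar 25 13:43:54 mx postfix/smtpd[24133]: BB6AD371DDC4: client=unknown[192.0.2.10]
Mar 25 13:43:54 mx postfix/cleanup[24138]: BB6AD371DDC4: message-id=<constructed-1@example.invalid>
Mar 25 13:43:54 mx postfix/qmgr[23982]: BB6AD371DDC4: from=<sender@example.net>, size=663, nrcpt=1 (queue active)
Mar 25 13:43:55 mx postfix/pipe[24140]: BB6AD371DDC4: to=<bogus-user@cogky.dk>, relay=dovecot, delay=0.38, delays=0.26/0.03/0/0.09, dsn=5.1.1, status=bounced (user unknown)
Mar 25 13:43:55 mx postfix/cleanup[24138]: 16228371DE3E: message-id=<constructed-2@example.invalid>
Mar 25 13:43:55 mx postfix/bounce[24142]: BB6AD371DDC4: sender non-delivery notification: 16228371DE3E
Mar 25 13:43:55 mx postfix/qmgr[23982]: 16228371DE3E: from=<>, size=2673, nrcpt=1 (queue active)
Mar 25 13:43:55 mx postfix/qmgr[23982]: BB6AD371DDC4: removed
Mar 25 13:44:10 mx postfix/smtpd[24133]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bogus-user@aptget.dk>: Recipient address rejected: User unknown in virtual mailbox table; from=<sender@example.net> to=<bogus-user@aptget.dk> proto=ESMTP helo=<client.example.net>
Mar 25 13:44:20 mx postfix/smtpd[24133]: 7A1B2C3D4E5F: client=unknown[192.0.2.10]
Mar 25 13:44:21 mx postfix/pipe[24140]: 7A1B2C3D4E5F: to=<real-user@cogky.dk>, relay=dovecot, delay=0.30, delays=0.20/0.02/0/0.08, dsn=2.0.0, status=sent (delivered via dovecot service)
"""


def demo():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    report = demo()
    print("rejected at RCPT time:", report["rejected_at_rcpt"])
    for f in report["backscatter"]:
        print("accept-then-bounce: %(queue_id)s from %(client)s to <%(recipient)s> "
              "via %(relay)s, NDR queued as %(bounce_queue_id)s" % f)
```

On a healthy setup the `backscatter` list stays empty and every unknown recipient shows up only in the `rejected_at_rcpt` count; a non-empty list names the transport that produced the late "user unknown", which is the place to look for the address class or map that let the recipient through.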
                        • Wietse Venema
                          Message 12 of 28, Mar 25, 2013
                            Titanus Eramius:
                            > On Fri, 22 Mar 2013 19:12:40 -0400 (EDT), Wietse Venema
                            > <wietse@...> wrote:
                            >
                            > > Test your lookups:
                            > >
                            > > postmap -q cogky.dk the-virtual_mailbox_domains-table
                            > > This should return a result (the value does not matter).
                            >
                            > aptget:~# postalias -q cogky.dk mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
                            > cogky.dk
                            >
                            > > postmap -q real-user@... the-virtual_mailbox_maps-table
                            > > This should return a result (the mailbox file name).
                            >
                            > aptget:~# postalias -q real-user@... mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                            > cogky.dk/real-user/
                            >
                            > > postmap -q bogus-user@... the-virtual_mailbox_maps-table
                            > > This should return no result (Postfix treats this as "user unknown
                            > > in virtual mailbox table").
                            >
                            > And this does not return a result. Bash gives an error status of 1.

                            OK, the table is working as it should. Now let's find out
                            why the bogus recipient is accepted:

                            Next step:

                            - Connect to the public (not content re-injection) SMTP port and try

                            $ telnet hostname 25
                            ehlo ...
                            mail from:<>
                            rcpt to:<real-user@...>
                            rcpt to:<bogus-user@...>
                            quit

                            One recipient should be accepted, the other not.

                            - Same experiment for mail over the submission port, if you have one:

                            $ openssl s_client -starttls smtp -connect hostname:587
                            ehlo ...
                            mail from:<>
                            rcpt to:<real-user@...>
                            rcpt to:<bogus-user@...>
                            quit

                            This is just in case.

                            Wietse
                          • Titanus Eramius
                            Message 13 of 28 , Mar 25, 2013
                              Mon, 25 Mar 2013 11:30:41 -0400 (EDT) skrev Wietse Venema
                              <wietse@...>:

                              > Titanus Eramius:
                              > > Fri, 22 Mar 2013 19:12:40 -0400 (EDT) skrev Wietse Venema
                              > > <wietse@...>:
                              > >
                              > > > Test your lookups:
                              > > >
                              > > > postmap -q cogky.dk the-virtual_mailbox_domains-table
                              > > > This should return a result (the value does not matter).
                              > >
                              > > aptget:~# postalias -q cogky.dk
                              > > mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
                              > > cogky.dk
                              > >
                              > > > postmap -q real-user@... the-virtual_mailbox_maps-table
                              > > > This should return a result (the mailbox file name).
                              > >
                              > > aptget:~# postalias -q real-user@...
                              > > mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                              > > cogky.dk/real-user/
                              > >
                              > > > postmap -q bogus-user@... the-virtual_mailbox_maps-table
                              > > > This should return no result (Postfix treats this as "user unknown
                              > > > in virtual mailbox table").
                              > >
                              > > And this does not return a result. Bash gives an error status of 1.
                              >
                              > OK, the table is working as it should. Now let's find out
                              > why the bogus recipient is accepted:
                              >
                              > Next step:
                              >
                              > - Connect to the public (not content re-injection) SMTP port and try
                              >
                              > $ telnet hostname 25
                              > ehlo ...
                              > mail from:<>
                              > rcpt to:<real-user@...>
                              > rcpt to:<bogus-user@...>
                              > quit
                              >
                              > One recipient should be accepted, the other not.
                              >
                              > - Same experiment for mail over the submission port, if you have one:
                              >
                              > $ openssl s_client -starttls smtp -connect hostname:587
                              > ehlo ...
                              > mail from:<>
                              > rcpt to:<real-user@...>
                              > rcpt to:<bogus-user@...>
                              > quit
                              >
                              > This is just in case.
                              >
                              > Wietse

                              Both RCPT TOs are successful

                              titanus@asrock:~$ telnet 46.21.105.38 25
                              Trying 46.21.105.38...
                              Connected to 46.21.105.38.
                              Escape character is '^]'.
                              220 aptget.aptget.dk ESMTP Postfix
                              EHLO Hej
                              250-aptget.aptget.dk
                              250-PIPELINING
                              250-SIZE 26214400
                              250-ETRN
                              250-STARTTLS
                              250-AUTH PLAIN LOGIN
                              250-AUTH=PLAIN LOGIN
                              250-ENHANCEDSTATUSCODES
                              250-8BITMIME
                              250 DSN
                              MAIL FROM:<>
                              250 2.1.0 Ok
                              RCPT TO:<real-user@...>
                              250 2.1.5 Ok
                              RCPT TO:<non-existent@...>
                              250 2.1.5 Ok
                              QUIT
                              221 2.0.0 Bye
                              Connection closed by foreign host.

                              If non-existent@... is substituted with non-existent@...,
                              then it is still rejected with "... unknown in virtual mailbox table".

                              When trying with submission through telnet, I'm afraid I can't get the
                              syntax right. But when using the mail client Claws Mail, Postfix
                              accepts non-existent addresses for cogky.dk

                              ...
                              [17:51:52] ESMTP< 235 2.7.0 Authentication successful
                              [17:51:52] ESMTP> MAIL FROM:<nicky@...> SIZE=371
                              [17:51:52] SMTP< 250 2.1.0 Ok
                              [17:51:52] SMTP> RCPT TO:<non-existent@...>
                              [17:51:52] SMTP< 250 2.1.5 Ok
                              ...

                              Thank you, Titanus
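The check Wietse describes above and the session Titanus pasted, as an added example that is not code from the thread: a small Python probe that runs the same MAIL FROM:<> / RCPT TO dialogue (no DATA, so nothing is queued) and a parser that applies the same verdict to a pasted transcript. Host names, addresses and both transcripts below are constructed placeholders.

```python
"""Recipient-validation probe mirroring the telnet/openssl test in the thread:
MAIL FROM:<>, then RCPT TO for a real and a bogus user, never DATA.

Added example, not code from the thread. Host names, addresses and the
transcripts below are constructed placeholders.
"""
import re
import smtplib

# "RCPT TO:<addr>" as typed, or as logged by a client ("SMTP> RCPT TO:<addr>")
RCPT_RE = re.compile(r"RCPT TO:<([^>]*)>", re.IGNORECASE)
# three-digit SMTP reply code not preceded by a digit (skips "[17:51:52]" stamps)
REPLY_RE = re.compile(r"(?<!\d)(\d{3})[ -]")


def parse_transcript(text):
    """Pair each RCPT TO in a pasted SMTP session with the reply code that
    follows it. Returns [(recipient, code), ...] in session order."""
    results, pending = [], None
    for line in text.splitlines():
        m = RCPT_RE.search(line)
        if m:
            pending = m.group(1).strip()
            continue
        m = REPLY_RE.search(line)
        if m and pending is not None:
            results.append((pending, int(m.group(1))))
            pending = None
    return results


def accepted_unknown(results, known):
    """Recipients accepted at RCPT time (2xx) that are not in `known`.
    Each one is mail the server will take and later bounce: backscatter."""
    known = {k.lower() for k in known}
    return [addr for addr, code in results
            if 200 <= code < 300 and addr.lower() not in known]


def probe(host, port, recipients, helo="probe.invalid", timeout=10):
    """Live check: the same dialogue over the network, STARTTLS when offered
    (covers the submission-port variant). Returns [(recipient, code), ...]."""
    results = []
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo(helo)
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo(helo)
        s.mail("")                      # smtplib sends "MAIL FROM:<>"
        for addr in recipients:
            code, _ = s.rcpt(addr)      # no DATA: nothing is ever queued
            results.append((addr, code))
        s.rset()
    return results


# Constructed session in the shape of the one posted: bogus user accepted.
BROKEN_SESSION = """\
220 mx.example.test ESMTP Postfix
EHLO probe.invalid
250-mx.example.test
250 DSN
MAIL FROM:<>
250 2.1.0 Ok
RCPT TO:<real-user@example.test>
250 2.1.5 Ok
RCPT TO:<non-existent@example.test>
250 2.1.5 Ok
QUIT
221 2.0.0 Bye
"""

# Constructed client-log excerpt showing the expected behaviour once fixed.
FIXED_SESSION = """\
[17:51:52] SMTP> RCPT TO:<real-user@example.test>
[17:51:52] SMTP< 250 2.1.5 Ok
[17:51:52] SMTP> RCPT TO:<non-existent@example.test>
[17:51:52] SMTP< 550 5.1.1 <non-existent@example.test>: Recipient address rejected: User unknown in virtual mailbox table
"""
```

`accepted_unknown(probe("mx.example.test", 25, [...]), known_users)` should come back empty on a correctly configured server; anything it returns is a recipient the server will accept and later bounce.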
                            • Wietse Venema
                              Message 14 of 28 , Mar 25, 2013
                                Titanus Eramius:
                                > > OK, the table is working as it should. Now let's find out
                                > > why the bogus recipient is accepted:
                                > >
                                > > Next step:
                                > >
                                > > - Connect to the public (not content re-injection) SMTP port and try
                                ...
                                > MAIL FROM:<>
                                > 250 2.1.0 Ok
                                > RCPT TO:<real-user@...>
                                > 250 2.1.5 Ok
                                > RCPT TO:<non-existent@...>
                                > 250 2.1.5 Ok

                                > If non-existent@... is substituted with non-existent@...,
                                > then it is still rejected with "... unknown in virtual mailbox table".

                                You appear to have a wild-card rule that replaces @... with
                                @.... Such a rule matches all addresses including invalid ones.

                                Instead use a MySQL query as described in
                                http://tech.groups.yahoo.com/group/postfix-users/message/247913

                                Wietse
                              • Titanus Eramius
                                Message 15 of 28 , Apr 5, 2013
                                  Mon, 25 Mar 2013 14:09:04 -0400 (EDT) skrev Wietse Venema
                                  <wietse@...>:

                                  > Titanus Eramius:

                                  > > MAIL FROM:<>
                                  > > 250 2.1.0 Ok
                                  > > RCPT TO:<real-user@...>
                                  > > 250 2.1.5 Ok
                                  > > RCPT TO:<non-existent@...>
                                  > > 250 2.1.5 Ok
                                  >
                                  > > If non-existent@... is substituted with non-existent@...,
                                  > > then it is still rejected with "... unknown in virtual mailbox
                                  > > table".
                                  >
                                  > You appear to have a wild-card rule that replaces @... with
                                  > @.... Such a rule matches all addresses including invalid ones.
                                  >
                                  > Instead use a MySQL query as described in
                                  > http://tech.groups.yahoo.com/group/postfix-users/message/247913
                                  >
                                  > Wietse

                                  Thank you for the link, it was very informative, but didn't solve the
                                  problem. I also tried making a virtual_mailbox_maps MySQL query that
                                  always returned false, but Postfix still accepted all mail, and then
                                  bounced it after Dovecot rejected it.

                                  I have converted virtual_mailbox_maps and virtual_mailbox_domains to
                                  text files, so it should be easier to debug on the setup. Please note
                                  that I had to change server to experiment like this, since I depend
                                  on the other server.

                                  The server name is nt-data.dk, and the hosted domain (which all mail is
                                  accepted for) is nt-backup.dk. The behavior is the same, so mail sent
                                  to non_existent@... is rejected, while mail sent to
                                  non_existent@... is accepted, and then bounced.

                                  In main.cf (please see the bottom for postconf -n) is
                                  virtual_mailbox_domains =
                                  hash:/etc/postfix/virtual_mailbox_domains.cf
                                  virtual_mailbox_maps =
                                  hash:/etc/postfix/virtual_mailbox_maps.cf

                                  And the content of those files is
                                  virtual_mailbox_domains.cf:
                                  nt-backup.dk OK
                                  nt-data.dk OK

                                  virtual_mailbox_maps.cf:
                                  test@... OK
                                  info@... OK

                                  It all works like a charm, besides the point that Postfix accepts
                                  mail to non-existent users on the hosted domain.

                                  In addition I have read through the relevant documentation again, but I
                                  still can't figure out where or what the problem might be.

                                  Thanks again


                                  postconf -n
                                  alias_maps = hash:/etc/aliases

                                  bounce_template_file = /etc/postfix/bounce.cf

                                  broken_sasl_auth_clients = yes

                                  config_directory = /etc/postfix

                                  delay_warning_time = 4

                                  disable_vrfy_command = yes

                                  inet_interfaces = all

                                  local_recipient_maps = $virtual_mailbox_maps

                                  maximal_queue_lifetime = 15

                                  mydestination =

                                  myhostname = ntdata.nt-data.dk

                                  mynetworks = 127.0.0.0/8

                                  recipient_canonical_classes = envelope_recipient

                                  recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
                                  tcp:127.0.0.1:10002

                                  sender_canonical_classes = envelope_sender

                                  sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
                                  tcp:127.0.0.1:10001

                                  smtp_tls_security_level = may

                                  smtp_tls_session_cache_database =
                                  btree:$data_directory/smtp_tls_session_cache

                                  smtpd_data_restrictions =
                                  reject_unauth_pipelining,
                                  reject_multi_recipient_bounce,
                                  permit

                                  smtpd_helo_required = yes

                                  smtpd_recipient_restrictions =
                                  reject_non_fqdn_sender,
                                  reject_non_fqdn_recipient,
                                  reject_unknown_sender_domain,
                                  reject_unknown_recipient_domain,
                                  reject_rbl_client truncate.gbudb.net,
                                  reject_unauth_destination,
                                  permit

                                  smtpd_sasl_auth_enable = yes

                                  smtpd_sasl_exceptions_networks = $mynetworks

                                  smtpd_sasl_path = private/auth

                                  smtpd_sasl_security_options = noanonymous

                                  smtpd_sasl_type = dovecot

                                  smtpd_tls_ask_ccert = yes

                                  smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt

                                  smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key

                                  smtpd_tls_loglevel = 1

                                  smtpd_tls_received_header = yes

                                  smtpd_tls_security_level = may

                                  smtpd_tls_session_cache_database =
                                  btree:$data_directory/smtpd_tls_session_cache

                                  tls_random_source = dev:/dev/urandom

                                  transport_maps = hash:/etc/postfix/transport.cf

                                  virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains.cf

                                  virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps.cf

                                  virtual_transport = dovecot
                                • Brian Evans
                                  Message 16 of 28 , Apr 5, 2013
                                    On 4/5/2013 6:56 AM, Titanus Eramius wrote:
                                    > Mon, 25 Mar 2013 14:09:04 -0400 (EDT) skrev Wietse Venema
                                    > <wietse@...>:
                                    >
                                    >> Titanus Eramius:
                                    >>> MAIL FROM:<>
                                    >>> 250 2.1.0 Ok
                                    >>> RCPT TO:<real-user@...>
                                    >>> 250 2.1.5 Ok
                                    >>> RCPT TO:<non-existent@...>
                                    >>> 250 2.1.5 Ok
                                    >>> If non-existent@... is substituted with non-existent@...,
                                    >>> then it is still rejected with "... unknown in virtual mailbox
                                    >>> table".
                                    >> You appear to have a wild-card rule that replaces @... with
                                    >> @.... Such a rule matches all addresses including invalid ones.
                                    >>
                                    >> Instead use a MySQL query as described in
                                    >> http://tech.groups.yahoo.com/group/postfix-users/message/247913
                                    >>
                                    >> Wietse
                                    > Thank you for the link, it was very informative, but didn't solve the
                                    > problem. I also tried making a virtual_mailbox_maps MySQL query that
                                    > always returned false, but Postfix still accepted all mail, and then
                                    > bounced it after Dovecot rejected it.

                                    You say you return "false"?
                                    Postfix expects to receive no results (a.k.a. 0 rows) if a
                                    virtual_mailbox_maps address in mysql does not exist.
                                    Do not return "false", empty string, null, or any other value if it does
                                    not exist.

                                    Brian
                                  • Titanus Eramius
                                    Message 17 of 28 , Apr 5, 2013
                                      Fri, 05 Apr 2013 08:49:39 -0400 skrev Brian Evans
                                      <grknight@...>:

                                      > > Thank you for the link, it was very informative, but didn't solve
                                      > > the problem. I also tried making a virtual_mailbox_maps MySQL query
                                      > > that always returned false, but Postfix still accepted all mail,
                                      > > and then bounced it after Dovecot rejected it.
                                      >
                                      > You say you return "false"?
                                      > Postfix expects to receive no results (a.k.a. 0 rows) if a
                                      > virtual_mailbox_maps address in mysql does not exist.
                                      > Do not return "false", empty string, null, or any other value if it
                                      > does not exist.

                                      False may be the wrong word, and I'm sorry if it is. What I mean is,
                                      virtual_mailbox_maps always returns nothing from MySQL, like so:

                                      titanus@ntdata:/etc/postfix$ sudo postmap -q test@...
                                      mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                      titanus@ntdata:/etc/postfix$ echo $?
                                      1
                                      (this user exists)

                                      titanus@ntdata:/etc/postfix$ sudo postmap -q non_existent@...
                                      mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                      titanus@ntdata:/etc/postfix$ echo $?
                                      1
                                      (this user does not)

                                      I did this because I had some trouble constructing the query-string
                                      Wietse recommended, and thought this would be a simple and easy way to
                                      test if virtual_mailbox_maps was the problem.

                                      When trying the syntax within the MySQL CLI, an "Empty set" is returned
                                      when querying for a non-existent user:

                                      mysql> SELECT username FROM mailbox
                                      -> WHERE username = 'non_existent@...';
                                      Empty set (0.00 sec)


                                      I hope this better explains what I meant
                                      Cheers
                                    • Titanus Eramius
                                      Message 18 of 28 , Apr 6, 2013
                                        Solved it :-)

                                        When sending to unknown users, Postfix now rejects the mail with "User
                                        unknown in virtual mailbox table", and it does so for hosted (that is,
                                        virtual mailbox domains) domains as well.

                                        It seems the SRS-daemon* I have been using with the main.cf parameters
                                        recipient_canonical_maps
                                        recipient_canonical_classes
                                        sender_canonical_maps
                                        sender_canonical_classes

                                        was the root of the problem. I have just commented them out to solve
                                        it. Reading through the documentation for those four parameters does
                                        not seem to indicate why they would mess with Postfix's ability to use
                                        virtual_mailbox_maps.

                                        But I guess my lack of understanding about Postfix internals is a
                                        problem as well. I am sorry for the wasted time, and would like to
                                        thank all who helped out.

                                        Have a nice weekend


                                        * https://github.com/Fruneau/pfixtools