Re: Trouble configuring backup MX to reject unauth destination

  • Wietse Venema
    ... You appear to have a wild-card rule that replaces @cogky.dk with @aptget.dk. Such a rule matches all addresses including invalid ones. Instead use a MySQL
    Message 1 of 28 , Mar 25, 2013
      Titanus Eramius:
      > > OK, the table is working as it should. Now let's find out
      > > why the bogus recipient is accepted:
      > >
      > > Next step:
      > >
      > > - Connect to the public (not content re-injection) SMTP port and try
      ...
      > MAIL FROM:<>
      > 250 2.1.0 Ok
      > RCPT TO:<real-user@...>
      > 250 2.1.5 Ok
      > RCPT TO:<non-existent@...>
      > 250 2.1.5 Ok

      > If non-existent@... is substituted with non-existent@...,
      > then it is still rejected with "... unknown in virtual mailbox table".

      You appear to have a wild-card rule that replaces @... with
      @.... Such a rule matches all addresses including invalid ones.

      Instead use a MySQL query as described in
      http://tech.groups.yahoo.com/group/postfix-users/message/247913

      Wietse
    • Titanus Eramius
      Message 2 of 28 , Apr 5, 2013
        Mon, 25 Mar 2013 14:09:04 -0400 (EDT) Wietse Venema
        <wietse@...> wrote:

        > Titanus Eramius:

        > > MAIL FROM:<>
        > > 250 2.1.0 Ok
        > > RCPT TO:<real-user@...>
        > > 250 2.1.5 Ok
        > > RCPT TO:<non-existent@...>
        > > 250 2.1.5 Ok
        >
        > > If non-existent@... is substituted with non-existent@...,
        > > then it is still rejected with "... unknown in virtual mailbox
        > > table".
        >
        > You appear to have a wild-card rule that replaces @... with
        > @.... Such a rule matches all addresses including invalid ones.
        >
        > Instead use a MySQL query as described in
        > http://tech.groups.yahoo.com/group/postfix-users/message/247913
        >
        > Wietse

        Thank you for the link, it was very informative, but didn't solve the
        problem. I also tried making a virtual_mailbox_maps MySQL query that
        always returned false, but Postfix still accepted all mail, and then
        bounced it after Dovecot rejected it.

        I have converted virtual_mailbox_maps and virtual_mailbox_domains to
        textfiles, so it should be easier to debug on the setup. Please note
        that I had to change server to experiment like this, since I depend
        on the other server.

        The servername is nt-data.dk, and the hosted domain (which all mail is
        accepted for) is nt-backup.dk. The behavior is the same, so mail sent
        to non_existent@... is rejected, while mail sent to
        non_existent@... is accepted, and then bounced.

        In main.cf (please see the bottom for postconf -n) is
        virtual_mailbox_domains =
        hash:/etc/postfix/virtual_mailbox_domains.cf
        virtual_mailbox_maps =
        hash:/etc/postfix/virtual_mailbox_maps.cf

        And the content of those files is
        virtual_mailbox_domains.cf:
        nt-backup.dk OK
        nt-data.dk OK

        virtual_mailbox_maps.cf:
        test@... OK
        info@... OK

        It all works like a charm, besides the point that Postfix accepts
        mail to non-existent users on the hosted domain.

        In addition I have read through the relevant documentation again, but I
        still can't figure out where or what the problem might be.

        Thanks again


        postconf -n
        alias_maps = hash:/etc/aliases
        bounce_template_file = /etc/postfix/bounce.cf
        broken_sasl_auth_clients = yes
        config_directory = /etc/postfix
        delay_warning_time = 4
        disable_vrfy_command = yes
        inet_interfaces = all
        local_recipient_maps = $virtual_mailbox_maps
        maximal_queue_lifetime = 15
        mydestination =
        myhostname = ntdata.nt-data.dk
        mynetworks = 127.0.0.0/8
        recipient_canonical_classes = envelope_recipient
        recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
            tcp:127.0.0.1:10002
        sender_canonical_classes = envelope_sender
        sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
            tcp:127.0.0.1:10001
        smtp_tls_security_level = may
        smtp_tls_session_cache_database =
            btree:$data_directory/smtp_tls_session_cache
        smtpd_data_restrictions =
            reject_unauth_pipelining,
            reject_multi_recipient_bounce,
            permit
        smtpd_helo_required = yes
        smtpd_recipient_restrictions =
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            reject_rbl_client truncate.gbudb.net,
            reject_unauth_destination,
            permit
        smtpd_sasl_auth_enable = yes
        smtpd_sasl_exceptions_networks = $mynetworks
        smtpd_sasl_path = private/auth
        smtpd_sasl_security_options = noanonymous
        smtpd_sasl_type = dovecot
        smtpd_tls_ask_ccert = yes
        smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
        smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
        smtpd_tls_loglevel = 1
        smtpd_tls_received_header = yes
        smtpd_tls_security_level = may
        smtpd_tls_session_cache_database =
            btree:$data_directory/smtpd_tls_session_cache
        tls_random_source = dev:/dev/urandom
        transport_maps = hash:/etc/postfix/transport.cf
        virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains.cf
        virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps.cf
        virtual_transport = dovecot
      • Brian Evans
        Message 3 of 28 , Apr 5, 2013
          On 4/5/2013 6:56 AM, Titanus Eramius wrote:
          > Mon, 25 Mar 2013 14:09:04 -0400 (EDT) Wietse Venema
          > <wietse@...> wrote:
          >
          >> Titanus Eramius:
          >>> MAIL FROM:<>
          >>> 250 2.1.0 Ok
          >>> RCPT TO:<real-user@...>
          >>> 250 2.1.5 Ok
          >>> RCPT TO:<non-existent@...>
          >>> 250 2.1.5 Ok
          >>> If non-existent@... is substituted with non-existent@...,
          >>> then it is still rejected with "... unknown in virtual mailbox
          >>> table".
          >> You appear to have a wild-card rule that replaces @... with
          >> @.... Such a rule matches all addresses including invalid ones.
          >>
          >> Instead use a MySQL query as described in
          >> http://tech.groups.yahoo.com/group/postfix-users/message/247913
          >>
          >> Wietse
          > Thank you for the link, it was very informative, but didn't solve the
          > problem. I also tried making a virtual_mailbox_maps MySQL query that
          > always returned false, but Postfix still accepted all mail, and then
          > bounced it after Dovecot rejected it.

          You say you return "false"?
          Postfix expects to receive no results (a.k.a. 0 rows) if a
          virtual_mailbox_maps address in mysql does not exist.
          Do not return "false", empty string, null, or any other value if it does
          not exist.

          Brian
        • Titanus Eramius
          Message 4 of 28 , Apr 5, 2013
            Fri, 05 Apr 2013 08:49:39 -0400 Brian Evans
            <grknight@...> wrote:

            > > Thank you for the link, it was very informative, but didn't solve
            > > the problem. I also tried making a virtual_mailbox_maps MySQL query
            > > that always returned false, but Postfix still accepted all mail,
            > > and then bounced it after Dovecot rejected it.
            >
            > You say you return "false"?
            > Postfix expects to receive no results (a.k.a. 0 rows) if a
            > virtual_mailbox_maps address in mysql does not exist.
            > Do not return "false", empty string, null, or any other value if it
            > does not exist.

            False may be the wrong word, and I'm sorry if it is. What I mean is,
            virtual_mailbox_maps always returns nothing from MySQL, like so:

            titanus@ntdata:/etc/postfix$ sudo postmap -q test@...
            mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
            titanus@ntdata:/etc/postfix$ echo $?
            1
            (this user exists)

            titanus@ntdata:/etc/postfix$ sudo postmap -q non_existent@...
            mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
            titanus@ntdata:/etc/postfix$ echo $?
            1
            (this user does not)

            I did this because I had some trouble constructing the query-string
            Wietse recommended, and thought this would be a simple and easy way to
            test if virtual_mailbox_maps was the problem.

            When trying the syntax within the MySQL CLI, an "Empty set" is returned
            when querying for a non-existent user

            mysql> SELECT username FROM mailbox
            -> WHERE username = 'non_existent@...';
            Empty set (0.00 sec)


            I hope this better explains what I meant
            Cheers
          • Titanus Eramius
            Message 5 of 28 , Apr 6, 2013
              Solved it :-)

              When sending to unknown users, Postfix now rejects the mail with "User
              unknown in virtual mailbox table", and it does so for hosted (that is,
              virtual mailbox domains) domains as well.

              It seems the SRS-daemon* I have been using with the main.cf parameters
              recipient_canonical_maps
              recipient_canonical_classes
              sender_canonical_maps
              sender_canonical_classes

              was the root of the problem. I have just commented them out to solve
              it. Reading through the documentation for those four parameters does
              not seem to indicate why they would mess with Postfix' ability to use
              virtual_mailbox_maps.

              But I guess my lack of understanding about Postfix internals is a
              problem as well. I am sorry for the wasted time, and would like to
              thank all who helped out.

              Have a nice weekend


              * https://github.com/Fruneau/pfixtools
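
A check for the failure mode this thread ended on, as an added example that is not from any poster in the thread: Postfix's SMTP server considers a recipient "known" when it matches a canonical or virtual alias mapping, so a rewriting table that answers for every address (a `tcp:` daemon, or an `@domain` wild-card key) prevents the "User unknown in virtual mailbox table" rejection. The `POSTCONF`/`POSTMAP` override variables, the probe address and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example: find rewriting tables that answer for a made-up recipient.
# smtpd treats a recipient as "known" when it matches a canonical or virtual
# alias mapping, so such a table switches off "User unknown" rejection.
# POSTCONF / POSTMAP are overridable (an assumption of this example, so the
# logic can be exercised without a running Postfix).
POSTCONF=${POSTCONF:-postconf}
POSTMAP=${POSTMAP:-postmap}

# Maps that can make an otherwise unlisted recipient count as known.
REWRITE_PARAMS="recipient_canonical_maps canonical_maps virtual_alias_maps"

# wildcard_tables DOMAIN
# Prints "parameter table" for each table that returns a result for a
# constructed, non-existent address in DOMAIN or for the bare "@DOMAIN" key.
# Returns 1 if at least one such table was found, 0 otherwise.
wildcard_tables() {
    domain=$1
    probe="no-such-user-$$@$domain"   # constructed address; must not exist
    found=0
    for param in $REWRITE_PARAMS; do
        # "postconf -h" prints only the value; entries are split on commas
        # and whitespace.
        for table in $("$POSTCONF" -h "$param" 2>/dev/null | tr ',' ' '); do
            for key in "$probe" "@$domain"; do
                # "postmap -q" exits 0 only when the table returns a result.
                if "$POSTMAP" -q "$key" "$table" >/dev/null 2>&1; then
                    echo "$param $table"
                    found=1
                    break
                fi
            done
        done
    done
    return "$found"
}

# Usage: sh check.sh nt-backup.dk   (hypothetical file name; no-op without a domain)
[ -z "${1:-}" ] || wildcard_tables "$1"
```

Any table it lists should be replaced by one that returns a result only for addresses that really exist, which is the point of the MySQL query recommended earlier in the thread.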