Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

  • Viktor Dukhovni
    Message 1 of 37, Jun 22, 2013
      On Sat, Jun 22, 2013 at 12:13:16PM +0100, Craig R. Skinner wrote:

      > > >main.cf:
      > > >myorigin = $mydomain
      > > >mydestination = localhost.$mydomain

      Notice the exact form of the above (IIRC that was my suggestion).

      > > No. If the destination you use in virtual_alias_maps is @localhost,
      > > then THAT must be in mydestination.
      > > Postfix is quite literal.
      > >
      > > mydestination = localhost
      > > append_dot_mydomain = no

      Whoever said that does not know what they are talking about. With
      the default of "append_dot_mydomain = yes", Postfix will replace
      "user@localhost" with "user@localhost.$mydomain" before performing
      recursive lookups with virtual_alias_maps.

      > > Or, if you wish to follow Victor's advice, qualify all aliases with
      > > "@localhost.$mydomain" instead.

      No, that can't be done literally, one would have to replace
      "$mydomain" with the actual value. To quote Dr. Seuss: I meant
      what I said and I said what I meant.

      > Superbly simple config Jeroen, unfortunately it doesn't work for me -
      > yet.
      >
      > main.cf:
      > myorigin = $mydomain
      > mydestination = localhost

      mydestination = localhost.$mydomain

      > append_dot_mydomain = no

      append_dot_mydomain = yes

      > remote_header_rewrite_domain = sender.domain.incomplete

      remote_header_rewrite_domain = address.invalid

      The ".invalid" TLD is IANA reserved for invalid domain names.

      If these aliases are to be effective the RHS needs to be in a valid
      domain, your choices are "localhost" or "example.com". The former
      will perform local(8) delivery directly without generating a new
      queued message with the expanded recipients. The latter will do
      indirect (new queue file) delivery because example.com is not in
      mydestination.

      > virtual_alias_maps.map:
      > # accept mail for postmaster/abuse@[ip.add.ress.es]
      > postmaster postmaster

      Never leave RHS domain unset in virtual_alias_maps. Replace the
      RHS with postmaster@localhost (which punts the mail to local(8)
      for aliases(5) expansion) or with the full addresses of users
      receiving postmaster mail. The LHS can only be left unqualified
      if the virtual alias domain is equal to $myorigin. Otherwise,
      it too MUST be an FQDN.

      Thus, either:

      # Actual expansion in local(8) aliases(5). Not recommended.
      #
      postmaster@... postmaster@localhost

      or:

      # Actual expansion in local(8) aliases(5). Preferred:
      #
      postmaster@... user1@..., user2@..., ...

      > abuse postmaster

      Here:

      abuse@... postmaster@...


      > hostmaster@... hostmaster

      Same as postmaster!

      > sales@... acct145

      sales@... acct145@...

      > joe.bloggs@... jb4356

      joe.bloggs@... jb4356@localhost

      > jane.blossom@... jb8921

      jane.blossom@... jb8921@localhost

      Use virtual(5) for ALL address -> address mappings, with only
      addresses that represent final mailboxes listed as account@localhost.

      Use aliases(5) sparingly, only for "|command" aliases (try to avoid
      these anyway) or ":include:" lists.

      The aliases(5) file is a Sendmail compatibility feature, whose
      features are best remapped onto virtual(5) (address to address
      mappings controlled by the administrator) and .forward files (own
      address to address or command mappings possibly controlled by shell
      users).

      --
      Viktor.
    • Craig R. Skinner
      Message 37 of 37, Jun 25, 2013
        On 2013-06-25 Tue 14:38 PM |, Viktor Dukhovni wrote:
        >
        > > Jun 25 14:04:08 server1 postfix/pickup[29023]: 51B8367E0: uid=7432 from=<admin-acct>
        > > Jun 25 14:04:08 server1 postfix/cleanup[154]: 51B8367E0: message-id=<20130625130408.51B8367E0@...>
        > > Jun 25 14:04:08 server1 postfix/qmgr[6613]: 51B8367E0: from=<server.admin@...>, size=389, nrcpt=1 (queue active)
        > > Jun 25 14:04:08 server1 postfix/trivial-rewrite[2958]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
        >
        > This configuration is not what you claim above, stop wasting the list's
        > time with misleading reports.

        Viktor, you deleted/ignored the part where I stated that I'd changed it:

        On 2013-06-25 Tue 14:53 PM |, Craig R. Skinner wrote:
        >
        > However, alias expansion does occur when I do the NAUGHTY thing of
        > including $mydomain in $mydestination.

        It's clear enough if you read what I wrote.

        >
        > > Jun 25 14:04:08 server1 postfix/lmtp[30743]: 51B8367E0: to=<admin-acct@...>, orig_to=<daemon>, relay=server1.example.com[private/dovecot-lmtp], delay=0.07, delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> wCqpOjmVyVF/agAANm01jw Saved)
        >
        > Were example.com in virtual_alias_domains, this message would have bounced.
        >

        That might be what you'd like to happen. I don't see Postfix acting that way.

        Here in more detail (deliberately including mydomain in mydestination):

        $ postconf \
        config_directory \
        alias_database \
        alias_maps \
        mydomain \
        myorigin \
        mydestination \
        virtual_alias_domains \
        virtual_alias_maps \
        mailbox_transport \
        sender_canonical_maps \
        masquerade_domains \
        remote_header_rewrite_domain \
        local_recipient_maps \
        mail_spool_directory \
        append_dot_mydomain \
        local_transport

        config_directory = /etc/postfix
        alias_database = btree:$config_directory/aliases
        alias_maps = $alias_database
        mydomain = example.com
        myorigin = $mydomain
        mydestination = localhost, localhost.$mydomain, $mydomain
        virtual_alias_domains = example.com
        virtual_alias_maps = btree:$config_directory/virtual_alias_maps.map
        mailbox_transport = lmtp:unix:private/dovecot-lmtp
        sender_canonical_maps = btree:$config_directory/canonical.map
        masquerade_domains = $virtual_alias_domains
        remote_header_rewrite_domain = address.invalid
        local_recipient_maps = proxy:unix:passwd.byname $alias_maps
        mail_spool_directory = /var/mail/
        append_dot_mydomain = yes
        local_transport = local:$myhostname

        $ postmap -q daemon btree:/etc/postfix/aliases
        root

        $ postmap -q root btree:/etc/postfix/aliases
        admin-acct

        $ postmap -q daemon btree:/etc/postfix/virtual_alias_maps.map
        [nothing]

        $ postmap -q root btree:/etc/postfix/virtual_alias_maps.map
        [nothing]

        $ postmap -q server.admin btree:/etc/postfix/virtual_alias_maps.map
        admin-acct@localhost


        $ uname | mail -s uname daemon
        Jun 25 19:39:03 server1 postfix/pickup[23791]: 46C026764: uid=7432 from=<admin-acct>
        Jun 25 19:39:03 server1 postfix/cleanup[4734]: 46C026764: message-id=<20130625183903.46C026764@...>
        Jun 25 19:39:03 server1 postfix/qmgr[7589]: 46C026764: from=<server.admin@...>, size=328, nrcpt=1 (queue active)
        Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
        Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
        Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
        Jun 25 19:39:03 server1 dovecot: lmtp(23729): Connect from local
        Jun 25 19:39:03 server1 dovecot: lmtp(23729, admin-acct): 6epMMMfjyVGxXAAANm01jw: sieve: msgid=<20130625183903.46C026764@...>: stored mail into mailbox 'INBOX'
        Jun 25 19:39:04 server1 postfix/lmtp[19198]: 46C026764: to=<admin-acct@...>, orig_to=<daemon>, relay=server1.example.com[private/dovecot-lmtp], delay=0.78, delays=0.14/0.07/0.39/0.19, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> 6epMMMfjyVGxXAAANm01jw Saved)
        Jun 25 19:39:04 server1 dovecot: lmtp(23729): Disconnect from local: Client quit (in reset)
        Jun 25 19:39:04 server1 postfix/qmgr[7589]: 46C026764: removed


        Log evidence of no bounce when the mydomain is both in mydestination &
        virtual_alias_domains. Also log evidence of aliases being parsed.


        > > Comments?
        >
        > 0. All address -> address mappings in virtual(5).
        >
        > 1. No address -> address mappings in aliases(5).
        >
        > 2. localhost and localhost.$mydomain only in mydestination.
        >
        > 3. Your domain in virtual_alias_domains and myorigin.
        >
        > 4. In virtual(5) the LHS and RHS of all lookup keys include @domain:
        >
        > alias@... user@..., otheruser@...
        > user@... useracct@localhost
        > otheruser@... otheracct@localhost
        >
        > 5. Nothing in aliases(5) except aliases whose RHS is a ":include:" file
        > if you need that feature (mailing list manager integration).

        This is what I stated worked for me in an earlier mail:

        On 2013-06-21 Fri 20:57 PM |, Craig R. Skinner wrote:
        >
        > Thanks Viktor, this set up works with making the machine's domain name
        > virtual for Postfix, accepting mail for pretty addresses & rejecting
        > remote mail for MOST Unix accounts, while accepting local mail to Unix
        > accounts, IF listed as virtual aliases (mutt, sendmail, cron,....):
        >
        ..
        ..
        ..
        >
        > It seems the aliases file is not used. I've got root, postmaster,
        > abuse, hostmaster, etc. in virtual_alias_maps.map. Should the other
        > traditional aliases of MAILER-DAEMON, bin, dumper, etc. be in there
        > too?
        >

        On 2013-06-21 Fri 22:08 PM |, Jeroen Geilman wrote:
        > >It seems the aliases file is not used.
        >
        > Of course it is used, for any destinations in $mydestination.
        >

        On 2013-06-24 Mon 15:12 PM |, Craig R. Skinner wrote:
        >
        > Thanks winning team (& Dr. Seuss too) for the quality education.
        >
        > I'm about getting it now.
        >
        > This set up works:-
        >
        ...
        ...
        >
        > aliases:
        > [empty]
        >
        > virtual_alias_maps.map:
        > # example.com: ($myorigin)
        > # Re-mapped from aliases(5): # Are they all needed these days???
        > postmaster postmaster@localhost
        > abuse postmaster@...
        > root admin-acct@localhost
        > MAILER-DAEMON postmaster@...
        > bin root@...
        > daemon root@...
        > named hostmaster@...
        ...
        ...



        However, Wietse replied to a later email with:

        On 2013-06-22 Sat 17:10 PM |, Wietse Venema wrote:
        > I agree with Viktor's description:
        >
        ...
        ...
        >
        > # Legacy sendmail-style aliases:
        > /etc/aliases:
        > # Here, no @domain in LHS or RHS.
        > postmaster: unixaccount
        > abuse: unixaccount
        >

        Therefore I tried moving some 'traditional' aliases back from
        virtual_alias_maps into aliases to test -
        and that's where it all fell apart:-

        The summary I hear from Viktor: is 'put it all in virtual'
        And from Wietse effectively: 'plain aliases will still work'

        I'm confused because both situations do not work, unless
        mydomain is in mydestination, which Postfix complains about.

        I've accurately followed the mixed instructions & tested each.

        >
        > 6. Handle "| command" aliases via .forward files of a designated
        > account, rather than in the system aliases file.
        >
        > 7. Did I mention no address to address (or if you like account to
        > account, address to account, account to address, ...) mappings in
        > aliases(5)? Place all of these in virtual(5).
        >

        Yes, see above.

        > 8. When testing, stop Postfix, check the configuration is what you want
        > to test and save "postconf -n" output. Start Postfix and run your
        > tests. Then report log entries that postdate the most recent Postfix
        > stop/start.
        >
        > 9. Don't tinker with the configuration mid-test and report logs that
        > don't match the reported configuration.
        >
        > 11. Yes local aliases(5) will still work when useracct@localhost is
        > processed by local(8), but best practice is to avoid user accounts as
        > lookup keys in /etc/aliases.

        OK. I'll forget that as useracct@localhost is rather unlikely.
        Either of these is more common day to day:
        *) useracct (from local processes)
        *) user.acct@... (via smtpd)

        >
        > 12. Local aliases(5) are not consulted when an address is missing
        > from virtual(5). If you send email to "missing@..." with
        > missing@... not listed in virtual(5), then having an entry of
        > the form "missing: user" in aliases(5) will not help. You must
        > include:
        >
        > missing@... missing@localhost
        >
        > for missing to then be looked up in aliases(5), but if
        > missing needs to be sent to a different user, you should
        > use virtual(5) for that! See 1 and 7 above. Basically,
        > in most cases aliases(5) can and should be empty.

        As I had before:

        On 2013-06-24 Mon 15:12 PM |, Craig R. Skinner wrote:
        >
        > aliases:
        > [empty]
        >



        >
        > 13. You can even set:
        >
        > alias_database =
        > alias_maps =
        >
        > and the question of whether aliases(5) lookups works becomes moot.
        > You'll only need aliases(5) for mailing list manager support, with
        > aliases(5) files that belong to the list manager account, so that
        > pipe commands there run under the correct account.
        >

        OK, that's all clear now.

        $ postmap -q daemon btree:/etc/postfix/aliases
        [nothing]
        $ postmap -q root btree:/etc/postfix/aliases
        [nothing]


        $ postmap -q daemon btree:/etc/postfix/virtual_alias_maps.map
        root@...

        $ postmap -q root btree:/etc/postfix/virtual_alias_maps.map
        admin-acct@localhost

        $ postconf \
        config_directory \
        alias_database \
        alias_maps \
        mydomain \
        myorigin \
        mydestination \
        virtual_alias_domains \
        virtual_alias_maps \
        mailbox_transport \
        sender_canonical_maps \
        masquerade_domains \
        remote_header_rewrite_domain \
        local_recipient_maps \
        mail_spool_directory \
        append_dot_mydomain \
        local_transport

        config_directory = /etc/postfix
        alias_database =
        alias_maps =
        mydomain = example.com
        myorigin = $mydomain
        mydestination = localhost, localhost.$mydomain
        virtual_alias_domains = example.com
        virtual_alias_maps = btree:$config_directory/virtual_alias_maps.map
        mailbox_transport = lmtp:unix:private/dovecot-lmtp
        sender_canonical_maps = btree:$config_directory/canonical.map
        masquerade_domains = $virtual_alias_domains
        remote_header_rewrite_domain = address.invalid
        local_recipient_maps = proxy:unix:passwd.byname $alias_maps
        mail_spool_directory = /var/mail/
        append_dot_mydomain = yes
        local_transport = local:$myhostname


        $ uname | mail -s uname daemon
        Jun 25 20:30:49 server1 postfix/pickup[9331]: B347067D2: uid=7432 from=<admin-acct>
        Jun 25 20:30:49 server1 postfix/cleanup[12470]: B347067D2: message-id=<20130625193049.B347067D2@...>
        Jun 25 20:30:49 server1 postfix/qmgr[27612]: B347067D2: from=<server.admin@...>, size=328, nrcpt=1 (queue active)
        Jun 25 20:30:50 server1 dovecot: lmtp(32687): Connect from local
        Jun 25 20:30:50 server1 dovecot: lmtp(32687, admin-acct): hheEDurvyVGvfwAANm01jw: sieve: msgid=<20130625193049.B347067D2@...>: stored mail into mailbox 'INBOX'
        Jun 25 20:30:50 server1 postfix/lmtp[8423]: B347067D2: to=<admin-acct@...>, orig_to=<daemon>, relay=server1.example.com[private/dovecot-lmtp], delay=0.78, delays=0.15/0.06/0.38/0.19, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> hheEDurvyVGvfwAANm01jw Saved)
        Jun 25 20:30:50 server1 dovecot: lmtp(32687): Disconnect from local: Client quit (in reset)
        Jun 25 20:30:50 server1 postfix/qmgr[27612]: B347067D2: removed

        $ uname | mail -s uname server.admin
        Jun 25 20:31:57 server1 postfix/pickup[9331]: 4FDA567D2: uid=7432 from=<admin-acct>
        Jun 25 20:31:57 server1 postfix/cleanup[12470]: 4FDA567D2: message-id=<20130625193157.4FDA567D2@...>
        Jun 25 20:31:57 server1 postfix/qmgr[27612]: 4FDA567D2: from=<server.admin@...>, size=329, nrcpt=1 (queue active)
        Jun 25 20:31:57 server1 dovecot: lmtp(15765): Connect from local
        Jun 25 20:31:57 server1 dovecot: lmtp(15765, admin-acct): qYkuGC3wyVGVPQAANm01jw: sieve: msgid=<20130625193157.4FDA567D2@...>: stored mail into mailbox 'INBOX'
        Jun 25 20:31:57 server1 postfix/lmtp[8423]: 4FDA567D2: to=<admin-acct@...>, orig_to=<server.admin>, relay=server1.example.com[private/dovecot-lmtp], delay=0.22, delays=0.02/0/0.06/0.13, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> qYkuGC3wyVGVPQAANm01jw Saved)
        Jun 25 20:31:57 server1 dovecot: lmtp(15765): Disconnect from local: Client quit (in reset)
        Jun 25 20:31:57 server1 postfix/qmgr[27612]: 4FDA567D2: removed


        $ uname | mail -s uname server.admin@...
        Jun 25 20:33:23 server1 postfix/pickup[9331]: 10DBA67D2: uid=7432 from=<admin-acct>
        Jun 25 20:33:23 server1 postfix/cleanup[12470]: 10DBA67D2: message-id=<20130625193323.10DBA67D2@...>
        Jun 25 20:33:23 server1 postfix/qmgr[27612]: 10DBA67D2: from=<server.admin@...>, size=329, nrcpt=1 (queue active)
        Jun 25 20:33:23 server1 dovecot: lmtp(9968): Connect from local
        Jun 25 20:33:23 server1 dovecot: lmtp(9968, admin-acct): 86tLCYPwyVHwJgAANm01jw: sieve: msgid=<20130625193323.10DBA67D2@...>: stored mail into mailbox 'INBOX'
        Jun 25 20:33:23 server1 postfix/lmtp[8423]: 10DBA67D2: to=<admin-acct@...>, orig_to=<server.admin@...>, relay=server1.example.com[private/dovecot-lmtp], delay=0.23, delays=0.03/0.01/0.07/0.13, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> 86tLCYPwyVHwJgAANm01jw Saved)
        Jun 25 20:33:23 server1 dovecot: lmtp(9968): Disconnect from local: Client quit (in reset)
        Jun 25 20:33:23 server1 postfix/qmgr[27612]: 10DBA67D2: removed

        It doesn't work with local mail to unix accounts, which I want.

        $ uname | mail -s uname admin-acct
        Jun 25 20:34:37 server1 postfix/pickup[9331]: DC92C67D2: uid=7432 from=<admin-acct>
        Jun 25 20:34:37 server1 postfix/cleanup[12470]: DC92C67D2: message-id=<20130625193437.DC92C67D2@...>
        Jun 25 20:34:37 server1 postfix/qmgr[27612]: DC92C67D2: from=<server.admin@...>, size=337, nrcpt=1 (queue active)
        Jun 25 20:34:38 server1 postfix/error[14142]: DC92C67D2: to=<admin-acct@...>, orig_to=<admin-acct>, relay=none, delay=0.17, delays=0.03/0.07/0/0.07, dsn=5.0.0, status=bounced (User unknown in virtual alias table)

        To solve that problem, I can replace
        sender_canonical_maps = btree:$config_directory/canonical.map
        with:
        canonical_maps = btree:$config_directory/canonical.map

        But then (naturally) smtpd also accepts remote mail for
        admin-acct@..., rather than just for server.admin@...

        Which can be controlled with Stan's idea of rejecting specific Unix
        accounts via smtpd_recipient_restrictions check_recipient_access
        reject_system_accounts.map.


        Thanks everyone for all your combined help,
        --
        Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
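A simplified model of the resolution rules Viktor lays out in message 1 (append_dot_mydomain, qualified LHS/RHS, virtual(5) before aliases(5)) and in his points 11 and 12 quoted in message 37, as an added example that is not Postfix code and not from any poster. It assumes the final configuration Craig posted and a constructed three-entry virtual_alias_maps.map; the bare-key lookup order and the "remote" outcome are simplifications of what Postfix actually does.

```python
"""Simplified model of the Postfix address resolution discussed in this thread.
Added example, not Postfix code. It models only the steps the thread names:
$myorigin qualification of bare addresses, append_dot_mydomain, recursive
virtual_alias_maps lookups, and the virtual-alias-domain / mydestination decision."""

# Constructed from the final "postconf" output Craig posted (message 37).
CONFIG = {
    "mydomain": "example.com",
    "myorigin": "example.com",
    "mydestination": {"localhost", "localhost.example.com"},
    "virtual_alias_domains": {"example.com"},
    "append_dot_mydomain": True,
}

# Constructed virtual_alias_maps.map: LHS -> RHS (one address per entry here).
VIRTUAL = {
    "daemon@example.com": "root@example.com",
    "root@example.com": "admin-acct@localhost",
    "server.admin@example.com": "admin-acct@localhost",
}
ALIASES = {}  # aliases(5) is empty, as in the final configuration.


def config_warnings(cfg):
    """Reproduce the trivial-rewrite warning that appears in Craig's logs."""
    both = cfg["mydestination"] & cfg["virtual_alias_domains"]
    return [f"do not list domain {d} in BOTH mydestination and virtual_alias_domains"
            for d in sorted(both)]


def qualify(addr, cfg):
    """Append $myorigin to a bare address, then apply append_dot_mydomain."""
    if "@" not in addr:
        addr = f"{addr}@{cfg['myorigin']}"
    user, domain = addr.rsplit("@", 1)
    if cfg["append_dot_mydomain"] and "." not in domain:
        domain = f"{domain}.{cfg['mydomain']}"  # user@localhost -> user@localhost.$mydomain
    return f"{user}@{domain}"


def resolve(addr, cfg, virtual, aliases, max_depth=10):
    """Return ('local', mailbox), ('bounce', reason) or ('remote', address)."""
    for _ in range(max_depth):
        addr = qualify(addr, cfg)
        user, domain = addr.rsplit("@", 1)
        # Lookup order modelled here: user@domain, bare user (only when the
        # domain is $myorigin, per Viktor's rule), then an @domain catch-all.
        keys = [addr] + ([user] if domain == cfg["myorigin"] else []) + [f"@{domain}"]
        hit = next((virtual[k] for k in keys if k in virtual), None)
        if hit is not None:
            addr = hit  # recursive virtual(5) expansion
            continue
        if domain in cfg["virtual_alias_domains"]:
            # Point 12: aliases(5) is never consulted for a virtual alias domain.
            return "bounce", "User unknown in virtual alias table"
        if domain in cfg["mydestination"]:
            # local(8) delivery: aliases(5) is consulted only now.
            return "local", aliases.get(user, user)
        return "remote", addr  # forwarding elsewhere is out of scope here
    return "bounce", "mail forwarding loop"
```

With this configuration `resolve("daemon", ...)` ends in the admin-acct mailbox while `resolve("admin-acct", ...)` bounces, matching Craig's last two log excerpts.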