Loading ...
Sorry, an error occurred while loading the content.

Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

Expand Messages
  • Craig R. Skinner
    ... Well, that s the theory - but I don t see that happening when adhering to the suggestions provided in this thread: myorigin = $mydomain mydestination =
    Message 1 of 37 , Jun 25, 2013
    • 0 Attachment
      On 2013-06-24 Mon 20:24 PM |, Wietse Venema wrote:
      > Craig R. Skinner:
      > > The default aliases file does not indicate that;-
      > >
      > > "The aliases(5) table provides a system-wide mechanism to redirect mail for LOCAL recipients."
      > >
      > > "Users can control delivery of their own mail by setting up .forward files in their home directory."
      >
      > Actually, it says:
      >
      > The aliases(5) table provides a system-wide mechanism to redirect mail
      > for local recipients. The redirections are processed by the Postfix
      > local(8) delivery agent.
      >
      > And hence, it is processed by the local(8) delivery agent, which
      > normally handles domains listed in mydestination.
      >

      Well, that's the theory - but I don't see that happening when adhering
      to the suggestions provided in this thread:

      myorigin = $mydomain
      mydestination = localhost, localhost.$mydomain
      virtual_alias_domains = example.com ($mydomain)
      mailbox_transport = lmtp:unix:private/dovecot-lmtp
      ...
      ...


      Various combinations of these with the above don't trigger aliases
      expansion:
      append_dot_mydomain = no
      local_transport = local:localhost

      If local(8) was handling domains listed in mydesti (localhost) then
      aliases should be parsed, but nope.


      From http://www.postfix.org/postconf.5.html#mailbox_transport
      The precedence of local(8) delivery features from high to low is:
      aliases, .forward files, mailbox_transport_maps, mailbox_transport, ....

      From the logs I posted earlier, $mailbox_transport is getting evaulated,
      but not aliases, which should come 1st.

      However, alias expansion does occur when I do the NAUGHTY thing of
      including $mydomain in $mydestination. Here notice that both aliases &
      Dovecot ($mailbox_transport) are invoked, where as in my earlier email
      that aliases where not, while Dovecot was for all items in
      $virtual_alias_maps:


      $ uptime | mail -s uptime daemon (<--- in aliases, not virtual_alias_maps)
      Jun 25 14:04:08 server1 postfix/pickup[29023]: 51B8367E0: uid=7432 from=<admin-acct>
      Jun 25 14:04:08 server1 postfix/cleanup[154]: 51B8367E0: message-id=<20130625130408.51B8367E0@...>
      Jun 25 14:04:08 server1 postfix/qmgr[6613]: 51B8367E0: from=<server.admin@...>, size=389, nrcpt=1 (queue active)
      Jun 25 14:04:08 server1 postfix/trivial-rewrite[2958]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
      Jun 25 14:04:08 server1 dovecot: lmtp(27263): Connect from local
      Jun 25 14:04:08 server1 dovecot: lmtp(27263, admin-acct): wCqpOjmVyVF/agAANm01jw: sieve: msgid=<20130625130408.51B8367E0@...>: stored mail into mailbox 'INBOX'
      Jun 25 14:04:08 server1 postfix/lmtp[30743]: 51B8367E0: to=<admin-acct@...>, orig_to=<daemon>, relay=server1.example.com[private/dovecot-lmtp], delay=0.07, delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> wCqpOjmVyVF/agAANm01jw Saved)
      Jun 25 14:04:08 server1 dovecot: lmtp(27263): Disconnect from local: Client quit (in reset)
      Jun 25 14:04:08 server1 postfix/qmgr[6613]: 51B8367E0: removed


      Could it be vaguely related to?:-

      Subject: Postfix stable release 2.10.1 and legacy releases 2.9.7, 2.8.15, 2.7.14

      * Bugfix (introduced: Postfix 2.0): when myhostname is not listed
      in mydestination, the trivial-rewrite resolver may log "do not
      list in both mydestination and ". The fix is to re-resolve a
      domain-less address after adding $myhostname as the surrogate
      domain, so that it pops out with the right address-class label.
      Reported by Quanah Gibson-Mount.


      As instructed, neither do I have myhostname listed in mydestination.

      Comments?

      Cheers,
      --
      Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
    • Craig R. Skinner
      ... Viktor, you deleted/ignored the part where I stated that I d changed it: ... It s clear enough if you read what I wrote. ... That might be what you d like
      Message 37 of 37 , Jun 25, 2013
      • 0 Attachment
        On 2013-06-25 Tue 14:38 PM |, Viktor Dukhovni wrote:
        >
        > > Jun 25 14:04:08 server1 postfix/pickup[29023]: 51B8367E0: uid=7432 from=<admin-acct>
        > > Jun 25 14:04:08 server1 postfix/cleanup[154]: 51B8367E0: message-id=<20130625130408.51B8367E0@...>
        > > Jun 25 14:04:08 server1 postfix/qmgr[6613]: 51B8367E0: from=<server.admin@...>, size=389, nrcpt=1 (queue active)
        > > Jun 25 14:04:08 server1 postfix/trivial-rewrite[2958]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
        >
        > This configuration is not what you claim above, stop wasting the list's
        > time with misleading reports.

        Viktor, you deleted/ignored the part where I stated that I'd changed it:

        On 2013-06-25 Tue 14:53 PM |, Craig R. Skinner wrote:
        >
        > However, alias expansion does occur when I do the NAUGHTY thing of
        > including $mydomain in $mydestination.

        It's clear enough if you read what I wrote.

        >
        > > Jun 25 14:04:08 server1 postfix/lmtp[30743]: 51B8367E0: to=<admin-acct@...>, orig_to=<daemon>, relay=server1.example.com[private/dovecot-lmtp], delay=0.07, delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> wCqpOjmVyVF/agAANm01jw Saved)
        >
        > Were example.com in virtual_alias_domains, this message would have bounced.
        >

        That might be what you'd like to happen. I don't see Postfix acting that way.

        Here in more detail (deliberately including mydomain in mydestination):

        $ postconf \
        config_directory \
        alias_database \
        alias_maps \
        mydomain \
        myorigin \
        mydestination \
        virtual_alias_domains \
        virtual_alias_maps \
        mailbox_transport \
        sender_canonical_maps \
        masquerade_domains \
        remote_header_rewrite_domain \
        local_recipient_maps \
        mail_spool_directory \
        append_dot_mydomain \
        local_transport

        config_directory = /etc/postfix
        alias_database = btree:$config_directory/aliases
        alias_maps = $alias_database
        mydomain = example.com
        myorigin = $mydomain
        mydestination = localhost, localhost.$mydomain, $mydomain
        virtual_alias_domains = example.com
        virtual_alias_maps = btree:$config_directory/virtual_alias_maps.map
        mailbox_transport = lmtp:unix:private/dovecot-lmtp
        sender_canonical_maps = btree:$config_directory/canonical.map
        masquerade_domains = $virtual_alias_domains
        remote_header_rewrite_domain = address.invalid
        local_recipient_maps = proxy:unix:passwd.byname $alias_maps
        mail_spool_directory = /var/mail/
        append_dot_mydomain = yes
        local_transport = local:$myhostname

        $ postmap -q daemon btree:/etc/postfix/aliases
        root

        $ postmap -q root btree:/etc/postfix/aliases
        admin-acct

        $ postmap -q daemon btree:/etc/postfix/virtual_alias_maps.map
        [nothing]

        $ postmap -q root btree:/etc/postfix/virtual_alias_maps.map
        [nothing]

        $ postmap -q server.admin btree:/etc/postfix/virtual_alias_maps.map
        admin-acct@localhost


        $ uname | mail -s uname daemon
        Jun 25 19:39:03 server1 postfix/pickup[23791]: 46C026764: uid=7432 from=<admin-acct>
        Jun 25 19:39:03 server1 postfix/cleanup[4734]: 46C026764: message-id=<20130625183903.46C026764@...>
        Jun 25 19:39:03 server1 postfix/qmgr[7589]: 46C026764: from=<server.admin@...>, size=328, nrcpt=1 (queue active)
        Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
        Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
        Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
        Jun 25 19:39:03 server1 dovecot: lmtp(23729): Connect from local
        Jun 25 19:39:03 server1 dovecot: lmtp(23729, admin-acct): 6epMMMfjyVGxXAAANm01jw: sieve: msgid=<20130625183903.46C026764@...>: stored mail into mailbox 'INBOX'
        Jun 25 19:39:04 server1 postfix/lmtp[19198]: 46C026764: to=<admin-acct@...>, orig_to=<daemon>, relay=server1.example.com[private/dovecot-lmtp], delay=0.78, delays=0.14/0.07/0.39/0.19, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> 6epMMMfjyVGxXAAANm01jw Saved)
        Jun 25 19:39:04 server1 dovecot: lmtp(23729): Disconnect from local: Client quit (in reset)
        Jun 25 19:39:04 server1 postfix/qmgr[7589]: 46C026764: removed


        Log evidence of no bounce when the mydomain is both in mydestination &
        virtual_alias_domains. Also log evidence of aliases being parsed.


        > > Comments?
        >
        > 0. All address -> address mappings in virtual(5).
        >
        > 1. No address-> address mappings in aliases(5).
        >
        > 2. localhost and localhost.$mydomain only in mydestionation.
        >
        > 3. Your domain in virtual_alias_domains and myorigin.
        >
        > 4. In virtual(5) the LHS and RHS of all lookup keys include @domain:
        >
        > alias@... user@..., otheruser@...
        > user@... useracct@localhost
        > otheruser@... otheracct@localhost
        >
        > 5. Nothing in aliases(5) except aliases whose RHS is a ":include:" file
        > if you need that feature (mailing list manager integration).

        This is what I stated worked for me an earlier mail:

        On 2013-06-21 Fri 20:57 PM |, Craig R. Skinner wrote:
        >
        > Thanks Viktor, this set up works with making the machines domain name
        > virtual for Postfix, accepting mail for pretty addresses & rejecting
        > remote mail for MOST Unix accounts, while accepting local mail to Unix
        > accounts, IF listed as virtual aliases (mutt, sendmail, cron,....):
        >
        ..
        ..
        ..
        >
        > It seems the aliases file is not used. I've got root, postmaster,
        > abuse, hostmaster, etc. in virtual_alias_maps.map. Should the other
        > traditional aliases of MAILER-DAEMON, bin, dumper, etc. be in there
        > too?
        >

        On 2013-06-21 Fri 22:08 PM |, Jeroen Geilman wrote:
        > >It seems the aliases file is not used.
        >
        > Of course it is used, for any destinations in $mydestination.
        >

        On 2013-06-24 Mon 15:12 PM |, Craig R. Skinner wrote:
        >
        > Thanks winning team (& Dr. Seuss too) for the quality education.
        >
        > I'm about getting it now.
        >
        > This set up works:-
        >
        ...
        ...
        >
        > aliases:
        > [empty]
        >
        > virtual_alias_maps.map:
        > # example.com: ($myorigin)
        > # Re-mapped from aliases(5): # Are they all needed these days???
        > postmaster postmaster@localhost
        > abuse postmaster@...
        > root admin-acct@localhost
        > MAILER-DAEMON postmaster@...
        > bin root@...
        > daemon root@...
        > named hostmaster@...
        ...
        ...



        However, Wietse replied to a later email with:

        On 2013-06-22 Sat 17:10 PM |, Wietse Venema wrote:
        > I agree with Viktor's description:
        >
        ...
        ...
        >
        > # Legacy sendmail-style aliases:
        > /etc/aliases:
        > # Here, no @domain in LHS or RHS.
        > postmaster: unixaccount
        > abuse: unixaccount
        >

        Therefore I tried moving some 'traditional' aliases back from
        virtual_alias_maps into aliases to test -
        and that's where it all fell apart:-

        The summary I hear from Viktor: is 'put it all in virtual'
        And from Wietse effectively: 'plain aliases will still work'

        I'm confused because both situations do not work, unless
        mydomain is in mydestination, which Postfix complains about.

        I've accurately followed the mixed instructions & tested each.

        >
        > 6. Handle "| command" aliases via .forward files of a designated
        > account, rather than in the system aliases file.
        >
        > 7. Did I mention no address to address (or if you like account to
        > account, address to account, account to address, ...) mappings in
        > aliases(5)? Plase all of these in virtual(5).
        >

        Yes, see above.

        > 8. When testing, stop Postfix, check the configuration is what you want
        > to test and save "postconf -n" output. Start Postfix and run your
        > tests. Then report log entries that postdate the most recent Postfix
        > stop/start.
        >
        > 9. Don't tinker with the configuration mid-test and report logs that
        > don't match the reported configuration.
        >
        > 11. Yes local aliases(5) will still work when useracct@localhost is
        > processed by local(8), but best practice is to avoid user accounts as
        > lookup keys in /etc/aliases.

        OK. I'll forget that as useracct@localhost is rather unlikely.
        Either of these is more common day to day:
        *) useracct (from local processes)
        *) user.acct@... (via smtpd)

        >
        > 12. Local aliases(5) are not consulted when an address is missing
        > from virtual(5). If you send email to "missing@..." with
        > missing@... not listed in virtual(5), then having an entry of
        > the form "missing: user" in aliases(5) will not help. You must
        > include:
        >
        > missing@... missing@localhost
        >
        > for missing to then be looked up in aliases(5), but if
        > missing needs to be sent to a different user, you should
        > use virtual(5) for that! See 1 and 7 above. Basically,
        > in most cases aliases(5) can and should be empty.

        As I had before:

        On 2013-06-24 Mon 15:12 PM |, Craig R. Skinner wrote:
        >
        > aliases:
        > [empty]
        >



        >
        > 13. You can even set:
        >
        > alias_database =
        > alias_maps =
        >
        > and the question of whether aliases(5) lookups works becomes moot.
        > You'll only need aliases(5) for mailing list manager support, with
        > aliases(5) files that belong to the list manager account, so that
        > pipe commands there run under the correct account.
        >

        OK, that's all clear now.

        $ postmap -q daemon btree:/etc/postfix/aliases
        [nothing]
        $ postmap -q root btree:/etc/postfix/aliases
        [nothing]


        $ postmap -q daemon btree:/etc/postfix/virtual_alias_maps.map
        root@...

        $ postmap -q root btree:/etc/postfix/virtual_alias_maps.map
        admin-acct@localhost

        $ postconf \
        config_directory \
        alias_database \
        alias_maps \
        mydomain \
        myorigin \
        mydestination \
        virtual_alias_domains \
        virtual_alias_maps \
        mailbox_transport \
        sender_canonical_maps \
        masquerade_domains \
        remote_header_rewrite_domain \
        local_recipient_maps \
        mail_spool_directory \
        append_dot_mydomain \
        local_transport

        config_directory = /etc/postfix
        alias_database =
        alias_maps =
        mydomain = example.com
        myorigin = $mydomain
        mydestination = localhost, localhost.$mydomain
        virtual_alias_domains = example.com
        virtual_alias_maps = btree:$config_directory/virtual_alias_maps.map
        mailbox_transport = lmtp:unix:private/dovecot-lmtp
        sender_canonical_maps = btree:$config_directory/canonical.map
        masquerade_domains = $virtual_alias_domains
        remote_header_rewrite_domain = address.invalid
        local_recipient_maps = proxy:unix:passwd.byname $alias_maps
        mail_spool_directory = /var/mail/
        append_dot_mydomain = yes
        local_transport = local:$myhostname


        $ uname | mail -s uname daemon
        Jun 25 20:30:49 server1 postfix/pickup[9331]: B347067D2: uid=7432 from=<admin-acct>
        Jun 25 20:30:49 server1 postfix/cleanup[12470]: B347067D2: message-id=<20130625193049.B347067D2@...>
        Jun 25 20:30:49 server1 postfix/qmgr[27612]: B347067D2: from=<server.admin@...>, size=328, nrcpt=1 (queue active)
        Jun 25 20:30:50 server1 dovecot: lmtp(32687): Connect from local
        Jun 25 20:30:50 server1 dovecot: lmtp(32687, admin-acct): hheEDurvyVGvfwAANm01jw: sieve: msgid=<20130625193049.B347067D2@...>: stored mail into mailbox 'INBOX'
        Jun 25 20:30:50 server1 postfix/lmtp[8423]: B347067D2: to=<admin-acct@...>, orig_to=<daemon>, relay=server1.example.com[private/dovecot-lmtp], delay=0.78, delays=0.15/0.06/0.38/0.19, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> hheEDurvyVGvfwAANm01jw Saved)
        Jun 25 20:30:50 server1 dovecot: lmtp(32687): Disconnect from local: Client quit (in reset)
        Jun 25 20:30:50 server1 postfix/qmgr[27612]: B347067D2: removed

        $ uname | mail -s uname server.admin
        Jun 25 20:31:57 server1 postfix/pickup[9331]: 4FDA567D2: uid=7432 from=<admin-acct>
        Jun 25 20:31:57 server1 postfix/cleanup[12470]: 4FDA567D2: message-id=<20130625193157.4FDA567D2@...>
        Jun 25 20:31:57 server1 postfix/qmgr[27612]: 4FDA567D2: from=<server.admin@...>, size=329, nrcpt=1 (queue active)
        Jun 25 20:31:57 server1 dovecot: lmtp(15765): Connect from local
        Jun 25 20:31:57 server1 dovecot: lmtp(15765, admin-acct): qYkuGC3wyVGVPQAANm01jw: sieve: msgid=<20130625193157.4FDA567D2@...>: stored mail into mailbox 'INBOX'
        Jun 25 20:31:57 server1 postfix/lmtp[8423]: 4FDA567D2: to=<admin-acct@...>, orig_to=<server.admin>, relay=server1.example.com[private/dovecot-lmtp], delay=0.22, delays=0.02/0/0.06/0.13, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> qYkuGC3wyVGVPQAANm01jw Saved)
        Jun 25 20:31:57 server1 dovecot: lmtp(15765): Disconnect from local: Client quit (in reset)
        Jun 25 20:31:57 server1 postfix/qmgr[27612]: 4FDA567D2: removed


        $ uname | mail -s uname server.admin@...
        Jun 25 20:33:23 server1 postfix/pickup[9331]: 10DBA67D2: uid=7432 from=<admin-acct>
        Jun 25 20:33:23 server1 postfix/cleanup[12470]: 10DBA67D2: message-id=<20130625193323.10DBA67D2@...>
        Jun 25 20:33:23 server1 postfix/qmgr[27612]: 10DBA67D2: from=<server.admin@...>, size=329, nrcpt=1 (queue active)
        Jun 25 20:33:23 server1 dovecot: lmtp(9968): Connect from local
        Jun 25 20:33:23 server1 dovecot: lmtp(9968, admin-acct): 86tLCYPwyVHwJgAANm01jw: sieve: msgid=<20130625193323.10DBA67D2@...>: stored mail into mailbox 'INBOX'
        Jun 25 20:33:23 server1 postfix/lmtp[8423]: 10DBA67D2: to=<admin-acct@...>, orig_to=<server.admin@...>, relay=server1.example.com[private/dovecot-lmtp], delay=0.23, delays=0.03/0.01/0.07/0.13, dsn=2.0.0, status=sent (250 2.0.0 <admin-acct@...> 86tLCYPwyVHwJgAANm01jw Saved)
        Jun 25 20:33:23 server1 dovecot: lmtp(9968): Disconnect from local: Client quit (in reset)
        Jun 25 20:33:23 server1 postfix/qmgr[27612]: 10DBA67D2: removed

        It doesn't work with local mail to unix accounts, which I want.

        $ uname | mail -s uname admin-acct
        Jun 25 20:34:37 server1 postfix/pickup[9331]: DC92C67D2: uid=7432 from=<admin-acct>
        Jun 25 20:34:37 server1 postfix/cleanup[12470]: DC92C67D2: message-id=<20130625193437.DC92C67D2@...>
        Jun 25 20:34:37 server1 postfix/qmgr[27612]: DC92C67D2: from=<server.admin@...>, size=337, nrcpt=1 (queue active)
        Jun 25 20:34:38 server1 postfix/error[14142]: DC92C67D2: to=<admin-acct@...>, orig_to=<admin-acct>, relay=none, delay=0.17, delays=0.03/0.07/0/0.07, dsn=5.0.0, status=bounced (User unknown in virtual alias table)

        To solve that problem, I can replace
        sender_canonical_maps = btree:$config_directory/canonical.map
        with:
        canonical_maps = btree:$config_directory/canonical.map

        But then (naturally) smtpd also accepts remote mail for
        admin-acct@..., rather than just for server.admin@...

        Which can be controlled with Stan's idea of rejecting specific Unix
        accounts via smtpd_recipient_restrictions check_recipient_access
        reject_system_accounts.map.


        Thanks everyone for all your combined help,
        --
        Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
      Your message has been successfully submitted and would be delivered to recipients shortly.