
smtpd access checks without checking virtual_alias_maps - howto ?

  • uffe
    Message 1 of 7 , Jun 17, 2014
      Hi,

      I'm trying to configure postfix to perform smtpd access checks -
      specifically recipient check/restrictions - but without having it consult
      its virtual_alias_maps.

      I'm heavily depending on catchall constructions in virtual_aliases for
      further "virtual routing"
      The catchall constructs in my virtual_alias_maps seem to break all recipient
      checks/restriction for me.

      Can anyone come up with a way (configuration) for smtpd to check for valid
      recipients in a map - and keep it away from looking into virtual_alias_maps
      while performing recipient validation ?

      BTW I really miss a doc/drawing - explaining the order of smtpd access
      checks in respect to virtual_alias_maps lookups - any pointers ?

      Thanks in advance

      /Uffe




      --
      View this message in context: http://postfix.1071664.n5.nabble.com/smtpd-access-checks-without-checking-virtual-alias-maps-howto-tp68634.html
      Sent from the Postfix Users mailing list archive at Nabble.com.
    • Noel Jones
      Message 2 of 7 , Jun 17, 2014
        On 6/17/2014 3:48 PM, uffe wrote:
        > Hi,
        >
        > I'm trying to configure postfix to perform smtpd access checks -
        > specifically recipient check/restrictions - but without having it consult
        > its virtual_alias_maps.
        >
        > I'm heavily depending on catchall constructions in virtual_aliases for
        > further "virtual routing"
        > The catchall constructs in my virtual_alias_maps seem to break all recipient
        > checks/restriction for me.

        Yes, this is a known limitation of catchalls, and a very good reason
        to avoid them.

        >
        > Can anyone come up with a way (configuration) for smtpd to check for valid
        > recipients in a map - and keep it away from looking into virtual_alias_maps
        > while performing recipient validation ?

        You can use a check_recipient_access map and then reject any local
        recipient not listed in the map. But if you already have a map,
        seems like you could eliminate the troublesome catchall without
        resorting to oddball hacks.

        Something like:
        main.cf:
        ## do this in sender checks to not become an open relay
        smtpd_sender_restrictions =
          check_recipient_access hash:/etc/postfix/valid_recipients
          check_recipient_access regexp:/etc/postfix/reject_all_local.regexp

        # valid_recipients
        ## list all valid recipients here
        user1@... OK
        user2@... OK
        ...

        # reject_all_local.regexp
        ## valid recipients already permitted, so only invalid are left.
        /@example\.com$/ REJECT unknown recipient


        If there aren't too many valid recipients, you can do the whole
        thing in a single regexp file with the last entry as the default
        REJECT, but the syntax and scaling is easier with indexed tables.


        >
        > BTW I really miss a doc/drawing - explaining the order of smtpd access
        > checks in respect to virtual_alias_maps lookups - any pointers ?

        http://www.postfix.org/OVERVIEW.html




        -- Noel Jones
      • Viktor Dukhovni
        Message 3 of 7 , Jun 17, 2014
          On Tue, Jun 17, 2014 at 01:48:49PM -0700, uffe wrote:

          > I'm trying to configure postfix to perform smtpd access checks -
          > specifically recipient check/restrictions - but without having it consult
          > its virtual_alias_maps.

          Sorry, that's not possible. The SMTP server will use whatever
          virtual(5) aliases it is configured with to validate input recipients.

          > Can anyone come up with a way (configuration) for smtpd to check for valid
          > recipients in a map - and keep it away from looking into virtual_alias_maps
          > while performing recipient validation ?

          Define virtual alias maps for smtpd(8) to look at a different set of
          tables than cleanup(8).


          > BTW I really miss a doc/drawing - explaining the order of smtpd access
          > checks in respect to virtual_alias_maps lookups - any pointers ?

          http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient
          http://www.postfix.org/postconf.5.html#reject_unlisted_recipient

          --
          Viktor.
        • Uffe Jakobsen
          Message 4 of 7 , Jun 17, 2014
            On 2014-06-17 23:18, Noel Jones wrote:
            > On 6/17/2014 3:48 PM, uffe wrote:
            >> Hi,
            >>
            >> I'm trying to configure postfix to perform smtpd access checks -
            >> specifically recipient check/restrictions - but without having it consult
            >> its virtual_alias_maps.
            >>
            >> I'm heavily depending on catchall constructions in virtual_aliases for
            >> further "virtual routing"
            >> The catchall constructs in my virtual_alias_maps seem to break all recipient
            >> checks/restriction for me.
            >
            > Yes, this is a known limitation of catchalls, and a very good reason
            > to avoid them.

            damn it would be nice with another (new) set of virtual_route_aliases
            that would not be considered before the email was accepted by smtpd.

            >
            >>
            >> Can anyone come up with a way (configuration) for smtpd to check for valid
            >> recipients in a map - and keep it away from looking into virtual_alias_maps
            >> while performing recipient validation ?
            >
            > You can use a check_recipient_access map and then reject any local
            > recipient not listed in the map. But if you already have a map,
            > seems like you could eliminate the troublesome catchall without
            > resorting to oddball hacks.
            >
            > Something like:
            > main.cf:
            > ## do this in sender checks to not become an open relay
            > smtpd_sender_restrictions =
            >   check_recipient_access hash:/etc/postfix/valid_recipients
            >   check_recipient_access regexp:/etc/postfix/reject_all_local.regexp
            >
            > # valid_recipients
            > ## list all valid recipients here
            > user1@... OK
            > user2@... OK
            > ...
            >
            > # reject_all_local.regexp
            > ## valid recipients already permitted, so only invalid are left.
            > /@example\.com$/ REJECT unknown recipient
            >
            >
            > If there aren't too many valid recipients, you can do the whole
            > thing in a single regexp file with the last entry as the default
            > REJECT, but the syntax and scaling is easier with indexed tables.
            >
            >

            Ok will need to do some testing - unfortunately my setup is not straight
            forward simple - lots of domains etc.

            Thanks

            /Uffe
          • Uffe Jakobsen
            Message 5 of 7 , Jun 17, 2014
              On 2014-06-17 23:21, Viktor Dukhovni wrote:
              > On Tue, Jun 17, 2014 at 01:48:49PM -0700, uffe wrote:
              >
              >> I'm trying to configure postfix to perform smtpd access checks -
              >> specifically recipient check/restrictions - but without having it consult
              >> its virtual_alias_maps.
              >
              > Sorry, that's not possible. The SMTP server will use whatever
              > virtual(5) aliases it is configured with to validate input recipients.
              >

              damn, qmail could do this stuff out-of-the-box.

              To me it would make sense to have virtual_routing_alias_maps that would
              be evaluated after smtpd checks.

              >> Can anyone come up with a way (configuration) for smtpd to check for valid
              >> recipients in a map - and keep it away from looking into virtual_alias_maps
              >> while performing recipient validation ?
              >
              > Define virtual alias maps for smtpd(8) to look at a different set of
              > tables than cleanup(8).
              >

              By this I guess you mean compiling a home made postfix with the above
              changes ?


              Thanks for your feedback

              /Uffe
            • Viktor Dukhovni
              Message 6 of 7 , Jun 17, 2014
                On Wed, Jun 18, 2014 at 12:00:03AM +0200, Uffe Jakobsen wrote:

                > >Sorry, that's not possible. The SMTP server will use whatever
                > >virtual(5) aliases it is configured with to validate input recipients.
                >
                > damn, qmail could do this stuff out-of-the-box.
                >
                > To me it would make sense to have virtual_routing_alias_maps that would be
                > evaluated after smtpd checks.

                No, see below.

                > >>Can anyone come up with a way (configuration) for smtpd to check for valid
                > >>recipients in a map - and keep it away from looking into virtual_alias_maps
                > >>while performing recipient validation ?
                > >
                > >Define virtual alias maps for smtpd(8) to look at a different set of
                > >tables than cleanup(8).
                >
                > By this I guess you mean compiling a home made postfix with the above
                > changes ?

                No, I mean a master.cf override:

                main.cf:
                smtpd_valias_maps = ...

                master.cf:
                smtp inet ... smtpd
                  -o virtual_alias_maps=$smtpd_valias_maps

                Actual rewriting is done by cleanup(8). At this time, the Postfix
                SMTP server (aka smtpd(8)) *only* uses virtual_alias_maps for
                recipient validation, not for rewriting. Note this may change in
                some future release.

                --
                Viktor.
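
Added example, not part of the original thread and not Postfix code: a simplified Python model of the recipient validation discussed above, showing why a catchall key makes every address count as listed and how a separate smtpd-only table restores rejection. The example.com addresses, table contents and function names are constructed for illustration.

```python
# Added illustration, not Postfix source code. Simplified model: only the
# user@domain and @domain lookups of virtual(5) are modelled, the domain is
# assumed to be in virtual_alias_domains, and continuation lines are ignored.

# Constructed table as seen by cleanup(8): catchall used for routing.
CLEANUP_VIRTUAL = """\
sales@example.com   sales-team@backend.example.net
@example.com        router@backend.example.net
"""

# Constructed table handed to smtpd(8) through the master.cf override
# (-o virtual_alias_maps=$smtpd_valias_maps): valid recipients only.
SMTPD_VALIAS = """\
sales@example.com   sales@example.com
info@example.com    info@example.com
"""


def parse_table(text):
    """Parse 'key value' lines, skipping blank lines and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def catchall_keys(table):
    """Keys of the form @domain, which match every address in that domain."""
    return sorted(k for k in table if k.startswith("@"))


def is_listed(rcpt, table):
    """True if the table matches rcpt by full address or by @domain catchall."""
    rcpt = rcpt.lower()
    return rcpt in table or "@" + rcpt.rpartition("@")[2] in table


def compare(rcpts):
    """Return {rcpt: (listed with shared table, listed with smtpd-only table)}."""
    shared, split = parse_table(CLEANUP_VIRTUAL), parse_table(SMTPD_VALIAS)
    return {r: (is_listed(r, shared), is_listed(r, split)) for r in rcpts}


if __name__ == "__main__":
    for rcpt, result in compare(["sales@example.com", "nosuchuser@example.com"]).items():
        print(rcpt, "shared table: %s, smtpd-only table: %s" % result)
```
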
              • Uffe Jakobsen
                Message 7 of 7 , Jun 17, 2014
                  On 2014-06-18 00:08, Viktor Dukhovni wrote:
                  > On Wed, Jun 18, 2014 at 12:00:03AM +0200, Uffe Jakobsen wrote:
                  >
                  >>>> Can anyone come up with a way (configuration) for smtpd to check for valid
                  >>>> recipients in a map - and keep it away from looking into virtual_alias_maps
                  >>>> while performing recipient validation ?
                  >>>
                  >>> Define virtual alias maps for smtpd(8) to look at a different set of
                  >>> tables than cleanup(8).
                  >>
                  >> By this I guess you mean compiling a home made postfix with the above
                  >> changes ?
                  >
                  > No, I mean a master.cf override:
                  >
                  > main.cf:
                  > smtpd_valias_maps = ...
                  >
                  > master.cf:
                  > smtp inet ... smtpd
                  >   -o virtual_alias_maps=$smtpd_valias_maps
                  >
                  > Actual rewriting is done by cleanup(8). At this time, the Postfix
                  > SMTP server (aka smtpd(8)) *only* uses virtual_alias_maps for
                  > recipient validation, not for rewriting. Note this may change in
                  > some future release.
                  >

                  Aha I see - what a fantastic suggestion !!!

                  I just implemented a setup similar to your suggestion - and now postfix
                  works just the way that I was looking for.

                  Viktor - you just saved my day - and I just learned a little more about
                  postfix :-)

                  Thanks :-)

                  /Uffe