On Fri, Nov 21, 2008 at 12:06:17PM -0800, Quanah Gibson-Mount wrote:

> [EMAIL PROTECTED] conf]$ grep ldap main.cf
> sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf

Don't use sender_canonical_maps. Use either canonical_maps or smtp_generic_maps as appropriate. Header recipients become "senders" (really addresses to reply-to) when Reply-All is used, so you really need to rewrite all addresses (sender and recipient) uniformly.

> virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
> virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
> virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
> virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
> transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
>
> The problem description I've been given is:
>
> We need a milter that validates RCPT To: content specifically for alias
> domains. Currently we automatically accept email for alias domains and
> then generate a bounce.

What is an "alias domain"? Do you have wildcard aliases in the virtual_alias_maps tables? DO NOT use these. They break recipient validation.

> This has the potential for backscatter abuse and
> we'd like to close this hole for hosed and still be able to offer alias
> domains without adding aliases to each account.

Add aliases to each account.

> The problem with alias
> domains is we define them as a catchall domain @aliasdomain.com so it
> automatically accepts the email for that domain and then does the rewrite
> to [EMAIL PROTECTED], if that user doesn't exist it bounces.

Add aliases to each account. Or define a set of domains that share the same namespace a single representative domain and use:

    domain = list of alias domains
    query = [EMAIL PROTECTED]

> We want the
> milter to reject at rcpt_to time instead of allowing the bounce. My guess
> is you'll have to insert it on smtp_recipient_restrictions as opposed to
> using the normal milter rules, which normally work on queued mail.

Why use a complex multi-threaded milter when a much simpler policy service will do? But, better yet, don't break recipient validation.

-- 
Viktor.
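The policy-service alternative mentioned in the reply above, as an added example that is not part of the original thread or of Postfix or Zimbra: a sketch of the Postfix policy delegation protocol that rejects unknown recipients in alias domains at RCPT TO time. The names `ALIAS_DOMAINS`, `MAILBOXES`, `parse_request`, `decide` and `serve` are hypothetical, and the two constructed tables stand in for the LDAP lookups a real deployment would make.

```python
import sys

# Constructed sample data (assumption): alias domain -> representative domain,
# and the set of mailboxes that really exist in the representative domain.
ALIAS_DOMAINS = {"alias.example": "primary.example"}
MAILBOXES = {"alice@primary.example", "bob@primary.example"}

def parse_request(stream):
    """Read one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\n")
        if not line:                      # blank line ends the request
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs or None                  # None signals end of input

def decide(attrs):
    """Return the access action for one RCPT TO request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    local, at, domain = attrs.get("recipient", "").lower().rpartition("@")
    primary = ALIAS_DOMAINS.get(domain)
    if not at or primary is None:
        return "DUNNO"                    # not an alias domain: no opinion
    if f"{local}@{primary}" in MAILBOXES:
        return "DUNNO"                    # valid recipient: let later rules decide
    # Unknown user: refuse during the SMTP dialogue so no bounce is generated.
    return "550 5.1.1 User unknown in alias domain"

def serve(inp, out):
    """Answer requests until the client closes the connection."""
    while (attrs := parse_request(inp)) is not None:
        out.write(f"action={decide(attrs)}\n\n")
        out.flush()

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Run under spawn(8), the service exchanges requests and replies with Postfix on stdin/stdout, and a `check_policy_service` entry in the recipient restrictions would consult it for each RCPT TO.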