On Sun, Mar 17, 2024 at 04:28:00PM -0700, Glenn Tenney via Postfix-users wrote:
> Are you saying that if I want "username1" at my local domain to be
> delivered to "user2" at my local domain, that that should be in the
> virtual table and not in aliases? That's a 1-to-1 rewrite, not a
> 1-to-many.
1-to-many includes 1-to-1 as a special case. And it does not matter
whether the domain is "local" or not, virtual(5) rewrites all recipient
addresses as each message is received.
https://www.postfix.org/OVERVIEW.html
https://www.postfix.org/ADDRESS_REWRITING_README.html
> I had thought that 1-to-many (e.g. email address "adiscussion" to be
> send to user a, user b, & user c) would be done in alises.
The virtual(5) table is an alias table, one that is used as messages
are received, before they enter the active queue, and are resolved
to a delivery transport. See:
https://www.postfix.org/ADDRESS_REWRITING_README.html
> But you're saying that 1-to-many should be done in virtual, but that
> "lists" would be in aliases. That's very very confusing to me as
> simple lists (without a listserver) would've seemed to be done via
> aliases.
No, only lists that need an owner-alias or use ":include:" syntax.
These are lists with a dynamic or large subscriber count, or that
forward out to remote recipients, and have a list owner-address, ...
> > Add "local.invalid local" to the transport(5) table, and rewrite
> > anything that needs local(8) delivery to mailbox@local.invalid.
>
> I honestly re-read the above sentence several times and have no clue
> what it means nor why to do it. "local.invalid" is not something I've
> come across.
It is a reserved domain name, (one of many) that you can use internally,
without clashing with *real domains*.
> In my reading previously, I had not come across "the transport(5)
> table" so, again, that'll take a while to understand.
See the OVERVIEW documentation, and read Patrick and Ralf's book.
The transport(5) table maps (mostly domains, but also optionally
user@domain) to a transport and optional nexthop.
> > The syntax of virtual(5) is documented in that manpage.
>
> There is NOTHING in there that I could find about how to say
> "user@somehosted.domain is to be rejected".
Precisely, so you can't use it to reject mail. That's what
access(5) is for, though transport(5) can also do that, by
mapping some addresses to the "error" transport, which will
also cause bounces when mail is submitted locally, while access(5) is
only used to reject SMTP recipients. See:
https://www.postfix.org/SMTPD_ACCESS_README.html
> Since that's what I've got
> in my sample "virtusertable" and in my comments, that is a specific
> need that I could not locate in postfix documentation of how to do it.
But you're looking at the problem from the wrong end, just asking for
magic recipes whose quality you cannot assess, because you've not
studied the available mechanisms. The more productive approach is
to take the time to understand all of
OVERVIEW
ADDRESS_REWRITING_README
VIRTUAL_README
> e.g. searching for the word "reject" or "error" is postfix.org is not
> helpful. Hence this query email. Once again, I thought that my
> situation and query was quite clear.
Start at: https://www.postfix.org/documentation.html
Read the various relevant tutorials.
> > This is not a rewrite, and so goes into the transport(5) table (also
> > see error(8)).
>
> It was not at all clear that "virtual" is used to rewrite only.
Linked from virtual(5):
The main applications of virtual aliasing are:
(https://www.postfix.org/ADDRESS_REWRITING_README.html#virtual)
o To redirect mail for one address to one or more addresses.
o To implement virtual alias domains where all addresses are
aliased to addresses in other domains.
> And as I said, there wasn't any clear "pointer" (i.e. no clue) of how
> in postfix to designate some email address to be rejected.
Start at documentation.html, then the sections under "SMTP Relay/access
control", and some of the ones that look relevant under "General
configuration" and any other sections.
> > See above, but transport and access(5) table entries don't use a leading
> > "@".
>
> My "comment" above from my virtusertable is: block all other email of
> a hosted domain, so again I thought that my query of what I wanted to
> do but did not know how to do it was clear...
See the access control docs, but also note that:
- In a virtual alias domain (if you configure any), all names not
mapped to some recipient in another domain are rejected.
- You can reject SMTP recipients via various restriction checks
that perform access(5) lookups against tables of your choice.
- You can route some recipients to the error(8) transport, and
this will also lead them to be rejected at SMTP time.
> If I have many lines in virtual mapping several email addresses for a
> hosted domain, then is it automatic that every other email address
> (not listed there) will be rejected?
Only for virtual alias domains, for other domains, you may need
a separate valid recipient table, see:
https://www.postfix.org/ADDRESS_CLASS_README.html
> > See above. Overall, read (and if unclear ask) about the functionality
> > and syntax of various Postfix features, rather than whether some random
> > Sendmail syntax does or does not translate directly to virtual(5).
>
> Honestly, when I wrote "send all email for a hosted domain to some
> other email somewhere", isn't that a clear question of "how do I do
> this"? I started this email with "I don't know how to do these things,
> but I've looked and looked and couldn't find how to do them".
Because you're looking to cargo-cult recipes, in lieu of understanding
the facilities at your disposal. The Sendmail virtuser table is an
amalgam of many features, which in Postfix are handled at different
layers, by separate tables. I am recommending understanding over
parroting. Perhaps someone else can help with parroting... :-(
> Is it roughly accurate to say that the LHS of a virtual entry will be
> rewritten to be the RHS of that virtual entry, AND THEN transport or
> access will process the rewritten recipient?
Almost, since access(5) happens first. The relevant components and
order of processing are explained in the OVERVIEW and
ADDRESS_REWRITING_README.
On Sun, Mar 17, 2024 at 07:52:46PM -0700, Glenn Tenney via Postfix-users wrote:
> > Once you what virtual(5) does (rewrite an input envelope recipient
> > address to one or more recipient addresses), your questions are
> > answered. Similar advice for transport(5), (various) access(5), ...
> > tables.
>
> I've read through the man pages for transport, access, and error and I
> do not see anything in any of them that would do anything that would
> take a recipient and reject it -- which is basically what all of the
> above comes down to.
The transport resolves a recipient to a delivery agent and nexthop.
The error(8) delivery agent is special, and recipients that route
there are also rejected during SMTP input, not just after queueing
(which would be a bounce). The access(5) table syntax is used in
various SMTP "restrictions", see:
https://www.postfix.org/SMTPD_ACCESS_README.html#lists
> TRANSPORT seems to allow only a domain name without a user@ portion on
> the LHS. This doesn't seem to apply to my query.
No, it also supports user@domain.
> ACCESS seems to allow only a domain name or IP (again, without a
> user@) on the LHS. This doesn't seem to apply to my query.
No, it also supports user@domain.
> As for ERROR, ok... it's a delivery agent that will return an error
> code (e.g. to bounce the incoming message), but.. how do I get
> "user@some.domain" to be delivered to the "error" agent?
By mapping a user to the error transport.
> In Postfix, how do I configure Postfix such that all email to
> "user@some.domain" will return an error code (e.g. 550 user unknown)
> to bounce that email????
Reject is always better than "bounce". The anwer is to use
"check_recipient_access" against a suitable access(5) table of your
choice. But, you can also bounce if the recipient is submitted locally
or results from a rewrite, and for that you need the error(8) transport.
But even better, is to not include the invalid recipient in either the
valid recipient list of the domain's address class or in the virtual(5)
alias table. More details are in the docs.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
