[pfx] Re: Postfix interaction between access map, .forward and aliases

Thu, 05 Jun 2025 22:10:16 -0700 

On Thu, Jun 05, 2025 at 03:57:12PM -0400, Paul Raines via Postfix-users wrote:

> As a quick fix for (1) I have changed the access map to use
> olduser@primary.domain instead of just olduser@ but that only works for that
> primary.domain. We have several secondary domains and I would have to list
> each one in the access map for each user which is less than ideal.
> I have no fix for (2) or (3)
> 
> In Postfix, what is the normal proper way to get any email sent to
> olduser@(any domain in mydestination) rejected including if it is in an
> alias or in a user ~/.forward

There is no general mechanism to recursively expand aliases before
access(5) rules are applied.  smtpd(8) access(5) checks are applied to
the original address received from the remote client.

When multiple varying over time aliases resolve (exclusively) to an
underlying undeliverable address, each would have to blocked explicitly.
The solution is to simply *delete* the dead aliases, and if desired for
some or all of the aliases and underlying user name add entries to the
relocated(5) table:

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        relocated_maps = ${indexed}relocated

    relocated:
        moe     an unknown forwarding address
        larry   an unknown forwarding address
        curly   an unknown forwarding address

Just deleting the alias will lead to a generic unknown address error.
For users still listed in /etc/passwd you need an explicit entry to
reject mail that would otherwise be delivered.

The relocated(5) table is searched by bare username precisely for
local domains:

    TABLE SEARCH ORDER
       With lookups from indexed files such as DB or DBM, or from
       networked tables such as NIS, LDAP or SQL, patterns are tried
       in the order as listed below:

       user@domain
              Matches user@domain. This form has precedence over all other
              forms.

       user   Matches user@site when site is $myorigin, when site is listed in
              $mydestination, or when site is listed in $inet_interfaces or
              $proxy_interfaces.

       @domain
              Matches other addresses in domain.  This form has the lowest
              precedence.

The enhanced message will be:

    5.1.6 User has moved to an unknown forwarding address

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to