Hello,
I have been setting up a new mail server for our organization, which has
different mail servers, one for each subdomain. The new server will take
over the whole organization using LDAP and Postfix/Dovecot, and things up
to now are looking (almost) nice.
However, I have this problem:
Currently, I have activated the new mail server (by configuring our
incoming mail gateway, which filters for spam/viruses) to receive mail
ONLY for the base domain, domain.com, and NOT for the subdomains
a.domain.com, b.domain.com (but we are planning to gradually migrate
all of the subdomains too, by simply adding the subdomains to the
virtual_mailbox_domains directive and configuring our mail gateway -
which is our MX for the mail domain and all subdomains - to deliver to
the new server rather than to the current mail servers of the
subdomains). But, although I have tried hard and read many articles, I
cannot stop Postfix on the new server from receiving email for the
subdomains as well. Of course, the problem occurs when the mail is
leaving from the new domain.com mail server - otherwise, when email
comes from our only point of entrance (our antispam/antivirus gateway),
emails reach the correct subdomain servers without problems (which is
natural).
I have even set the "parent_domain_matches_subdomains =" directive to
an empty value to avoid receiving for subdomains, but it didn't solve
the issue.
I have come to the conclusion that the problem is caused by aliases. So,
for example, I have defined in the LDAP alias tables (ldap-aliases.cf) that
userx (matched by %u) should be translated to uid userx (found by
ldap-users.cf), whose mail is both us...@domain.com AND
us...@a.domain.com (this has been done in anticipation of subdomain
consolidation to the same server, where both email addresses will work
in parallel and lead to the same mailbox). So, when I send mail to
us...@a.domain.com, this is matched in the alias tables with userx, which
in turn is then matched to us...@domain.com (I can see in the logs:
"to=<us...@domain.com>, orig_to=<us...@a.domain.com>, relay=virtual")
and is delivered locally. Instead, the Postfix server should have
understood from the very beginning that it is not responsible for
a.domain.com and should have relayed the email to the MX of
a.subdomain.com (whatever it is), without any processing whatsoever
(that is, before alias or other processing).
The MX for the destination (as seen by the Postfix machine) is correct (real IPs
- all are public - and domain names have been changed for obvious reasons):
# nslookup -q=MX a.domain.com
Server: 10.10.11.10
Address: 10.10.11.10#53
a.domain.com mail exchanger = 50 mail.a.domain.com.
a.domain.com mail exchanger = 10 mailgw.a.domain.com.
...and reachable:
# telnet mailgw.a.domain.com 25
Trying 10.10.11.12...
Connected to mailgw.a.domain.com (10.10.11.12).
Escape character is '^]'.
220 mailgw.a.domain.com ESMTP
So, what am I doing wrong? Or may it be a bug?
My installation is the package postfix-2.3.3-2.1.el5_2 on CentOS 5.5.
My configuration files follow (I have changed the real domain names, for
obvious reasons):
# postconf -n
alias_database = hash:/etc/postfix/aliases,
    hash:/etc/postfix/aliases.d/virtual_aliases,
    hash:/etc/postfix/aliases.d/sympa_aliases
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_header_rewrite_clients = static:all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.com
myhostname = mailer.domain.com
mynetworks = 10.10.10.0/24, 10.10.11.0/24, 10.10.12.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mykey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases,
    hash:/etc/postfix/aliases.d/virtual_aliases,
    hash:/etc/postfix/aliases.d/sympa_aliases,
    ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:500
# cat ldap-aliases.cf
server_host = ldaps://orgldap.domain.com
search_base = ou=Aliases, dc=domain, dc=com
version = 3
scope = sub
query_filter =
    (|(mailacceptinggeneralid=%u)(&(objectClass=nisMailAlias)(cn=%u)))
result_attribute = maildrop, uid
bind = yes
bind_dn = uid=systemuser,ou=System,dc=domain,dc=com
bind_pw = ***************
# cat ldap-users.cf
server_host = ldap://orgldap.domain.com
search_base = ou=people,dc=domain,dc=com
version = 3
query_filter = (mail=%s)
result_attribute = uid
result_format = %s/Maildir/
bind = yes
bind_dn = uid=systemuser,ou=System,dc=domain,dc=com
bind_pw = ***************
Thanks in advance for your help.
Nick Milas
Athens, Greece
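A small model of the lookup path described in the post, added here as an illustration (it is not code from the post or from Postfix): it shows why an ldap: virtual_alias_maps table keyed on %u (local part only) rewrites userx@a.domain.com to userx@domain.com before the domain class is ever consulted, and how keying on %s (the whole address) or setting the ldap_table(5) domain parameter keeps addresses outside domain.com out of the table. The ou=Aliases entry and the VIRTUAL_MAILBOX_DOMAINS value are constructed from the configuration shown above.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for ou=Aliases: the attribute the post's ldap-aliases.cf
# searches (mailacceptinggeneralid) and the one it returns (maildrop).
ALIAS_ENTRIES = [
    {"mailacceptinggeneralid": ["userx", "userx@domain.com"],
     "maildrop": ["userx@domain.com"]},
]
VIRTUAL_MAILBOX_DOMAINS = {"domain.com"}  # as in the post: only $mydomain

def expand(template, address):
    """Apply the ldap_table(5) substitutions %s (whole key), %u and %d."""
    local, _, domain = address.partition("@")
    return template.replace("%s", address).replace("%u", local).replace("%d", domain)

@dataclass
class LdapAliasTable:
    query_filter: str                 # e.g. "(mailacceptinggeneralid=%u)"
    domains: frozenset = frozenset()  # ldap_table(5) 'domain' parameter, if any

    def lookup(self, address):
        """Return the maildrop for address, or None if not eligible or not found."""
        # With 'domain' set, keys outside the listed domains are never queried.
        if self.domains and address.rpartition("@")[2] not in self.domains:
            return None
        attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)",
                                   expand(self.query_filter, address)).groups()
        for entry in ALIAS_ENTRIES:
            if value in entry.get(attr, []):
                return entry["maildrop"][0]
        return None

def route(address, table):
    """Return (to, orig_to, relay) as in the post's log line. Virtual alias
    rewriting runs for every recipient before the domain class is decided."""
    rewritten = table.lookup(address) or address
    relay = "virtual" if rewritten.rpartition("@")[2] in VIRTUAL_MAILBOX_DOMAINS else "smtp"
    return rewritten, address, relay

if __name__ == "__main__":
    for label, table in [
        ("%u, unrestricted", LdapAliasTable("(mailacceptinggeneralid=%u)")),
        ("%s", LdapAliasTable("(mailacceptinggeneralid=%s)")),
        ("%u + domain=domain.com", LdapAliasTable("(mailacceptinggeneralid=%u)",
                                                  frozenset({"domain.com"}))),
    ]:
        print(f"{label:24} {route('userx@a.domain.com', table)}")
```

Only the first table reproduces the "to=<userx@domain.com>, orig_to=<userx@a.domain.com>, relay=virtual" outcome from the post; the other two leave the a.domain.com recipient untouched so it falls through to the smtp transport and the remote MX.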