On Tue Aug 17 17:25, mouss sent:
> On 17/08/2010 15:03, Douglas Maus wrote:
>> How do the domains specified in "virtual_mailbox_domains" in main.cf
>> and the "domain" parameter in an LDAP table configuration
>> differ and interact?
>
>virtual_mailbox_domains is a postfix parameter that states which domains
>are to be "virtual mailbox domains", that is:
>- postfix accepts to relay to these domains from any client
>- address validation uses virtual_mailbox_maps
>- the default transport is "virtual"

(more below)
but very quickly, as an example to help me understand:
if virtual_mailbox_domain = abc.org
and mail is presented with intended recipient 'j...@abc.org',
then postfix will try address validation with virtual_mailbox_maps, correct?
but if mail is presented with intended recipient 'j...@def.org',
then postfix should _not_ even do a lookup against virtual_mailbox_maps?

Is that the point of virtual_mailbox_domains - for postfix to say it might
accept mail to users at these domains (depending further on
virtual_mailbox_maps), but other domains that are not in this list are
completely rejected, and virtual_mailbox_maps is not even attempted?
Or am I missing some subtlety here?

>parameters in the ldap config file are a completely different thing:
>they specify how the ldap query should be performed. this doesn't say
>anything about how the result will be used (postfix can use ldap for a
>lot of different things, that have nothing to do with virtual mailboxes).
>
>> [snip]
>>
>> What I'd like to understand is the nuance of what
>> the main.cf parameter "virtual_mailbox_domains"
>> really means, and why it didn't restrict the domain
>> for virtual lookups.
>
>
>your last question is unclear. virtual_mailbox_domains doesn't restrict
>anything. it specifies the list of domains that are to be delivered via
>"virtual" (and by default, postfix will accept mail to these domains
>from any client + postfix will use virtual_mailbox_maps to validate
>addresses in such domains).
>
>relay control is performed by smtpd_recipient_restrictions. by default:
>- postfix accepts relay from mynetworks (permit_mynetworks)
>- postfix accepts mail to domains listed in: mydestination,
>relay_domains, virtual_mailbox_domains and virtual_alias_domains
>- mail to other domains is rejected (reject_unauth_destination)
>
>
>Please take a look at the welcome message you got when you subscribed.
>if you lost it, it talked about reading
>    http://www.postfix.org/DEBUG_README.html
>and in particular:
>    http://www.postfix.org/DEBUG_README.html#mail
>the goal of this isn't to annoy you. the goal is to maximize your
>chances of getting help quickly and efficiently; as well as to enhance
>the docs.

Thank you for replying.
I would like to understand - I gather that my post was unclear
and did not conform to expected problem reports.
I had hoped to strike a balance between concise and detailed.
My apologies. I will try again.
If I have omitted something important, please let me know specifically.

So, trying to follow the guideline of
http://www.postfix.org/DEBUG_README.html#mail

My summary is:
I intend to set up postfix to accept mail for non-UNIX mailboxes
but with the same domain as my server, using LDAP for the account storage.
The setup I have is correctly accepting mail to LDAP valid users at my
domain, but is also accepting and trying to relay email where the username
part matches a valid virtual username at my domain, but the domain is
foreign.
I will try to provide details of my setup and documentation of the
problematic relaying.

My server is www.example.org,
I want to accept mail for dm...@example.org,
where dmaus is not a UNIX account, but present in LDAP.

I have tried to follow
http://www.postfix.org/VIRTUAL_README.html#virtual_mailbox
and really only changed/modified the 'virtual_mailbox_' parameters
from their default (OpenBSD) settings.

My main.cf - formatted using postconf -n:
-----------------------------------
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix/html
inet_protocols = all
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
unknown_local_recipient_reject_code = 550
virtual_gid_maps = static:600
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = example.org
virtual_mailbox_maps = ldap:/etc/postfix/vmailbox_ldap.cf
virtual_minimum_uid = 600
virtual_uid_maps = static:600
-----------------------------------

postfinger output is:

postfinger - postfix configuration on Tue Aug 17 23:35:06 EDT 2010
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public. If this is the case it is your responsibility to modify
the output to hide this private information. [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 2.6.5
hostname = www.example.org
uname = OpenBSD www.example.org 4.7 GENERIC.MP#449 i386

--Packaging information--

--main.cf non-default parameters--
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
html_directory = /usr/local/share/doc/postfix/html
inet_protocols = all
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
newaliases_path = /usr/local/sbin/newaliases
readme_directory = /usr/local/share/doc/postfix/readme
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
virtual_gid_maps = static:600
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = example.org
virtual_mailbox_maps = ldap:/etc/postfix/vmailbox_ldap.cf
virtual_minimum_uid = 600
virtual_uid_maps = static:600

--master.cf--
smtp       inet  n  -  -  -      -  smtpd
pickup     fifo  n  -  -  60     1  pickup
cleanup    unix  n  -  -  -      0  cleanup
qmgr       fifo  n  -  -  300    1  qmgr
tlsmgr     unix  -  -  -  1000?  1  tlsmgr
rewrite    unix  -  -  -  -      -  trivial-rewrite
bounce     unix  -  -  -  -      0  bounce
defer      unix  -  -  -  -      0  bounce
trace      unix  -  -  -  -      0  bounce
verify     unix  -  -  -  -      1  verify
flush      unix  n  -  -  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  -  -      -  smtp
relay      unix  -  -  -  -      -  smtp
        -o smtp_fallback_relay=
showq      unix  n  -  -  -      -  showq
error      unix  -  -  -  -      -  error
retry      unix  -  -  -  -      -  error
discard    unix  -  -  -  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  -  -      -  lmtp
anvil      unix  -  -  -  -      1  anvil
scache     unix  -  -  -  -      1  scache

-- end of postfinger output --

At this point, I would like to inquire about the warning in
http://www.postfix.org/VIRTUAL_README.html
"NEVER list a virtual MAILBOX domain name as a mydestination domain!"
I am confused about the directionality of this instruction.
Does this mean I am free to specify a virtual_mailbox_domain,
but I should not then change the 'mydestination' from its default
to include this same domain?
How does this apply when I haven't changed 'mydestination'
and it has just its default value?
Or is it bidirectional: the same domain should never be in both lists?
What does this mean when you are trying to set up virtual mailboxes
where the localhost is "www.example.org" and the (non-UNIX) user
is desired to be "dm...@example.org"?
I suspect that mydestination includes example.org,
so should I not put my domain again in virtual_mailbox_domain?
The documentation at http://www.postfix.org/VIRTUAL_README.html
does not treat this case - I guess it would be called
"virtual mailbox, shared domains, non-UNIX accounts"
What would be the detrimental effect of having
a localhost www.example.org
and virtual_mailbox_domains = example.org ?

moving on:
my /etc/postfix/vmailbox_ldap.cf is (verbatim):
-----------------------------------
server_host = localhost
version = 3
bind = no
search_base = ou=accounts,dc=example,dc=org
query_filter = (&(objectClass=posixAccount)(uid=%u))
result_attribute = uid
result_format = %s/mail/inbox
-----------------------------------

Testing with
#postmap -q "dm...@example.org" ldap:/etc/postfix/vmailbox_ldap.cf
yields:
dmaus/mail/inbox

Now, further testing: something I didn't expect is
#postmap -q "dm...@another.org" ldap:/etc/postfix/vmailbox_ldap.cf
also yields:
dmaus/mail/inbox

I supposed this just reflects that the postmap lookup uses a query_filter
which does not say anything about domain, just the username portion (%u),
so it matches the 'dmaus'.
But I still hoped that main.cf
virtual_mailbox_domains = example.org
would tell Postfix to reject any mail for recipients with domain _other_
than example.org

Further testing:
when I connected to Postfix SMTP
--------------------------------
$ telnet www.example.org 25
Trying 216.254.76.100...
Connected to www.example.org.
Escape character is '^]'.
220 www.example.org ESMTP Postfix
HELO speakeasy.net
250 www.example.org
MAIL FROM: r...@another.org
250 2.1.0 Ok
RCPT TO: dm...@another.org
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: r...@another.org
To: dm...@another.org
Subject: Testing
This is a test message.
.
250 2.0.0 Ok: queued as A220546F8C9
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
----------------------------------

Postfix seemed to accept the email to dm...@another.org
and the maillog shows it trying to relay it to another.org
-----------------------------------
Aug 17 23:02:33 www postfix/smtpd[23997]: connect from dsl254-076-015.nyc1.dsl.speakeasy.net[216.254.76.15]
Aug 17 23:03:03 www postfix/smtpd[23997]: A220546F8C9: client=dsl254-076-015.nyc1.dsl.speakeasy.net[216.254.76.15]
Aug 17 23:03:36 www postfix/cleanup[14440]: A220546F8C9: message-id=<>
Aug 17 23:03:36 www postfix/qmgr[24284]: A220546F8C9: from=<r...@another.org>, size=305, nrcpt=1 (queue active)
Aug 17 23:03:36 www postfix/smtp[26470]: connect to another.org[2620:0:2d0:200::10]:25: No route to host
Aug 17 23:03:37 www postfix/smtpd[23997]: disconnect from dsl254-076-015.nyc1.dsl.speakeasy.net[216.254.76.15]
Aug 17 23:03:54 www postfix/smtp[26470]: connect to another.org[192.0.32.10]:25: Connection refused
Aug 17 23:03:54 www postfix/smtp[26470]: A220546F8C9: to=<dm...@another.org>, relay=none, delay=61, delays=43/0.02/18/0, dsn=4.4.1, status=deferred (connect to another.org[192.0.32.10]:25: Connection refused)
-----------------------------------

From my limited understanding, the possible problems I can guess at are:
1. I am still not understanding what virtual_mailbox_domains does
2. My LDAP query is unusual in only using %u, or some other aspect
or some other error I am not seeing.

Thank you for your attention.
Sincerely.
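
Added example, not part of the original message and not Postfix code: a simplified Python model of the default recipient checks listed in the quoted reply and of the %u-only LDAP map, showing how a recipient at a foreign domain is handled for a client inside and outside mynetworks. The user jdoe, the outside client 192.0.2.50 and the /24 mynetworks (the post does not show mynetworks or the netmask) are assumptions, and the decision strings are labels, not Postfix's reply text.

```python
import ipaddress

# virtual_mailbox_domains is from the post's main.cf. MYNETWORKS is an
# assumption: the post does not show it, so a /24 around the server is used.
VIRTUAL_MAILBOX_DOMAINS = {"example.org"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "216.254.76.0/24")]
LDAP_UIDS = {"jdoe"}  # constructed stand-in for ou=accounts,dc=example,dc=org


def ldap_map_lookup(key, domain=None):
    """Model of vmailbox_ldap.cf: the filter matches uid=%u only and the
    result is formatted as %s/mail/inbox. `domain` models the LDAP table's
    optional "domain" setting, which skips keys outside the listed domains."""
    localpart, _, key_domain = key.partition("@")
    if domain is not None and key_domain.lower() not in domain:
        return None  # the key never reaches the directory
    return f"{localpart}/mail/inbox" if localpart in LDAP_UIDS else None


def rcpt_decision(client_ip, rcpt, map_domain=None):
    """Simplified default order: permit_mynetworks, reject_unauth_destination,
    then recipient validation, which applies only to virtual mailbox domains."""
    rcpt_domain = rcpt.rpartition("@")[2].lower()
    is_virtual = rcpt_domain in VIRTUAL_MAILBOX_DOMAINS
    trusted = any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS)
    if not trusted and not is_virtual:
        return "reject: relay access denied"
    if not is_virtual:
        return "accept: relay via smtp (client in mynetworks)"
    # virtual_mailbox_maps is consulted only for this address class
    if ldap_map_lookup(rcpt, map_domain) is None:
        return "reject: unknown virtual mailbox user"
    return "accept: deliver via virtual"


if __name__ == "__main__":
    for ip, rcpt in [("216.254.76.15", "jdoe@another.org"),
                     ("192.0.2.50", "jdoe@another.org"),
                     ("192.0.2.50", "jdoe@example.org"),
                     ("192.0.2.50", "nobody@example.org")]:
        print(f"{ip:15} {rcpt:20} {rcpt_decision(ip, rcpt)}")
    print(ldap_map_lookup("jdoe@another.org"))
    print(ldap_map_lookup("jdoe@another.org", domain={"example.org"}))
```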