On Monday 21 November 2011 23:22:00 Alex wrote:
> I have a postfix-2.8 server running on fedora15 with a few virtual
> domains, and can't figure out how one of my domains is listed
> twice.
> 
> Nov 22 00:07:46 portal postfix/trivial-rewrite[26271]: warning: do
> not list domain example.com in BOTH virtual_alias_domains and
> relay_domains
> 
> I thought I could include my postfinger output here to try and
> troubleshoot this. I also have the following virtual map:
> 
> example.com       VIRTUALDOMAIN
> cyril.thorn...@example.com        thorntc
> brain.morris...@example.com     morrisb
> sharon.zap...@example.com zapatas
> diane.merr...@example.com merrald
> swapna.maree...@example.com       mareeds
> luis.co...@example.com    colonl

You're using the default setting of virtual_alias_domains = 
$virtual_alias_maps, so there you have defined example.com as a 
virtual alias domain.

You're also using unqualified addresses as the targets, therefore 
you're relying on $myorigin, for which you are using the default. 
Generally myorigin is too important. I always set it explicitly. And 
in maps I always use complete addresses, so there can be no surprises 
such as if $myorigin is changed.

  example.com       VIRTUALDOMAIN
  cyril.thorn...@example.com        thorntc@localhost
  ...

and then include "localhost,localhost.$mydomain" in mydestination.

> Is the solution to just remove $mydestination from $relay_domains?

If not using relay domains, unset it. "relay_domains = $mydestination" 
was an old compatibility hack. You don't need it.

> I also have the following transport:
> 
> example.com       local:
> .example.com      local:
> 
> Without it, there was an apparent mail loop.

My suggestion as shown above fixes this problem.

> postfinger - postfix configuration on Mon Nov 21 23:55:45 EST 2011
> version: 1.30
> 
> --System Parameters--
> mail_version = 2.8.5
> hostname = portal.example.com
> uname = Linux portal.example.com 2.6.41.1-1.fc15.x86_64 #1 SMP Fri
> Nov 11 21:36:28 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
> 
> --Packaging information--
> looks like this postfix comes from RPM package:
> postfix-2.8.5-1.fc15.x86_64
> 
> --main.cf non-default parameters--
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> allow_mail_to_files = alias,forward
> always_bcc = bcc-user
> biff = no
> body_checks = regexp:/etc/postfix/body_checks.pcre
> bounce_queue_lifetime = 2d
> content_filter = smtp-amavis:[127.0.0.1]:10024
> default_process_limit = 140
> delay_warning_time = 4h
> disable_vrfy_command = yes
> header_checks =
> pcre:/etc/postfix/header_checks.pcre
> pcre:/etc/postfix/header_checks-jimsun.pcre
> initial_destination_concurrency = 20
> mailbox_command = /usr/bin/procmail

Are you sure you want this? Take it out if not.

> mailbox_size_limit = 821200000
> manpage_directory = /usr/share/man
> maximal_queue_lifetime = 2d
> message_size_limit = 50240000
> mime_header_checks = pcre:/etc/postfix/mime_header_checks
> mydestination = $myhostname, localhost.$mydomain

myhostname isn't set? Why not? Linuxen sometimes have problems in 
figuring out their hostname, and a setting as important as that needs 
to be explicitly set.

> mynetworks = 127.0.0.0/8, 192.168.1.0/24, 68.XXX.YYY.40/29,
> 64.XXX.YYY.0/27, 66.XXX.YYY.96/28, 204.XXX.YYY.0/24
> postscreen_access_list = permit_mynetworks,
> cidr:/etc/postfix/postscreen_access.cidr
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*2   bl.spamcop.net*1
> b.barracudacentral.org*1
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = enforce
> rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
> readme_directory = /usr/share/doc/postfix-2.8.5/README_FILES
> relay_domains = $mydestination, $transport_maps

This is dangerous, in the case that you eventually need (or think you 
need) a special transport to an external domain. Oops, that domain is 
now in your relay_domains! Just unset this.

> sample_directory = /usr/share/doc/postfix-2.8.5/samples
> smtpd_authorized_xforward_hosts = $mynetworks
> smtpd_client_restrictions = check_client_access
> cidr:/etc/postfix/sinokorea.cidr, check_client_access
> cidr:/etc/postfix/asian-ip5.txt
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
> check_client_access hash:/etc/postfix/client_checks_special,
> check_sender_access hash:/etc/postfix/sender_checks_special,

Access lookups here before reject_unauth_destination are dangerous, 
because an OK/permit result allows relaying.

http://www.postfix.org/SMTPD_ACCESS_README.html#danger

> reject_non_fqdn_sender, permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_invalid_helo_hostname, check_recipient_access
> pcre:/etc/postfix/relay_recips_ecartis, check_client_access
> hash:/etc/postfix/client_checks, check_sender_access
> hash:/etc/postfix/sender_checks, check_recipient_access
> pcre:/etc/postfix/relay_recips_access, reject_rbl_client
> zen.spamhaus.org,     reject_rbl_client psbl.surriel.com, permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
> btree:/var/lib/postfix/smtpd_tls_session_cache
> smtp_send_xforward_command = yes

Why is this here? Generally this should only be set as an -o override 
setting in master.cf for a special smtp(8) transport(5), such as you 
did below for smtp-amavis. Take it out.


> smtp_tls_CAfile = /etc/pki/tls/cacert.pem
> smtp_use_tls = yes
> transport_maps = hash:/etc/postfix/transport

Again, you won't need this, take it out. This was what put your domain 
in relay_domains, and my solution of using user@localhost as virtual 
alias targets makes your transport hack unnecessary.

> virtual_alias_maps = hash:/etc/postfix/virtual
> 
> --master.cf--
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver
> -f ${sender} -d ${recipient} -a "${RECIPIENT}"
> pickup    fifo  n       -       n       60      1       pickup
> cleanup   unix  n       -       n       -       0       cleanup
> qmgr      fifo  n       -       n       300     1       qmgr
> tlsmgr    unix  -       -       n       1000?   1       tlsmgr
> rewrite   unix  -       -       n       -       -       trivial-rewrite
> bounce    unix  -       -       n       -       0       bounce
> defer     unix  -       -       n       -       0       bounce
> trace     unix  -       -       n       -       0       bounce
> verify    unix  -       -       n       -       1       verify
> flush     unix  n       -       n       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> proxywrite unix -       -       n       -       1       proxymap
> smtp      unix  -       -       n       -       -       smtp
> relay     unix  -       -       n       -       -       smtp
> -o smtp_fallback_relay=
> showq     unix  n       -       n       -       -       showq
> error     unix  -       -       n       -       -       error
> retry     unix  -       -       n       -       -       error
> discard   unix  -       -       n       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> anvil     unix  -       -       n       -       1       anvil
> scache    unix  -       -       n       -       1       scache
> smtp-amavis unix    -       -       n       -       2     smtp
>     -o smtp_data_done_timeout=1200
>     -o smtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes
>     -o max_use=20
> 127.0.0.1:10025 inet n    -       n       -       -     smtpd
>     -o content_filter=
>     -o smtpd_delay_reject=no
>     -o smtpd_client_restrictions=permit_mynetworks,reject
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o smtpd_data_restrictions=reject_unauth_pipelining
>     -o smtpd_end_of_data_restrictions=
>     -o smtpd_restriction_classes=
>     -o mynetworks=127.0.0.0/8
>     -o smtpd_error_sleep_time=0
>     -o smtpd_soft_error_limit=1001
>     -o smtpd_hard_error_limit=1000
>     -o smtpd_client_connection_count_limit=0
>     -o smtpd_client_connection_rate_limit=0
>     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>     -o local_header_rewrite_clients=
> smtp      inet  n       -       n       -       1       postscreen
> smtpd     pass  -       -       n       -       -       smtpd
>       -o receive_override_options=no_address_mappings
> dnsblog   unix  -       -       n       -       0       dnsblog
> tlsproxy  unix  -       -       n       -       0       tlsproxy
> 
> -- end of postfinger output --

-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

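The following is an added example, not part of the original message and not Postfix's own code: a small offline audit that checks for two of the problems raised in the reply above, access-table lookups placed before reject_unauth_destination and relay_domains pulling in $transport_maps while the same domain is also a virtual alias domain. The sample main.cf, virtual and transport text is constructed from the quoted postfinger output (user1@example.com is a placeholder), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the postfinger output quoted above (not a real host's config).
MAIN_CF = """\
relay_domains = $mydestination, $transport_maps
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    check_client_access hash:/etc/postfix/client_checks_special,
    check_sender_access hash:/etc/postfix/sender_checks_special,
    reject_non_fqdn_sender, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_client_access hash:/etc/postfix/client_checks, permit
"""
VIRTUAL = "example.com VIRTUALDOMAIN\nuser1@example.com user1\n"
TRANSPORT = "example.com local:\n.example.com local:\n"

def parse_main_cf(text):
    """Parse 'name = value' lines; lines starting with whitespace continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def lookups_before_relay_check(restrictions):
    """Return (restriction, table) pairs evaluated before reject_unauth_destination."""
    tokens = [t for t in re.split(r"[,\s]+", restrictions) if t]
    found = []
    for i, tok in enumerate(tokens):
        if tok in ("reject_unauth_destination", "defer_unauth_destination"):
            break  # lookups after this point can no longer open relaying
        if re.fullmatch(r"check_\w+_access", tok) and i + 1 < len(tokens):
            found.append((tok, tokens[i + 1]))
    return found

def domain_keys(map_text):
    """Left-hand keys of a lookup table that are bare domains (no '@', no leading '.')."""
    keys = {ln.split()[0] for ln in map_text.splitlines() if ln.strip() and not ln.startswith("#")}
    return {k for k in keys if "@" not in k and not k.startswith(".")}

if __name__ == "__main__":
    cfg = parse_main_cf(MAIN_CF)
    for name, table in lookups_before_relay_check(cfg["smtpd_recipient_restrictions"]):
        print(f"WARN {name} {table}: an OK result here permits relaying")
    if "$transport_maps" in cfg.get("relay_domains", ""):
        print("WARN relay_domains includes $transport_maps; also in virtual map:",
              sorted(domain_keys(VIRTUAL) & domain_keys(TRANSPORT)))
```

On a live system the same functions can be fed the output of `postconf -n` and the contents of the virtual and transport source files instead of the embedded samples.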