On 6/19/2013 1:37 PM, Craig R. Skinner wrote:
> On 2013-06-19 Wed 10:55 AM |, Stan Hoeppner wrote:
>>
>> I'm anything but an expert in this particular area of Postfix, but I
>> think the problem is that Craig is trying to use virtual_alias_maps when
>> he should probably just be using the local aliases file. His Postfix
>> hosts a single mail domain IIUC.
>
> To start with at least.
>
>> He's simply wanting to create alias
>> addresses presented to the public for each local UNIX mailbox address.
>
> Correct.
>
>> Additionally he wants to reject any inbound mail destined for the actual
>> local UNIX addresses, as well as system/role accounts.
>
> Correct again.
>
>> These last two are straightforward. For the first:
>>
>> /etc/postfix/reject-local-system
>>
>> jb4...@example.com reject Unknown User
>> jb8...@example.com reject Unknown User
>> s...@example.com reject Unknown User
>> na...@example.com reject Unknown User
>> dove...@example.com reject Unknown User
>> sq...@example.com reject Unknown User
>> post...@example.com reject Unknown User
>>
>> and use
>> smtpd_recipient_restrictions
Note this is an smptd restriction.
>> ...
>> check_recipient_access hash:/etc/postfix/reject-local-system
>> ...
Thus this only applies to mail arriving via smtpd, not pickup, not pipe,
etc.
> $ for account in $(cut -d: -f1 /etc/passwd | grep -v master$); \
> do \
> print "${account}@example.com reject Unknown User" >> \
> /etc/postfix/reject-local-system.map; \
> done
>
> $ postmap ....
>
> $ postmap -q s...@example.com reject-local-system.map
> reject Unknown User
>
> main.cf:
> smtpd_recipient_restrictions =
> reject_non_fqdn_hostname
> reject_invalid_hostname
> reject_non_fqdn_sender
> ....
> ...
> ...
> check_recipient_access btree:$config_directory/reject-local-system.map
> ...
> ..
>
>
>>
>> To satisfy the second:
>>
>> jb4...@server1.example.com --> reject as unknown
>> jb8...@server2.example.com --> reject as unknown
>>
>> Simply do not put "$myhostname, localhost.$mydomain" in mydestination,
>> assuming $myhostname is an FQDN equal to "serverX.example.com". In fact
>> there's likely no need to have anything in mydestination other than your
>> domain name.
>>
>
> main.cf:
> mydestination = $mydomain
> # no virtual_alias_* stuff
>
>
>
> restart postfix and then .... system accounts are still getting mail;-
>
> $ uptime | sendmail post...@example.com
Note you are injecting the mail in this test with the sendmail
compatibility command, which does not involve the smtpd service.
> Jun 19 19:12:16 server1 postfix/pickup[2654]: 0776A6753: uid=1097 from=<user1>
> Jun 19 19:12:16 server1 postfix/cleanup[8207]: 0776A6753:
> message-id=<20130619181216.0776a6...@server1.example.com>
> Jun 19 19:12:16 server1 postfix/qmgr[8538]: 0776A6753:
> from=<user.n...@example.com>, size=344, nrcpt=1 (queue active)
> Jun 19 19:12:16 server1 dovecot: lmtp(9851): Connect from local Jun 19
> 19:12:16 server1 dovecot: lmtp(9851, postfix): Error: user
> _postfix: Initialization failed: Namespace '': mkdir(/var/mail/postfix)
> failed: Permission denied (euid=507(postfix) egid=507(postfix) missing +w
> perm: /var/mail, dir owned by 0:0 mode=0755)
> Jun 19 19:12:16 server1 dovecot: lmtp(9851): Disconnect from local: Client
> quit (in reset)
As you can clearly see in the logging, your test message entered Postfix
via the pickup service, not via smtpd. You are not testing properly.
Send the msg into smtpd and it will be rejected, as long as
check_recipient_access precedes any other user lookups, such as
reject_unknown_user
> $ uptime | sendmail us...@example.com
> Jun 19 19:12:33 server1 postfix/pickup[2654]: C90DB6765: uid=1097 from=<user1>
> Jun 19 19:12:33 server1 postfix/cleanup[8207]: C90DB6765:
> message-id=<20130619181233.c90db6...@server1.example.com>
> Jun 19 19:12:33 server1 postfix/qmgr[8538]: C90DB6765:
> from=<user.n...@example.com>, size=344, nrcpt=1 (queue active)
> Jun 19 19:12:33 server1 dovecot: lmtp(9851): Connect from local
> Jun 19 19:12:33 server1 dovecot: lmtp(9851, user1): w9hyI0r0wVF7JgAANm01jw:
> sieve: msgid=<20130619181233.c90db6...@server1.example.com>: stored mail into
> mailbox 'INBOX'
Same thing. Improper test using pickup instead of smtpd.
If you really want to restrict locally generated mail messages to such
address formats, we can address that later, but such a thing is probably
not necessary.
> My next thought is to remove /etc/passwd from:
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
>
> Ideas?
First do a proper test of your check_client_access restriction via
smtpd. Then note Viktor's advice. He is one of the Postfix developers.
I'm guessing due to your trial and error methodology here that's you've
not read the Address Rewriting document:
http://www.postfix.org/ADDRESS_REWRITING_README.html
I'd read that thoroughly before any more trial/error, paying particular
attention to the virtual aliasing section. It may give you a better
understanding of this, and help eliminate guesswork.
--
Stan
