On 2013-06-21 Fri 22:08 PM |, Jeroen Geilman wrote:
> >
> >main.cf:
> >myorigin = $mydomain
> >mydestination = localhost.$mydomain
>
> No. If the destination you use in virtual_alias_maps is @localhost,
> then THAT must be in mydestination.
> Postfix is quite literal.
>
> mydestination = localhost
> append_dot_mydomain = no
>
> Or, if you wish to follow Victor's advice, qualify all aliases with
> "@localhost.$mydomain" instead.
> But that's just more typing than I need.
>
> >It seems the aliases file is not used.
>
> Of course it is used, for any destinations in $mydestination.
> You did not put "localhost" in $mydestination.
>

Superbly simple config Jeroen, unfortunately it doesn't work for me - yet.

main.cf:
myorigin = $mydomain
mydestination = localhost
append_dot_mydomain = no
virtual_alias_domains = example.com
virtual_alias_maps = btree:$config_directory/virtual_alias_maps.map
sender_canonical_maps = btree:$config_directory/canonical.map
masquerade_domains = $mydomain, $virtual_alias_domains
remote_header_rewrite_domain = sender.domain.incomplete
alias_maps = btree:$config_directory/aliases
mail_spool_directory = /var/mail/
mailbox_transport = lmtp:unix:private/dovecot-lmtp

canonical.map:
jb4356 joe.blo...@example.com
jb8921 jane.blos...@example.com
... ...

virtual_alias_maps.map:
# accept mail for postmaster/abuse@[ip.add.ress.es]
postmaster postmaster
abuse postmaster
# (no effect)
hostmaster hostmaster
# example.com:
hostmas...@example.com hostmaster
sa...@example.com acct145
i...@example.com acct267
supp...@example.com acct267
... ...
joe.blo...@example.com jb4356
jane.blos...@example.com jb8921

aliases:
root: admin-acct
MAILER-DAEMON: postmaster
abuse: postmaster
bin: root
daemon: root
named: hostmaster
nobody: root
... ...

NO mail is accepted UNLESS it is virtually aliased with @localhost:

*) the aliases file is totally ignored
*) without the virtual @localhost, it is:
   status=bounced (User unknown in virtual alias table)

$ uptime | mail -s uptime hostmaster (<--- this is a unix account)
Jun 22 11:15:21 server1 postfix/pickup[6298]: 12A1F6764: uid=7432 from=<admin-acct>
Jun 22 11:15:21 server1 postfix/cleanup[8557]: 12A1F6764: message-id=<20130622101521.12a1f6...@server1.example.com>
Jun 22 11:15:21 server1 postfix/qmgr[13148]: 12A1F6764: from=<server-ad...@example.com>, size=393, nrcpt=1 (queue active)
Jun 22 11:15:21 server1 postfix/error[20137]: 12A1F6764: to=<hostmas...@example.com>, orig_to=<hostmaster>, relay=none, delay=0.03, delays=0.02/0/0/0.01, dsn=5.0.0, status=bounced (User unknown in virtual alias table)

$ uptime | mail -s uptime hostmas...@example.com
Jun 22 11:16:21 server1 postfix/pickup[6298]: 873CF6764: uid=7432 from=<admin-acct>
Jun 22 11:16:21 server1 postfix/cleanup[8557]: 873CF6764: message-id=<20130622101621.873cf6...@server1.example.com>
Jun 22 11:16:21 server1 postfix/qmgr[13148]: 873CF6764: from=<server-ad...@example.com>, size=393, nrcpt=1 (queue active)
Jun 22 11:16:21 server1 postfix/error[20137]: 873CF6764: to=<hostmas...@example.com>, relay=none, delay=0.03, delays=0.02/0/0/0.01, dsn=5.0.0, status=bounced (User unknown in virtual alias table)

$ uptime | mail -s uptime daemon (<--- this is in aliases, for root)
Jun 22 11:54:13 server1 postfix/pickup[24295]: 1EC8F67DC: uid=7432 from=<admin-acct>
Jun 22 11:54:13 server1 postfix/cleanup[15996]: 1EC8F67DC: message-id=<20130622105413.1ec8f6...@server1.example.com>
Jun 22 11:54:13 server1 postfix/qmgr[7561]: 1EC8F67DC: from=<server-ad...@example.com>, size=389, nrcpt=1 (queue active)
Jun 22 11:54:13 server1 postfix/error[23896]: 1EC8F67DC: to=<dae...@example.com>, orig_to=<daemon>, relay=none, delay=0.26, delays=0.14/0.06/0/0.06, dsn=5.0.0, status=bounced (User unknown in virtual alias table)

It seems that if the machine's own domain is virtual (with or without
@localhost virtual aliases), aliases is ignored.

Therefore, for the machine's domain name to be virtual, everything in
aliases must be moved to the virtual alias map & appended with
unix-account@localhost.

I don't want 'root, daemon, nobody,...' items to be publicly route-able.

Stan's idea of a plain canonical domain & rejecting specific Unix
accounts via smtpd_recipient_restrictions check_recipient_access
reject_system_accounts.map works.

Thoughts welcome,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
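
The bounces logged above, as a simplified model added here (not part of the original message and not Postfix code): a bare recipient is qualified with $myorigin, virtual_alias_maps is expanded, and only an address that ends up in a $mydestination domain reaches the aliases file. The map entries, the names webmaster and acct999, and all function names are constructed for illustration.

```python
# Simplified model of Postfix recipient handling (assumption, not Postfix source).
MYORIGIN = "example.com"
MYDESTINATION = {"localhost"}
VIRTUAL_ALIAS_DOMAINS = {"example.com"}

# Constructed sample maps; "webmaster" and "acct999" are illustrative names.
VIRTUAL_ALIAS_MAPS = {
    "hostmaster": "hostmaster",                      # resolves to itself
    "webmaster@example.com": "acct999@localhost",    # leaves the virtual domain
}
ALIASES = {"root": "admin-acct", "daemon": "root", "named": "hostmaster"}


def qualify(addr):
    """Bare names get @$myorigin appended."""
    return addr if "@" in addr else f"{addr}@{MYORIGIN}"


def virtual_lookup(addr):
    """Try user@domain, then bare user when the domain is local to this host."""
    user, domain = addr.rsplit("@", 1)
    if addr in VIRTUAL_ALIAS_MAPS:
        return VIRTUAL_ALIAS_MAPS[addr]
    if domain == MYORIGIN or domain in MYDESTINATION:
        return VIRTUAL_ALIAS_MAPS.get(user)
    return None


def expand_virtual(addr, depth=0):
    """Follow virtual aliases until nothing changes (depth-limited)."""
    addr = qualify(addr)
    target = virtual_lookup(addr)
    if target is None or qualify(target) == addr or depth >= 10:
        return addr
    return expand_virtual(target, depth + 1)


def expand_local(user, seen=()):
    """aliases(5) expansion, reached only for $mydestination recipients."""
    target = ALIASES.get(user)
    if target is None or target in seen:
        return user
    return expand_local(target, seen + (user,))


def route(rcpt):
    user, domain = expand_virtual(rcpt).rsplit("@", 1)
    if domain in VIRTUAL_ALIAS_DOMAINS:   # still virtual: the error seen in the logs
        return ("bounced", "User unknown in virtual alias table")
    if domain in MYDESTINATION:
        return ("local", expand_local(user))
    return ("relay", f"{user}@{domain}")
```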