On 8/27/2014 1:16 PM, Andreas Pauli wrote:
> Hi,
>
> I have got a strange problem. In short: there is a general mapping
> from @example.com to @example.net in the virtual_alias_map.
> Both example.{com,net} are virtual mailbox domains.
> Virtual_transport is lmtp to a mailbox server, and mailboxes exist
> only @example.net.

Wildcard mappings break the built-in recipient validation. Rather
than a wildcard, use a 1-1 mapping listing only valid recipients, or
use a *SQL query structured to fail lookups for unknown recipients.

In some cases you might be able to use reject_unverified_recipient.
Whether that will work or not depends on your local setup.

  -- Noel Jones

>
> When there are mailboxes a...@example.net and x...@example.net and
> no other valid mailboxes I would expect that an email to
> 1...@example.com was rejected, because 1...@example.com gets mapped
> to 1...@example.net and 1...@example.net is not a valid virtual
> mailbox.
>
> More generally: the desirable behaviour would be to reject a recipient
> address if, after mapping it to all the final recipients, no valid
> local or virtual final recipient exists and also no other transport to
> external mail servers is involved.
>
> I have tested this with Postfix versions 2.3.8, 2.5.5, 2.7.1 and 2.9.6
> from Debian Etch, Lenny, Squeeze and Wheezy resp. and finally with
> 2.10.1 from CentOS 7.0.
>
> Emails for invalid recipients in example.com are accepted and bounced
> later instead of rejected immediately. None of the documentation
> gives a clue as to why this happens.
>
> Emails for invalid addresses in example.net do get rejected.
>
> This is the minimum setup for virtual email domains to see the problem:
>
> main.cf (see below for a complete listing):
> --->
> virtual_transport = lmtp:imap.example.org:2500
> virtual_mailbox_domains = /etc/postfix/vdomains
> virtual_mailbox_maps = hash:/etc/postfix/vmailboxes
> virtual_alias_maps = hash:/etc/postfix/virtual
> <---
>
> vdomains contents:
> --->
> example.com
> example.net
> <---
>
> vmailboxes contents:
> --->
> a...@example.net
> x...@example.net
> <---
>
> virtual contents:
> --->
> @example.com @example.net
> <---
>
> Transcript of a smtp dialog:
> --->
> ~$ telnet mx.example.org 25
> Trying 10.0.0.25...
> Connected to mx.example.org.
> Escape character is '^]'.
> 220 mx.example.org ESMTP Postfix (Debian/GNU)
> helo test
> 250 mx.example.org
> mail from:<hostmas...@example.org>
> 250 2.1.0 Ok
> rcpt to:<1...@example.com>
> 250 2.1.5 Ok
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
> <---
>
> Since this is clearly not what you want after you have told Postfix
> *everything* it needs to reject these addresses I am a bit confused -
> and it seems to me that the man pages give the impression that this is
> erroneous behaviour...
>
> When I use the address verification mechanism invalid addresses in
> example.com get rejected. "verify" correctly probes the
> virtual_transport lmtp server for the final recipient(s) and decides
> correctly to reject the email if and only if all final recipients do
> not exist. Mails get accepted as soon as one valid final recipient
> shows up.
>
> So I think that smtpd probably needs some extra configuration - because
> it has access to all the information that verify has, so that smtpd
> could reject itself in this situation.
>
> Thanks for any advice. Avoiding backscatter here would be a great
> achievement.
>
> Andreas
>
> Complete main.cf:
> -------------8<-----------------------------------------------
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
> append_dot_mydomain = no
> readme_directory = no
> smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> myhostname = mx.example.org
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = mx.example.org, localhost.example.org, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> smtpd_recipient_restrictions =
>     reject_invalid_helo_hostname,
>     reject_unauth_pipelining,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_unlisted_recipient,
>     permit_mynetworks,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unauth_destination
> virtual_transport = lmtp:imap.example.org:2500
> virtual_mailbox_domains = /etc/postfix/vdomains
> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
> virtual_alias_maps = hash:/etc/postfix/virtual
>
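
One way to build the 1-1 mapping suggested in the reply, as an added example that is not part of the original thread: it derives one alias line per real mailbox from the mailbox list, so an unknown example.com recipient has no entry and can be refused at RCPT TO. The function names, the temporary files and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit explicit 1-1 virtual alias entries to replace the
# wildcard "@example.com @example.net" line.

# gen_alias_map MAILBOX_FILE ALIAS_DOMAIN MAILBOX_DOMAIN
# Prints "user@ALIAS_DOMAIN<TAB>user@MAILBOX_DOMAIN" for every mailbox key
# in MAILBOX_FILE whose domain is MAILBOX_DOMAIN.
gen_alias_map() {
    awk -v from="$2" -v to="$3" '
        NF == 0 || $1 ~ /^#/ { next }               # skip blank lines and comments
        {
            n = split($1, part, "@")                 # $1 is the lookup key (mailbox address)
            if (n != 2 || part[1] == "") next        # not a plain user@domain key
            if (tolower(part[2]) != tolower(to)) next    # mailbox lives in another domain
            lp = tolower(part[1])                    # write alias keys in lower case
            if (seen[lp]++) next                     # one alias line per mailbox
            printf "%s@%s\t%s\n", lp, tolower(from), $1
        }
    ' "$1"
}

# is_listed MAP_FILE ADDRESS
# Exact-key check: succeeds only if ADDRESS has its own line in MAP_FILE.
is_listed() {
    awk -v want="$2" 'tolower($1) == tolower(want) { found = 1 }
                      END { exit !found }' "$1"
}

# Constructed sample mailbox list; these addresses are placeholders and are
# not the (obfuscated) addresses from the thread.
sample_mailboxes() {
    cat <<'EOF'
# vmailboxes: one mailbox per line
alice@example.net  OK
bob@example.net    OK
carol@example.org  OK
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
sample_mailboxes > "$tmp/vmailboxes"
gen_alias_map "$tmp/vmailboxes" example.com example.net > "$tmp/virtual"
cat "$tmp/virtual"
```

The generated lines take the place of the wildcard line in /etc/postfix/virtual, followed by `postmap hash:/etc/postfix/virtual` to rebuild the table. The output has to be regenerated whenever the mailbox list changes, otherwise new mailboxes are unreachable through the alias domain.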