Hi again,

On Wed, Apr 29, 2015 at 12:34:35AM +0000, Viktor Dukhovni wrote:
>
> Replace this (on Server1) with a rewriting configuration:
>
>     virtual:
>         newu...@example.com newu...@backend2.example.com
>
>     transport:
>         example.com             relay:[backend1.example.com]
>         backend1.example.com    relay
>         backend2.example.com    relay
>
> > In particular we want that messages from "newu...@example.com" (migrated
> > to Backend2) to "any...@example.com" (not migrated yet from Backend1 to
> > Backend2) still pass through Server1. In fact, even a message from
> > "newu...@example.com" to "newu...@example.com" should still pass through
> > Server1.
> >
> > Unfortunately Postfix on Backend2 tries to deliver such messages
> > locally, instead of forwarding them to Server1 first.
>
> On "Backend2":
>
>     main.cf:
>         mydomain = example.com
>         myorigin = $mydomain
>         relayhost = [server1.example.com]
>
>         # Uncomment one of the below. Set the other to what remains
>         # after removing $myhostname:
>         #
>         # mydestination = $myhostname, localhost, localhost.$mydomain
>         # virtual_mailbox_domains = $myhostname
>
> Mail to the domain goes to the smarthost, and from there dispatched
> to the right account (via rewriting).

I've tried several combinations of your suggestions, but now
unfortunately delivery doesn't work anymore (it used to, as explained
previously): newu...@backend2.example.com is always rejected as
unknown in local recipient table.

This is because the real email address is newu...@example.com and not
newu...@backend2.example.com

In my original message, to simplify my question I didn't mention that
Backend2 also hosts 3 subdomains of example.com, and that the
virtual_mailbox_maps is computed with an LDAP query, so of course
newu...@backend2.example.com is not found in our LDAP directory...

Now I understand I shouldn't have tried to simplify the original
question because probably there was missing information in it, sorry
for this...

So we're back to the drawing board, here's my actual configuration
(before your suggestions), as-is (only domain names changed):

Server1's transport :

--- CUT ---
# Not migrated yet :
sub1.example.com               relay:[backend1.example.com]
sub2.example.com               relay:[backend1.example.com]
sub3.example.com               relay:[backend1.example.com]
example.com                    relay:[backend1.example.com]

# Migrated mailboxes :
newus...@sub1.example.com      relay:[backend2.example.com]
newus...@sub2.example.com      relay:[backend2.example.com]
newus...@sub3.example.com      relay:[backend2.example.com]
newu...@example.com            relay:[backend2.example.com]
--- CUT ---

Server1's virtual has not been modified at all.

Backend2's virtual

--- CUT ---
... empty ...
--- CUT ---

Backend2's transport

--- CUT ---
... empty ...
--- CUT ---

Backend2's virtual-ldap.cf

--- CUT ---
server_host = ldaps://ldap.example.com:636/
server_port = 636
search_base = ou=people,dc=example,dc=com
start_tls = no
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_require_cert = yes
query_filter = (&(objectClass=posixAccount)(mail=%s))
domain = sub1.example.com, sub2.example.com, sub3.example.com, example.com
result_attribute = uid
--- CUT ---

Backend2's virtual-mailbox-maps-ldap.cf

--- CUT ---
server_host = ldaps://ldap.example.com:636/
server_port = 636
search_base = ou=people,dc=example,dc=com
start_tls = no
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_require_cert = yes
query_filter = (&(objectClass=posixAccount)(mail=%s))
domain = sub1.example.com, sub2.example.com, sub3.example.com, example.com
result_attribute = homeDirectory
--- CUT ---

Backend2's sender-canonical-maps-ldap.cf

--- CUT ---
server_host = ldaps://ldap.example.com:636/
server_port = 636
start_tls = no
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_require_cert = yes
search_base = ou=people,dc=example,dc=com
query_filter = (&(objectClass=posixAccount)(uid=%u))
result_attribute = mail
--- CUT ---

Backend2's main.cf :

--- CUT ---
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
smtpd_tls_cert_file=/etc/ssl/certs/backend2.example.com.pem
smtpd_tls_key_file=/etc/ssl/private/backend2.example.com.key
smtpd_tls_CAfile=/etc/ssl/certs/chain-backend2.example.com.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
myhostname = backend2.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_maps = hash:/etc/postfix/virtual,
    ldap:/etc/postfix/virtual-ldap.cf
myorigin = /etc/mailname
mydestination = sub1.example.com, sub2.example.com, sub3.example.com, example.com, backend2.example.com, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 67108864
recipient_delimiter = +
inet_interfaces = all
virtual_mailbox_maps = ldap:/etc/postfix/virtual-mailbox-maps-ldap.cf
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.com
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
header_checks = regexp:/etc/postfix/header_checks
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_hostname
    permit
smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access hash:/etc/postfix/sender_access
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    permit
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unauth_destination
    permit
sender_canonical_maps = ldap:/etc/postfix/sender-canonical-maps-ldap.cf
transport_maps = hash:/etc/postfix/transport
relayhost =
--- CUT ---

NB : uids and the local parts of all email addresses are unique (easier I
think).

Any idea of what I should change to obtain the expected behavior ?

Thanks again, and also thanks in advance

-- 
Jérôme Alet - <jerome.a...@univ-nc.nc> - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081  Fax : +687 254829
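
Added illustration, not part of the original message and not Postfix code: a simplified model of next-hop selection applied to the two configurations posted above, showing why Server1 splits mail per mailbox while Backend2 keeps mail for example.com local. The mailbox names (`migrated`, `notyet`), the function names and the empty `mydestination` on Server1 are assumptions, since the post elides the addresses and does not show Server1's main.cf.

```python
# Added illustration, not Postfix code: a simplified model (assumption) of
# next-hop selection. transport(5) is searched for the full address before
# the bare domain; without a match the address class default applies.
# Parent-domain (".domain") keys are left out. Mailbox names are constructed
# because the addresses in the post are elided.

def transport_lookup(table, rcpt, delimiter="+"):
    """First match in transport(5) order: user+ext@domain, user@domain, domain."""
    local, _, domain = rcpt.lower().rpartition("@")
    base = local.split(delimiter, 1)[0]      # recipient_delimiter = +
    for key in (f"{local}@{domain}", f"{base}@{domain}", domain):
        if key in table:
            return table[key]
    return None

def next_hop(rcpt, table, mydestination=(), relayhost=""):
    """Transport table first, then local class, then relayhost, then MX."""
    hit = transport_lookup(table, rcpt)
    if hit is not None:
        return hit
    domain = rcpt.lower().rpartition("@")[2]
    if domain in mydestination:
        return "local"                       # local_transport
    return f"relay:{relayhost}" if relayhost else "smtp"

SUBS = ("sub1.example.com", "sub2.example.com", "sub3.example.com", "example.com")

# Server1: domain entries point at Backend1, per-mailbox entries at Backend2.
SERVER1_TRANSPORT = {d: "relay:[backend1.example.com]" for d in SUBS}
SERVER1_TRANSPORT["migrated@example.com"] = "relay:[backend2.example.com]"

# Backend2 as posted: empty transport table, hosted domains in mydestination,
# empty relayhost.
BACKEND2_TRANSPORT = {}
BACKEND2_MYDESTINATION = SUBS + (
    "backend2.example.com", "localhost.localdomain", "localhost")

if __name__ == "__main__":
    for rcpt in ("migrated@example.com", "notyet@example.com",
                 "notyet+tag@sub2.example.com"):
        s1 = next_hop(rcpt, SERVER1_TRANSPORT)
        b2 = next_hop(rcpt, BACKEND2_TRANSPORT, BACKEND2_MYDESTINATION)
        print(f"{rcpt:28} Server1 -> {s1:30} Backend2 -> {b2}")
```

On a live system the same lookups can be checked with `postmap -q <key> hash:/etc/postfix/transport` on each host.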