Hello,


My first guess is
http://www.postfix.org/DEBUG_README.html#no_chroot

So I went through /etc/postfix/master.cf and changed each line to make sure that nothing was left in a chroot:

#egrep '^[a-z]' master.cf
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
policy    unix  -       n       n       -       0       spawn
uucp      unix  -       n       n       -       -       pipe
ifmail    unix  -       n       n       -       -       pipe
bsmtp     unix  -       n       n       -       -       pipe
scalemail-backend unix  -       n       n       -       2       pipe
mailman   unix  -       n       n       -       -       pipe
smtp-amavis unix    -   -       n       -       2     smtp

and alas, the message remains in mail.log. It was a good call though.
Any other idea?


Sébastien.


Noel Jones (Tue, 7 Nov 2017):

On 11/7/2017 9:40 AM, Seb wrote:

Hello,


I run a small publishing company and for the sake of easing
communication between authors (who work in teams) I have provided
each of them with a local alias. Typically, mail sent to
<firstname>.<lastname>@<mydomain> is redirected to
<firstname>.<lastname>@gmail.com, the usual email address of the
author.

You can use a postfix policy service such as postfwd to create a
list of allowed senders for some particular recipient.  This isn't
difficult, but will require manual intervention anytime a change
is needed. Postfwd may be kinda old, but is still widely used.
http://postfwd.org/

(Reminder: my aim is to allow emails for our site's users only if
the emails come from a certain dynamic list of addresses. It's a
tool to Filter Unauthorized Communications with Keyholes, or in
short, let's call it f.u.c.k.)

I looked at the three solutions hinted at by Noel Jones. Postfwd was
closest to my needs but it seemed more straightforward to use
Postfix' SMTP Access Policy Delegation, which is mentioned in
Postfwd's own documentation. To this end I closely followed the
instructions provided by the documentation:
    http://www.postfix.org/SMTPD_POLICY_README.html#client_config

In master.cf I added the lines
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    policy    unix  -       n       n       -       0       spawn
       user=nobody argv=/home/seb/sandra/bin/fuck
(I tried writing this on 1 line or on 2 lines.)

In main.cf I extended smtpd_recipient_restrictions to:
    smtpd_recipient_restrictions =
        reject_invalid_helo_hostname,
        [...]
        check_policy_service inet:127.0.0.1:10023,
        check_policy_service unix:/home/seb/sandra/bin/fuck,
        permit
and, as the doc instructed, I also added:
    policy_time_limit = 3600

As for the Perl script that would decide whether an email should go
through or not, for testing purposes I simply wrote:
    #!/usr/bin/perl
    print "action=dunno\n\n";

I then did a "chmod a+x" on /home/seb/sandra/bin/fuck and a "postfix
reload"; my postfix version is 2.11 (Debian 8).

This setup is as close to the documentation as I can make it. Yet I
have missed something because /var/log/mail.log says:
Nov  7 13:51:17 ns3358511 postfix/smtpd[14177]: warning: connect to /home/seb/sandra/bin/fuck: No such file or directory
Nov  7 13:51:17 ns3358511 postfix/smtpd[14177]: warning: problem talking to server /home/seb/sandra/bin/fuck: No such file or directory

although the file really exists:
 ~>ls -l /home/seb/sandra/bin/fuck
-rwxr-xr-x 1 seb seb 2880 Nov  7 16:31 /home/seb/sandra/bin/fuck

The problem could very well be something simple or so self-evident
that it was not deemed necessary to write it in the documentation.

I toyed with this as much as I dared on a live system, and still
have no clue what the message in mail.log really means.

Any help figuring this out would be very much appreciated, thank you!


Kind regards,
Sébastien.
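
A minimal policy delegate for the goal described in this thread (accept mail for a protected alias only from listed senders), given here as an added example and not as code from any poster. It speaks the name=value request format of SMTPD_POLICY_README over stdin/stdout as spawn(8) provides them; the addresses and the `ALLOWED` table are constructed sample data.

```python
#!/usr/bin/env python3
"""Postfix SMTP access policy delegate (added example, not from the thread)."""
import sys

# Constructed sample data: protected recipient -> senders allowed to write to it.
ALLOWED = {
    "jane.doe@example.org": {"john.roe@gmail.com", "editor@example.org"},
}

def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, allowed=ALLOWED):
    """Return the access(5) action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "dunno"
    rcpt = attrs.get("recipient", "").lower()
    sender = attrs.get("sender", "").lower()
    if rcpt not in allowed:
        return "dunno"  # not a protected alias: leave it to later restrictions
    # The envelope sender is unauthenticated, so this filters noise,
    # it does not prove who wrote the message.
    if sender in allowed[rcpt]:
        return "dunno"
    return "REJECT Sender not authorized for this recipient"

def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests until Postfix closes the connection."""
    request = []
    for raw in stdin:
        line = raw.rstrip("\n")
        if line:
            request.append(line)
            continue
        # An empty line ends the request; the reply also ends with one.
        stdout.write("action=%s\n\n" % decide(parse_request(request)))
        stdout.flush()
        request = []

# smtpd reaches a spawn(8) service through its master.cf socket
# (unix:private/policy in SMTPD_POLICY_README), not through the script path.
if __name__ == "__main__":
    serve()
```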
