Hi all,
I'm in the process of upgrading an old RHEL 6.6 server running a
hacked postfix 2.11.9 release to something newer, on Ubuntu 21.4 and
using postfix 3.5.6 but I'm running into a minor annoyance.
This server handles incoming email, looks for a match in an NIS
mail.aliases map, and then all the email is forwarded on to other
destination hosts. There is no local delivery. This has worked for
years, because we used to have lots of local Unix/Linux users who sent
email in that same NIS domain, so we would have aliases like:

    john: john.stoffel
    john.stoffel: john.stof...@server.foo.com
    mail-list: mail-l...@mailman.foo.com
    group-mail: group-m...@other-server.foo.com

So this all works, but when users left, their email alias got removed
from the NIS map, but their local unix account stayed so we could keep
track of files and quotas and such. So postfix would deliver email
locally.
So to make sure we don't accept email from those accounts, I set up:

    smtpd_recipient_restrictions = check_recipient_access
        hash:/etc/postfix/gone_users, check_sender_access
        hash:/etc/postfix/sender_access, check_client_access
        cidr:/etc/postfix/client_checks

And the gone_users file was just

    n...@foo.long.com REJECT
    n...@foo.com REJECT

which worked, but meant I had to remember to add users there. Pain in
the butt, since I really only need to accept email for matches in the
nis:mail.aliases map.
In my current attempt, I've removed foo.long.com and foo.com from the
'mydestination' setting. Using:

    virtual_alias_domains = foo.com foo.primary.com
    virtual_alias_maps = nis:mail.aliases

setting should be what I want, but the left hand side is just bare
usernames, not addresses, and I would need them to match
<user>@foo.com and <user>@foo.primary.com addresses.
So far in my testing, <user> & <user>@foo.primary.com work in the
RCPT To: ... testings, but the short <user>@foo.com doesn't get
accepted. But in good news, non-defined aliases get rejected without
using the gone_users entry in smtpd_recipient_restrictions.
This hack only needs to be around for another year, since they plan to
deprecate the old foo.com form. Here's my postconf -nf output:

# postconf -nf
alias_database =
alias_maps =
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_domains = !hqmta.foo.com foo.primary.com
message_size_limit = 51183040
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = foo.primary.com
myhostname = mailhost-new.foo.primary.com
mynetworks = 127.0.0.0/8, X.Y.Z.0/18, 10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
recipient_delimiter = +
relayhost =
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = check_sender_access
    hash:/etc/postfix/sender_access, check_client_access
    cidr:/etc/postfix/client_checks
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport_maps
unknown_local_recipient_reject_code = 550
virtual_alias_domains = foo.com foo.primary.com
virtual_alias_maps = nis:mail.aliases
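
Added example, not part of the original post: a simplified Python model of the virtual(5) lookup order, showing why a bare-username key matches <user>@foo.primary.com (the $myorigin domain) but not <user>@foo.com, and how fully qualified keys cover both domains. The alias entries are constructed, the domain values are taken from the postconf output above, and address extensions and $inet_interfaces matching are not modeled.

```python
# Added example: simplified model of the Postfix virtual(5) lookup order.
# Domain settings mirror the postconf output in the post.
MYORIGIN = "foo.primary.com"
MYDESTINATION = {"mailhost-new.foo.primary.com", "localhost.foo.primary.com", "localhost"}
VIRTUAL_ALIAS_DOMAINS = ["foo.com", "foo.primary.com"]

# Constructed stand-in for nis:mail.aliases (bare usernames on the left).
NIS_ALIASES = {
    "alice": "alice.example@server.foo.com",
    "mail-list": "mail-list@mailman.foo.com",
}

def virtual_lookup(table, rcpt):
    """Return the rewrite target for rcpt, or None if no key matches.

    Order modeled: user@domain, then bare user (only when the domain is
    $myorigin or listed in $mydestination), then @domain.
    """
    user, _, domain = rcpt.lower().partition("@")
    domain = domain or MYORIGIN  # a bare address gets @$myorigin appended
    keys = [f"{user}@{domain}"]
    if domain == MYORIGIN or domain in MYDESTINATION:
        keys.append(user)
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            return table[key]
    return None  # unlisted recipient: nothing to rewrite to

def qualify(aliases, domains):
    """Expand bare-username keys into user@domain keys for every domain."""
    return {f"{user}@{d}": target for user, target in aliases.items() for d in domains}

def render(table):
    """Format a table as text input for a postmap-built lookup table."""
    return "".join(f"{key}\t{value}\n" for key, value in sorted(table.items()))

if __name__ == "__main__":
    qualified = qualify(NIS_ALIASES, VIRTUAL_ALIAS_DOMAINS)
    for rcpt in ("alice", "alice@foo.primary.com", "alice@foo.com", "gone@foo.com"):
        print(f"{rcpt:24} bare keys: {virtual_lookup(NIS_ALIASES, rcpt)!s:32}"
              f" qualified keys: {virtual_lookup(qualified, rcpt)}")
    print(render(qualified), end="")
```

Recipients that return None in either table stay unlisted, so a departed user with no alias entry still has no match in the model.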