>>>>> "John" == John Stoffel <j...@stoffel.org> writes:
John> I'm in the process of upgrading an old RHEL 6.6 server running a
John> hacked postfix 2.11.9 release to something newer, on Ubuntu 21.4 and
John> using postfix 3.5.6 but I'm running into a minor annoyance.

John> This server handles incoming email, looks for a match in an NIS
John> mail.aliases map, and then all the email is forwarded on to other
John> destination hosts. There is no local delivery. This has worked for
John> years, because we used to have lots of local Unix/Linux users who sent
John> email in that same NIS domain, so we would have aliases like:

John> john: john.stoffel
John> john.stoffel: john.stof...@server.foo.com
John> mail-list: mail-l...@mailman.foo.com
John> group-mail: group-m...@other-server.foo.com

John> So this all works, but when users left, their email alias got removed
John> from the NIS map, but their local unix account stayed so we could keep
John> track of files and quotas and such. So postfix would deliver email
John> locally.

John> So to make sure we don't accept email from those accounts, I set up:

John> smtpd_recipient_restrictions = check_recipient_access
John>     hash:/etc/postfix/gone_users, check_sender_access
John>     hash:/etc/postfix/sender_access, check_client_access
John>     cidr:/etc/postfix/client_checks

John> And the gone_users file was just

John> n...@foo.long.com REJECT
John> n...@foo.com REJECT

John> which worked, but meant I had to remember to add users there. Pain in
John> the butt, since I really only need to accept email for matches in the
John> nis:mail.aliases map.

John> In my current attempt, I've removed foo.long.com and foo.com from the
John> 'mydestination' setting. Using:

John> virtual_alias_domains = foo.com foo.primary.com
John> virtual_alias_maps = nis:mail.aliases

John> setting should be what I want, but the left hand side is just bare
John> usernames, not addresses, and I would need them to match
John> <user>@foo.com and <user>@foo.primary.com addresses.

So what I think might be a workable solution is to just do:

    ypcat -k aliases | sed -e 's/\s/@foo.com /' | sort > virtual_foo
    postmap /etc/postfix/virtual_foo

and update the main.cf to have:

    virtual_alias_maps = nis:mail.aliases hash:/etc/postfix/virtual_foo

So that it does both lookups. Not ideal since now I need to add in
some work to push out the virtual_foo map when updates are made to the
NIS map, but it's not terrible.

It would be ideal if there was another way to make this work
otherwise. But I realize I'm doing something slightly weird and
backwards.

John> So far in my testing, <user> & <user>@foo.primary.com work in the
John> RCPT To: ... testings, but the short <user>@foo.com doesn't get
John> accepted. But in good news, non-defined aliases get rejected without
John> using the gone_users entry in smtpd_recipient_restrictions.

John> This hack only needs to be around for another year, since they plan to
John> deprecate the old foo.com form. Here's my postconf -nf output:

John> # postconf -nf
John> alias_database =
John> alias_maps =
John> command_directory = /usr/sbin
John> compatibility_level = 2
John> daemon_directory = /usr/lib/postfix/sbin
John> data_directory = /var/lib/postfix
John> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
John>     ddd $daemon_directory/$process_name $process_id & sleep 5
John> header_checks = pcre:/etc/postfix/header_checks
John> html_directory = /usr/share/doc/postfix/html
John> inet_interfaces = all
John> inet_protocols = ipv4
John> local_recipient_maps =
John> mail_spool_directory = /var/mail
John> mailbox_size_limit = 0
John> mailq_path = /usr/bin/mailq
John> manpage_directory = /usr/share/man
John> masquerade_domains = !hqmta.foo.com foo.primary.com
John> message_size_limit = 51183040
John> mydestination = $myhostname, localhost.$mydomain, localhost
John> mydomain = foo.primary.com
John> myhostname = mailhost-new.foo.primary.com
John> mynetworks = 127.0.0.0/8, X.Y.Z.0/18, 10.0.0.0/8
John> myorigin = $mydomain
John> newaliases_path = /usr/bin/newaliases
John> recipient_delimiter = +
John> relayhost =
John> sendmail_path = /usr/sbin/sendmail
John> setgid_group = postdrop
John> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
John> smtpd_recipient_restrictions = check_sender_access
John>     hash:/etc/postfix/sender_access, check_client_access
John>     cidr:/etc/postfix/client_checks
John> smtpd_tls_security_level = may
John> transport_maps = hash:/etc/postfix/transport_maps
John> unknown_local_recipient_reject_code = 550
John> virtual_alias_domains = foo.com foo.primary.com
John> virtual_alias_maps = nis:mail.aliases
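
The map-generation step described in the message above, as an added example that is not part of the original post. It goes beyond the one-liner by emitting an entry for every domain given and by replacing the table only when the new one is non-empty; the function names nis_to_virtual and publish_map are hypothetical, and publish_map assumes ypcat and postmap are installed.

```shell
#!/bin/sh
# Added example: names below are hypothetical, not from the original post.

# nis_to_virtual DOMAIN...
# Reads "key value..." lines (the shape of `ypcat -k` output) on stdin and
# prints one "key@DOMAIN value..." line per domain, ready for postmap.
nis_to_virtual() {
    awk -v domains="$*" '
        BEGIN { n = split(domains, dom, " ") }
        /^[ \t]*(#|$)/ { next }            # skip blank lines and comments
        {
            key = $1
            if (key ~ /@/) next            # already qualified: leave alone
            if (key in seen) next          # first definition wins
            seen[key] = 1
            rhs = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", rhs)   # drop the key, keep the rest
            if (rhs == "") next            # no target, nothing to map
            for (i = 1; i <= n; i++)
                printf "%s@%s %s\n", key, dom[i], rhs
        }' | LC_ALL=C sort
}

# publish_map FILE DOMAIN...
# Assumes ypcat and postmap are installed. Builds the table in a temp file
# next to FILE and only replaces FILE when the result is non-empty, so a
# failed NIS query cannot overwrite a good table.
publish_map() {
    out=$1; shift
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if ypcat -k aliases | nis_to_virtual "$@" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv "$tmp" "$out" && postmap "hash:$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Example: publish_map /etc/postfix/virtual_foo foo.com foo.primary.com
```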