smtp auth

2013-06-25 Thread Fabrizio Monti
hello to all,
I can not understand: I would like to enable authentication on port 25
to prevent my server from being used as a free SMTP relay. I configured
Postfix by the book; if I connect with telnet it gives me back

Escape character is '^]'.
220 example.com ESMTP Postfix
ehlo example.com
250-test.example.com
250-PIPELINING
250-SIZE 1536
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


but when I try to send mail from a client using port 25 without authentication,
it sends the email to me. I do not want this, I do not want it to work!
Where am I going wrong? Can someone tell me where I'm wrong?


this is configuration of main.cf:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
#
smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_loglevel = 1

this is configuration of master.cf

smtp  inet  n   -   n   -   -   smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-user.cf
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject




Thanks a lot,
Fabrizio.


Re: Virtual Hosting (Ubuntu 12.04)

2013-06-25 Thread Titanus Eramius
On Mon, 24 Jun 2013 20:22:00 -0500, postfix2...@hushmail.com wrote:

> Holy cow? Two things I didn't expect. Somebody would own a goofy name
> like that and somebody else would actually feel like pulling the
> records to test that.  I suppose example.com is taken too, which is
> precisely why I avoided it. I'm sure they get bugged all the time as
> it is.

No, example.com and example.org are reserved by IANA with the specific
purpose of being used as examples. Try to visit one of them.

Cheers


Re: smtp auth

2013-06-25 Thread Fabrizio Monti
All this because I have problems with my mail server, which is being used as
an SMTP relay. How can I prevent sending email on port 25 and at the same
time still be able to receive mail on port 25?




Re: smtp auth

2013-06-25 Thread Jerry
On Tue, 25 Jun 2013 12:15:28 +0200
Fabrizio Monti articulated:

> > hello to all,
> > I can not understand: I would like to enable authentication on port
> > 25 to prevent my server from being used as a free SMTP relay. I
> > configured Postfix by the book; if I connect with telnet it gives me back
> >
> > Escape character is '^]'.
> > 220 example.com ESMTP Postfix
> > ehlo example.com
> > 250-test.example.com
> > 250-PIPELINING
> > 250-SIZE 1536
> > 250-VRFY
> > 250-ETRN
> > 250-STARTTLS
> > 250-AUTH PLAIN LOGIN
> > 250-AUTH=PLAIN LOGIN
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
> >
> > but when I try to send mail from a client using port 25 without
> > authentication, it sends the email to me. I do not want this, I do
> > not want it to work! Where am I going wrong? Can someone tell
> > me where I'm wrong?
> >
> >
> > this is configuration of main.cf:

[snip]

> All this because I have problems with my mail server, which is being
> used as an SMTP relay. How can I prevent sending email on port 25 and
> at the same time still be able to receive mail on port 25?

Please don't use HTML format to send email. Plain ASCII is preferred.
While you are at it, lose the tendency to top post. Now, please
follow the directions you received when you signed up for this list.
Provide the unaltered output of "postconf -n", not a few select bits.
See:  and specifically,
.

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html


Re: smtp auth

2013-06-25 Thread Patrick Ben Koetter
Fabrizio,

* Fabrizio Monti :
> hello to all,
> I can not understand: I would like to enable authentication on port 25
> to prevent my server from being used as a free SMTP relay. I configured
> Postfix by the book; if I connect with telnet it gives me back
> 
> Escape character is '^]'.
> 220 example.com ESMTP Postfix
> ehlo example.com
> 250-test.example.com
> 250-PIPELINING
> 250-SIZE 1536
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
> 
> but when I try to send mail from a client using port 25 without authentication,
> it sends the email to me. I do not want this, I do not want it to work!
> Where am I going wrong? Can someone tell me where I'm wrong?

the purpose of an SMTP server is to accept messages for your domains and e.g.
route them into your mailbox. There's nothing wrong with this.

p@rick

-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
 


Re: Virtual Hosting (Ubuntu 12.04)

2013-06-25 Thread Ansgar Wiechers
On 2013-06-24 postfix2...@hushmail.com wrote:
> Holy cow? Two things I didn't expect. Somebody would own a goofy name
> like that and somebody else would actually feel like pulling the
> records to test that.  I suppose example.com is taken too, which is
> precisely why I avoided it. I'm sure they get bugged all the time as
> it is.

You're mistaken. example.com, example.net and example.org as well as the
TLDs .test, .example, .invalid and .localhost were reserved for this
exact purpose. See RFC 2606 [1].

[1] http://www.ietf.org/rfc/rfc2606.txt

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


/etc/passwd Centos + postfix

2013-06-25 Thread Dejan Doder
Hi group, I use system users with passwords defined in /etc/passwd.
How can users change their passwords ?

BR

Dejan


Re: /etc/passwd Centos + postfix

2013-06-25 Thread lists
On Tue, 25 Jun 2013 13:22:46 +0200
Dejan Doder  wrote:

> Hi group, I use system users with passwords defined in /etc/passwd.
> How can users change their passwords ?
> 
use CLI "passwd"..


Re: /etc/passwd Centos + postfix

2013-06-25 Thread Dejan Doder
yes I know that, but how will users change passwords by themselves ?




Re: /etc/passwd Centos + postfix

2013-06-25 Thread Wietse Venema
Dejan Doder  wrote:
> Hi group, I use system users with passwords defined in /etc/passwd.
> How can users change their passwords ?

On Tue, Jun 25, 2013 at 2:25 PM,  wrote:
> use CLI "passwd"..

Dejan Doder:
> yes I know that, but how will users change passwords by themselves ?

You are looking for a web-based form that can manage a user's system
password. Unfortunately many implementations are cobbled together
with PHP, TCL, etc. With these it is very easy to make terrible
mistakes, so I can't recommend a specific one without a great deal
of review.

Wietse


Re: /etc/passwd Centos + postfix

2013-06-25 Thread Craig R. Skinner
On 2013-06-25 Tue 14:31 PM |, Dejan Doder wrote:
> 
> yes I know that, but how will users change passwords by themselves ?
> 

They ssh to the server & then run 'passwd'

This is a Centos question, not a Postfix one.

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7


Re: /etc/passwd Centos + postfix

2013-06-25 Thread Ryan Patrick Fernandez
Use a web based tool like webmin. I think this is not the proper forum for that,
though you can start from there. Just google webmin

Ryan




Re: smtp auth

2013-06-25 Thread Fabrizio Monti
@Jerry

>Please don't use HTML format to send email. Plain ASCII is preferred.
Sorry, I'll correct it immediately.


postconf -n

alias_database = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1536
mydestination = localhost
myhostname = mail3.gisnet.it
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = /etc/postfix/rcpthosts
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf
virtual_gid_maps = static:8135
virtual_mailbox_base = /home/vmail
virtual_minimum_uid = 100
virtual_uid_maps = static:8135

@Patrick

> the purpose of an SMTP server is to accept messages for your domains and e.g.
> route them into your mailbox. There's nothing wrong with this.

My English is bad, I have not explained myself well. I want my Postfix
mail server to be an authenticated SMTP server. In practice, right now, if you
configure an SMTP client with my server on port 25 with no authentication
you can use it. They are using it to send spam.


Re: smtp auth

2013-06-25 Thread Simon B
On 25 Jun 2013 15:04, "Fabrizio Monti"  wrote:
> My English is bad, I have not explained myself well. I want my Postfix
> mail server to be an authenticated SMTP server. In practice, right now, if you
> configure an SMTP client with my server on port 25 with no authentication
> you can use it. They are using it to send spam.

On port 25 you accept only mail you are responsible for.

On port 587 you accept any mail as long as it's authenticated.

If people are sending spam through port 25, you're an open relay. Smtp auth
is not the answer you want.

Simon


Re: smtp auth

2013-06-25 Thread Wietse Venema
Fabrizio Monti:
> > but when I try to send mail from client using port 25 without
> > authentication and sends the email to me, I do not want this, I do not
> > want it to work! Where am I doing wrong? Risce someone to tell me where
> > I'm wrong?

If you don't want to receive mail from the Internet, turn off the
port 25 (smtp) service in master.cf.

/etc/postfix/master.cf:
#smtp  inet  n   -   n   -   -   smtpd

Use the master.cf port 25 (smtp) service to receive and deliver
mail for your domain from the Internet.

Use the master.cf port 587 (submission) service to receive (and
relay or deliver) mail from authenticated users.

Wietse
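To make Simon's and Wietse's answers concrete: the list Fabrizio posted (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination) already accepts unauthenticated mail for the server's own domains and refuses relaying for anyone else, so SMTP AUTH on port 25 changes nothing about the spam. The script below is an added example of my own, not Postfix code: it models that restriction walk in Python with constructed Config/Session classes and sample addresses, and also shows the one way this list does relay for an unauthenticated client, namely a client inside mynetworks.

```python
"""Simplified model of how Postfix smtpd(8) walks the
smtpd_recipient_restrictions list posted in this thread:

    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Each restriction either returns a verdict (PERMIT / REJECT ...) or passes
(Postfix calls that DUNNO) to the next one; reaching the end of the list
permits.  Constructed example, not Postfix source code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Config:
    mynetworks: list
    mydestination: set
    virtual_alias_domains: set = field(default_factory=set)
    relay_domains: set = field(default_factory=set)


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool = False


def permit_mynetworks(cfg, sess, rcpt_domain):
    # A client inside $mynetworks may relay anywhere.  This is why a
    # too-wide mynetworks turns this otherwise correct list into an open relay.
    addr = ip_address(sess.client_ip)
    if any(addr in ip_network(net) for net in cfg.mynetworks):
        return "PERMIT"
    return None


def permit_sasl_authenticated(cfg, sess, rcpt_domain):
    return "PERMIT" if sess.sasl_authenticated else None


def reject_unauth_destination(cfg, sess, rcpt_domain):
    # Mail for domains this server is responsible for (mydestination,
    # virtual_alias_domains) or may relay for (relay_domains, matched with
    # subdomains as the parent_domain_matches_subdomains default does) passes;
    # every other destination is unauthorized relaying.
    if rcpt_domain in cfg.mydestination or rcpt_domain in cfg.virtual_alias_domains:
        return None
    for dom in cfg.relay_domains:
        if rcpt_domain == dom or rcpt_domain.endswith("." + dom):
            return None
    return "REJECT 554 5.7.1 Relay access denied"


RESTRICTIONS = (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination)


def rcpt_verdict(cfg, sess, recipient):
    """Verdict for one RCPT TO, e.g. 'PERMIT' or 'REJECT 554 5.7.1 Relay access denied'."""
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    for restriction in RESTRICTIONS:
        verdict = restriction(cfg, sess, rcpt_domain)
        if verdict is not None:
            return verdict
    return "PERMIT"  # end of list: Postfix's implicit default


# Constructed configuration in the spirit of the thread: the server hosts
# example.com, relays for example.net, and 192.0.2.0/24 is its LAN.
CFG = Config(
    mynetworks=["127.0.0.0/8", "192.0.2.0/24"],
    mydestination={"localhost"},
    virtual_alias_domains={"example.com"},
    relay_domains={"example.net"},
)
INTERNET = Session("198.51.100.7")                         # unknown, unauthenticated
AUTHED = Session("198.51.100.7", sasl_authenticated=True)  # same host after SASL AUTH
LAN = Session("192.0.2.9")                                 # inside mynetworks


if __name__ == "__main__":
    for sess, rcpt in [(INTERNET, "user@example.com"),        # inbound mail: accepted
                       (INTERNET, "victim@example.org"),      # relay attempt: refused
                       (AUTHED, "victim@example.org"),        # authenticated relay: accepted
                       (LAN, "victim@example.org"),           # mynetworks relay: accepted
                       (INTERNET, "user@mail.example.net")]:  # relay_domains subdomain
        print(f"{sess.client_ip:14} auth={sess.sasl_authenticated!s:5} "
              f"RCPT TO:<{rcpt}> -> {rcpt_verdict(CFG, sess, rcpt)}")
```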


Re: /etc/passwd Centos + postfix

2013-06-25 Thread Helga . Mayer


Ryan Patrick Fernandez wrote on Tue, 25 Jun 2013 20:58:32 +0800:

> On Jun 25, 2013, at 7:22 PM, Dejan Doder  wrote:
>
> > Hi group, I use system users with passwords defined in /etc/passwd.
> > How can users change their passwords ?

Have you got a webmail client ?
Horde/Imp comes with:

http://www.horde.org/apps/passwd

Helga





Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Craig R. Skinner
On 2013-06-24 Mon 20:24 PM |, Wietse Venema wrote:
> Craig R. Skinner:
> > The default aliases file does not indicate that;-
> > 
> > "The aliases(5) table provides a system-wide mechanism to redirect mail for 
> > LOCAL recipients."
> > 
> > "Users can control delivery of their own mail by setting up .forward files 
> > in their home directory."
> 
> Actually, it says:
> 
>The  aliases(5) table provides a system-wide mechanism to redirect mail
>for local recipients. The redirections are  processed  by  the  Postfix
>local(8) delivery agent.
> 
> And hence, it is processed by the local(8) delivery agent, which
> normally handles domains listed in mydestination.
> 

Well, that's the theory - but I don't see that happening when adhering
to the suggestions provided in this thread:

myorigin = $mydomain
mydestination = localhost, localhost.$mydomain
virtual_alias_domains = example.com ($mydomain)
mailbox_transport = lmtp:unix:private/dovecot-lmtp
...
...


Various combinations of these with the above don't trigger aliases
expansion:
append_dot_mydomain = no
local_transport = local:localhost

If local(8) was handling domains listed in mydestination (localhost) then
aliases should be parsed, but nope.


From http://www.postfix.org/postconf.5.html#mailbox_transport
The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport, 

From the logs I posted earlier, $mailbox_transport is getting evaluated,
but not aliases, which should come 1st.

However, alias expansion does occur when I do the NAUGHTY thing of
including $mydomain in $mydestination. Here notice that both aliases &
Dovecot ($mailbox_transport) are invoked, whereas in my earlier email
aliases were not, while Dovecot was for all items in
$virtual_alias_maps:


$ uptime | mail -s uptime daemon (<--- in aliases, not virtual_alias_maps)
Jun 25 14:04:08 server1 postfix/pickup[29023]: 51B8367E0: uid=7432 from=
Jun 25 14:04:08 server1 postfix/cleanup[154]: 51B8367E0: message-id=<20130625130408.51b836...@server1.example.com>
Jun 25 14:04:08 server1 postfix/qmgr[6613]: 51B8367E0: from=, size=389, nrcpt=1 (queue active)
Jun 25 14:04:08 server1 postfix/trivial-rewrite[2958]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains
Jun 25 14:04:08 server1 dovecot: lmtp(27263): Connect from local
Jun 25 14:04:08 server1 dovecot: lmtp(27263, admin-acct): wCqpOjmVyVF/agAANm01jw: sieve: msgid=<20130625130408.51b836...@server1.example.com>: stored mail into mailbox 'INBOX'
Jun 25 14:04:08 server1 postfix/lmtp[30743]: 51B8367E0: to=, orig_to=, relay=server1.example.com[private/dovecot-lmtp], delay=0.07, delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0  wCqpOjmVyVF/agAANm01jw Saved)
Jun 25 14:04:08 server1 dovecot: lmtp(27263): Disconnect from local: Client quit (in reset)
Jun 25 14:04:08 server1 postfix/qmgr[6613]: 51B8367E0: removed


Could it be vaguely related to?:-

Subject: Postfix stable release 2.10.1 and legacy releases 2.9.7, 2.8.15, 2.7.14

  * Bugfix (introduced: Postfix 2.0): when myhostname is not listed
in mydestination, the trivial-rewrite resolver may log "do not
list in both mydestination and ". The fix is to re-resolve a
domain-less address after adding $myhostname as the surrogate
domain, so that it pops out with the right address-class label.
Reported by Quanah Gibson-Mount.


As instructed, neither do I have myhostname listed in mydestination.

Comments?

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7


Re: /etc/passwd Centos + postfix

2013-06-25 Thread Dejan Doder
Thank you Helga

BR

Dejan




Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Wietse Venema
Craig R. Skinner:
> On 2013-06-24 Mon 20:24 PM |, Wietse Venema wrote:
> > Craig R. Skinner:
> > > The default aliases file does not indicate that;-
> > > 
> > > "The aliases(5) table provides a system-wide mechanism to redirect mail 
> > > for LOCAL recipients."
> > > 
> > > "Users can control delivery of their own mail by setting up .forward 
> > > files in their home directory."
> > 
> > Actually, it says:
> > 
> >The  aliases(5) table provides a system-wide mechanism to redirect 
> > mail
> >for local recipients. The redirections are  processed  by  the  
> > Postfix
> >local(8) delivery agent.
> > 
> > And hence, it is processed by the local(8) delivery agent, which
> > normally handles domains listed in mydestination.
> > 
> 
> Well, that's the theory - but I don't see that happening when adhering
> to the suggestions provided in this thread:
> 
> myorigin = $mydomain
> mydestination = localhost, localhost.$mydomain
> virtual_alias_domains = example.com ($mydomain)
> mailbox_transport = lmtp:unix:private/dovecot-lmtp

You need to show:

1 - One email address ending in localhost or localhost.$mydomain, 

2 - Logfile evidence that this email address is not bounced or
delivered by the local(8) delivery agent, 

3 - Configuration evidence in the form of postconf command output:
$ postconf myorigin mydestination virtual_alias_domains mailbox_transport

Otherwise, I will ignore this thread.

Wietse


Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Viktor Dukhovni
On Tue, Jun 25, 2013 at 02:53:47PM +0100, Craig R. Skinner wrote:

> > And hence, it is processed by the local(8) delivery agent, which
> > normally handles domains listed in mydestination.
> > 
> 
> Well, that's the theory - but I don't see that happening when adhering
> to the suggestions provided in this thread:

No it is a fact, but you seem too disorganized to follow directions
exactly as specified. :-(

> myorigin = $mydomain
> mydestination = localhost, localhost.$mydomain
> virtual_alias_domains = example.com
> mailbox_transport = lmtp:unix:private/dovecot-lmtp

> Various combinations of these with the above don't trigger aliases
> expansion:

> append_dot_mydomain = no

Don't do that.

> local_transport = local:localhost

Unnecessary, don't do that.

> If local(8) was handling domains listed in mydesti[nation] (localhost) then
> aliases should be parsed, but nope.

What evidence do you have that aliases are not expanded for mail handled
by local?

> Jun 25 14:04:08 server1 postfix/pickup[29023]: 51B8367E0: uid=7432 
> from=
> Jun 25 14:04:08 server1 postfix/cleanup[154]: 51B8367E0: 
> message-id=<20130625130408.51b836...@server1.example.com>
> Jun 25 14:04:08 server1 postfix/qmgr[6613]: 51B8367E0: 
> from=, size=389, nrcpt=1 (queue active)
> Jun 25 14:04:08 server1 postfix/trivial-rewrite[2958]: warning: do not list 
> domain example.com in BOTH mydestination and virtual_alias_domains

This configuration is not what you claim above, stop wasting the list's
time with misleading reports.

> Jun 25 14:04:08 server1 postfix/lmtp[30743]: 51B8367E0: 
> to=, orig_to=, 
> relay=server1.example.com[private/dovecot-lmtp], delay=0.07, 
> delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 
>  wCqpOjmVyVF/agAANm01jw Saved)

Were example.com in virtual_alias_domains, this message would have bounced.

> Comments?

Do get your act together and try exactly the configuration suggested,
without any tweaks.

0. All address -> address mappings in virtual(5).

1. No address-> address mappings in aliases(5).

2. localhost and localhost.$mydomain only in mydestination.

3. Your domain in virtual_alias_domains and myorigin.

4. In virtual(5) the LHS and RHS of all lookup keys include @domain:

al...@example.com   u...@example.com, otheru...@example.com
u...@example.com    useracct@localhost
otheru...@example.com   otheracct@localhost

5. Nothing in aliases(5) except aliases whose RHS is a ":include:" file
   if you need that feature (mailing list manager integration).

6. Handle "| command" aliases via .forward files of a designated
   account, rather than in the system aliases file.

7. Did I mention no address to address (or if you like account to
   account, address to account, account to address, ...) mappings in
   aliases(5)?  Place all of these in virtual(5). 

8. When testing, stop Postfix, check the configuration is what you want
   to test and save "postconf -n" output.  Start Postfix and run your
   tests.  Then report log entries that postdate the most recent Postfix
   stop/start.

9. Don't tinker with the configuration mid-test and report logs that
   don't match the reported configuration.

11. Yes local aliases(5) will still work when useracct@localhost is
processed by local(8), but best practice is to avoid user accounts as
lookup keys in /etc/aliases.

12. Local aliases(5) are not consulted when an address is missing
from virtual(5).  If you send email to "miss...@example.com" with
miss...@example.com not listed in virtual(5), then having an entry of
the form "missing: user" in aliases(5) will not help.  You must
include:

miss...@example.com missing@localhost

for missing to then be looked up in aliases(5), but if
missing needs to be sent to a different user, you should
use virtual(5) for that!  See 1 and 7 above.  Basically,
in most cases aliases(5) can and should be empty.

13. You can even set:

alias_database =
alias_maps =

and the question of whether aliases(5) lookups work becomes moot.
You'll only need aliases(5) for mailing list manager support, with
aliases(5) files that belong to the list manager account, so that
pipe commands there run under the correct account.

-- 
Viktor.


Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Craig R. Skinner
On 2013-06-25 Tue 10:14 AM |, Wietse Venema wrote:
> 
> You need to show:
> 
> 1 - One email address ending in localhost or localhost.$mydomain, 
> 

aliases:
root:   admin-acct
deamon: root
...
...

$ uptime | mail -s uptime daemon@localhost

> 2 - Logfile evidence that this email address is not bounced or
> delivered by the local(8) delivery agent, 
> 

Jun 25 15:25:52 server1 postfix/pickup[1694]: 5D6C167DC: uid=7432 from=
Jun 25 15:25:52 server1 postfix/cleanup[1739]: 5D6C167DC: message-id=<20130625142552.5d6c16...@server1.example.com>
Jun 25 15:25:52 server1 postfix/qmgr[8437]: 5D6C167DC: from=, size=399, nrcpt=1 (queue active)
Jun 25 15:25:52 server1 postfix/cleanup[1739]: 8C25B67DF: message-id=<20130625142552.5d6c16...@server1.example.com>
Jun 25 15:25:52 server1 postfix/qmgr[8437]: 8C25B67DF: from=, size=546, nrcpt=1 (queue active)
Jun 25 15:25:52 server1 postfix/local[22643]: 5D6C167DC: to=, orig_to=, relay=local, delay=0.3, delays=0.15/0.06/0/0.09, dsn=2.0.0, status=sent (forwarded as 8C25B67DF)
Jun 25 15:25:52 server1 postfix/qmgr[8437]: 5D6C167DC: removed
Jun 25 15:25:52 server1 postfix/error[16542]: 8C25B67DF: to=, orig_to=, relay=none, delay=0.2, delays=0.03/0.08/0/0.08, dsn=5.0.0, status=bounced (User unknown in virtual alias table)


> 3 - Configuration evidence in the form of postconf command output:
> $ postconf myorigin mydestination virtual_alias_domains mailbox_transport
> 

$ postconf myorigin mydestination virtual_alias_domains mailbox_transport
myorigin = $mydomain
mydestination = localhost, localhost.$mydomain
virtual_alias_domains = example.com
mailbox_transport = lmtp:unix:private/dovecot-lmtp


Thanks,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7


Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Viktor Dukhovni
On Tue, Jun 25, 2013 at 03:53:53PM +0100, Craig R. Skinner wrote:

> On 2013-06-25 Tue 10:14 AM |, Wietse Venema wrote:
> > 
> > You need to show:
> > 
> > 1 - One email address ending in localhost or localhost.$mydomain, 
> > 
> 
> aliases:
> root: admin-acct
> deamon:   root

Is this the right aliases(5) file?  Some systems use /etc/aliases,
others /etc/mail/aliases, ...  What does "postconf alias_database"
output?  What does "postconf alias_maps" output?

Has this file been munged into a suitable indexed database?

# postalias /some/aliases/file

Do queries return the expected results:

postmap -q daemon hash:/some/aliases/file

(replace hash with the alias map database type selected in main.cf).


> $ uptime | mail -s uptime daemon@localhost
> 
> > 2 - Logfile evidence that this email address is not bounced or
> > delivered by the local(8) delivery agent, 
> > 
> 
> Jun 25 15:25:52 server1 postfix/local[22643]: 5D6C167DC: 
> to=, orig_to=, relay=local, 
> delay=0.3, delays=0.15/0.06/0/0.09, dsn=2.0.0, status=sent (forwarded as 
> 8C25B67DF)
> Jun 25 15:25:52 server1 postfix/qmgr[8437]: 5D6C167DC: removed

This rewrite happened in virtual(5).

Jun 25 15:25:52 server1 postfix/error[16542]: 8C25B67DF: to=, orig_to=, relay=none, delay=0.2, delays=0.03/0.08/0/0.08, dsn=5.0.0, status=bounced (User unknown in virtual alias table)

The rewrite from daemon@localhost to r...@example.com happened via
virtual(5).  Your environment is messed up.


I'm done too.  Good luck.

-- 
Viktor.


Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Wolfgang Zeikat

In an older episode, on 2013-06-25 18:16, Viktor Dukhovni wrote:

> deamon: root

> $ uptime | mail -s uptime daemon@localhost

As you may not have noticed,
the alias
deamon is _not_ the same word as
daemon




Does Postfix understand "MX 0 ." ?

2013-06-25 Thread John Levine
There is a somewhat popular convention that if a domain publishes an
MX like this:

  whatever.example MX 0 .

it means the domain does not receive mail.  There was a draft about it
in 2005 but it's never been formally standardized and the question has
arisen how widely implemented it is.

I don't see anything about it in the postfix docs.  Does Postfix
do anything special with such an MX?  Or if not special, does it
fail deliveries?

R's,
John




Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread Wietse Venema
John Levine:
> There is a somewhat popular convention that if a domain publishes an
> MX like this:
> 
>   whatever.example MX 0 .
> 
> it means the domain does not receive mail.  There was a draft about it
> in 2005 but it's never been formally standardized and the question has
> arisen how widely implemented it is.
> 
> I don't see anything about it in the postfix docs.  Does Postfix
> do anything special with such an MX?  Or if not special, does it
> fail deliveries?

For all Postfix versions, this is an invalid MX hostname. As of
Postfix 2.3 an invalid result is a permanent error like NXDOMAIN.

In other words Postfix does the right thing for "MX 0 ." but
refuses to treat it like a special case.

Wietse


Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread Jim Reid
On 25 Jun 2013, at 18:01, "John Levine"  wrote:

> There is a somewhat popular convention that if a domain publishes an
> MX like this:
> 
>  whatever.example MX 0 .
> 
> it means the domain does not receive mail.

Well yes. But it only "works" as long as there are no A or AAAA records for . 
in the root zone. If that was ever to change, anyone who adopted this Bad Idea 
will be in for a nasty surprise.

> I don't see anything about it in the postfix docs.  Does Postfix
> do anything special with such an MX?  Or if not special, does it
> fail deliveries?

I don't see why any MTA would need or want to have special code to handle this. 
Or to deploy such code without a proper RFC underpinning it. [If there was an 
I-D about this which died all those years ago, that should give a fairly strong 
hint what the IETF thought of the idea.] IMO there's no justification to make 
MTAs treat the domain name(s) in the RDATA of some MX records as "special 
cases" which should be handled differently from other domain names that may be 
found there.

If someone doesn't want a domain name to get email, the solution is simple. 
Don't start an SMTP listener. For bonus points, don't publish MX records for 
the domain either. Avoid having A or AAAA records too, or at least make sure 
they go somewhere that doesn't listen for SMTP.

Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Wietse Venema
Craig R. Skinner:
> On 2013-06-25 Tue 10:14 AM |, Wietse Venema wrote:
> > 
> > You need to show:
> > 
> > 1 - One email address ending in localhost or localhost.$mydomain, 
> > 
> 
> aliases:
> root: admin-acct
> deamon:   root

That's deamon.

Second, you need admin-acct@localhost, root@localhost here.

> $ uptime | mail -s uptime daemon@localhost

That's daemon.

daemon is not deamon, I don't understand why you expect
that Postfix will treat them as the same thing.

Wietse


Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread John Peach
On Tue, 25 Jun 2013 18:22:22 +0100
Jim Reid  wrote:

> On 25 Jun 2013, at 18:01, "John Levine"  wrote:
> 
> > There is a somewhat popular convention that if a domain publishes an
> > MX like this:
> > 
> >  whatever.example MX 0 .
> > 
> > it means the domain does not receive mail.
> 
> Well yes. But it only "works" as long as there are no A or AAAA records for . 
> in the root zone. If that was ever to change, anyone who adopted this Bad 
> Idea will be in for a nasty surprise.

It's useful for rejecting email that purports to be from that domain

[snip]

-- 
John
GPG Public Key: 412934AC


Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread Viktor Dukhovni
On Tue, Jun 25, 2013 at 05:01:59PM -, John Levine wrote:

> There is a somewhat popular convention that if a domain publishes an
> MX like this:
> 
>   whatever.example MX 0 .
> 
> it means the domain does not receive mail.  There was a draft about it
> in 2005 but it's never been formally standardized and the question has
> arisen how widely implemented it is.
> 
> I don't see anything about it in the postfix docs.  Does Postfix
> do anything special with such an MX?  Or if not special, does it
> fail deliveries?

Postfix reluctantly supports this:

- Bounces mail addressed to such domains.

- Refuses mail from such domains when the administrator has chosen
  to use "reject_unknown_sender_domain" in SMTP server restrictions.

-- 
Viktor.


Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread Viktor Dukhovni
On Tue, Jun 25, 2013 at 06:22:22PM +0100, Jim Reid wrote:

> > it means the domain does not receive mail.
> 
> Well yes. But it only "works" as long as there are no A or AAAA
> records for . in the root zone. If that was ever to change, anyone
> who adopted this Bad Idea will be in for a nasty surprise.

This is inaccurate.  Postfix will not perform A/AAAA lookups for ".".

-- 
Viktor.


Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread Jim Reid

On 25 Jun 2013, at 18:53, Viktor Dukhovni  wrote:

> This is inaccurate.  Postfix will not perform A/AAAA lookups for ".".

True. But postfix is not the only MTA, even if it is the one that gets 
discussed on this list. :-)




Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread /dev/rob0
On Mon, Jun 24, 2013 at 10:49:49PM +0100, Craig R. Skinner wrote:
> On 2013-06-24 Mon 12:34 PM |, /dev/rob0 wrote:
> > On Mon, Jun 24, 2013 at 03:12:24PM +0100, Craig R. Skinner wrote:
> > > main.cf:
> > > myorigin = $mydomain # example.com
> > > mydestination = localhost, localhost.$mydomain
> > 
> > Here we see that $myorigin (nor $mydomain) is NOT listed in 
(typo fixed)
> > $mydestination.
> 
> Correct - refer back to earlier messages in the last few days.
> 
> > > However, aliases seems to be totally ignored.
> > > 
> > > When I move these from virtual_alias_maps back to aliases,
> > > mail to those convential aliases bounces:
> > > 
> > > aliases:
> > > root: admin-acct
> > 
> > I don't know if this was mentioned upthread or not, but you
> > seem to be making a common, wrong assumption about the meaning
> > of an unqualified address localpart, e.g., "admin-acct" in this 
> > example. You're probably thinking that means "deliver to the
> > Unix user 'admin-acct'",
> 
> Yes, that's my thinking of how aliases functions. (See below.)

And again, this is wrong.

> > when in fact it means "deliver to the address 
> > 'admin-acct@$myorigin'". If $myorigin (which you set to 
> > $mydomain) is not listed in $mydestination, local(8) delivery
> > is not used.
> 
> That could explain it.

Yes, that did explain it, but you're not getting it.

> > Likewise, aliases(5) ($alias_maps) are only consulted for 
> > addresses where the domain is listed in $mydestination. For
> > you, that's only localpart@localhost.$mydomain (or 
> > "localpart@localhost" also if you followed Jeroen's
> > suggestion of "append_dot_mydomain=no".)
> > 
> > OTOH virtual(5) ($virtual_alias_maps) mapping is applied to
> > all addresses, regardless of class.
> > 
> > Generally I'd say it's a best practice to always specify 
> > fully-qualified addresses on the RHS of $alias_maps
> 
> The default aliases file does not indicate that;-

(If you follow all the instructions beginning with the Basic 
Configuration README onwards, you'll have $myorigin in 
$mydestination.)

> "The aliases(5) table provides a system-wide mechanism to redirect 
> mail for LOCAL recipients."

Where the domain (RHS of the @ in an email address) is listed in 
$mydestination, yes.

> "Users can control delivery of their own mail by setting up 
> .forward files in their home directory."

Likewise.

> Which seems to mean that addresses on the RHS are often Unix 
> accounts.

It depends if that RHS is listed in $mydestination. If it is, yes, 
$local_transport is used. References provided below.

Once again, your $myorigin is NOT listed in $mydestination. This 
means that your unqualified localpart "addresses" are NOT "local".

> # The format of the alias database input file is as follows:
> #
> # o  An alias definition has the form
> #
> # name: value1, value2, ...
> #
> # The name is a local address (no domain part).
> #
> # The value contains one or more of the following:
> #
> # address
> #Mail is forwarded to address, which is compatible
> #with the RFC 822 standard.
> 
> Which to my reading means the RHS does not require the domain
> when it is a local Unix account. i.e. mail from Unix user56 to
> root is aliased.

This reading is not correct.

"The name is a local address (no domain part)." Refer back a line, 
the example is: "name: value1, value2, ..." The NAME is not the RHS, 
it's the LHS. The VALUE is the RHS.

When $myorigin is not listed in $mydestination, an unqualified 
localpart is not delivered to a Unix user by that name.

> > > Jun 24 14:37:25 server1 postfix/error[22953]: C15E367DC: 
> > > to=, orig_to=, relay=none, delay=0.26, 
> > > delays=0.14/0.06/0/0.06, dsn=5.0.0, status=bounced (User 
> > > unknown in virtual alias table)
> > 
> > Postfix has appended @$myorigin as documented. example.com is

See, mail to "root" was delivered to "root@$myorigin", as the 
reference link I gave you showed.

> Previously, the pair of primary postfix developers posted 
> remarkably similar proposed configs, with a virtual $mydomain not 
> listed plainly in $mydestination,

You keep saying $mydomain, which in your case is so because you set 
"myorigin=$mydomain". In fact the controlling setting is $myorigin, 
not $mydomain. And the reference link (omitted from the quoted 
material) is, again:

http://www.postfix.org/postconf.5.html#append_at_myorigin

This one says, in effect, that when Postfix is given an unqualified 
localpart where an email address is expected, it uses 
"localpart@$myorigin" as the actual address.

The other link was this (anchor added this time):

http://www.postfix.org/ADDRESS_CLASS_README.html#local_domain_class

This one would tell you how listing a domain in one of the class 
definitions (mydestination, relay_domains, virtual_alias_domains, 
virtual_mailbox_domains) controls how it is handled. Specifically 
that you must list

> and both including references to aliases eva
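The address-class rules /dev/rob0 walks through above, as an added worked model (not Postfix source, and not posted to the thread): a deliberately simplified resolver that applies append_at_myorigin, consults virtual(5) for every address, consults aliases(5) only for $mydestination domains, and bounces unmapped virtual_alias_domains addresses. The three configurations it compares follow the thread's own examples (Craig's layout, Wietse's qualified right-hand sides, Viktor's all-in-virtual layout).

```python
"""Simplified model of the recipient-resolution rules discussed in this
thread.  Added illustration, not Postfix source; it covers only the pieces
the thread turns on:

  * append_at_myorigin: an unqualified localpart becomes localpart@$myorigin;
  * virtual_alias_maps is applied to every address, whatever its class;
  * aliases(5) is consulted only when the domain is in $mydestination;
  * an address in a virtual_alias_domains domain with no virtual_alias_maps
    entry is bounced with "User unknown in virtual alias table".

Domains, users and alias entries below follow the thread's examples.
"""
from dataclasses import dataclass, field


@dataclass
class Config:
    myorigin: str
    mydestination: set
    virtual_alias_domains: set
    alias_maps: dict = field(default_factory=dict)          # aliases(5)
    virtual_alias_maps: dict = field(default_factory=dict)  # virtual(5)


def qualify(addr: str, cfg: Config) -> str:
    """append_at_myorigin: 'root' -> 'root@example.com' when myorigin=example.com."""
    return addr if "@" in addr else f"{addr}@{cfg.myorigin}"


def resolve(addr: str, cfg: Config, depth: int = 0) -> tuple:
    """Return ('local', unixuser), ('bounce', reason) or ('remote', address)."""
    if depth > 10:
        return ("bounce", "mail forwarding loop")
    addr = qualify(addr, cfg)
    localpart, domain = addr.rsplit("@", 1)
    # virtual(5) mapping applies to all address classes, and is recursive
    if addr in cfg.virtual_alias_maps:
        return resolve(cfg.virtual_alias_maps[addr], cfg, depth + 1)
    if domain in cfg.virtual_alias_domains:
        return ("bounce", "User unknown in virtual alias table")
    if domain in cfg.mydestination:
        # local domain class: aliases(5) is consulted here and only here;
        # an unqualified right-hand side is re-qualified with $myorigin
        if localpart in cfg.alias_maps:
            return resolve(cfg.alias_maps[localpart], cfg, depth + 1)
        return ("local", localpart)
    return ("remote", addr)  # not ours: relayed or refused by the restrictions


def as_posted() -> Config:
    """Craig's layout: example.com in myorigin and virtual_alias_domains,
    only the localhost names in mydestination, unqualified alias targets."""
    return Config(myorigin="example.com",
                  mydestination={"localhost", "localhost.example.com"},
                  virtual_alias_domains={"example.com"},
                  alias_maps={"root": "admin-acct", "daemon": "root"})


def qualified_aliases() -> Config:
    """Wietse's fix: qualify the aliases(5) right-hand sides with @localhost."""
    cfg = as_posted()
    cfg.alias_maps = {"root": "admin-acct@localhost", "daemon": "root@localhost"}
    return cfg


def all_in_virtual() -> Config:
    """Viktor's layout: every address-to-address mapping in virtual(5), fully
    qualified on both sides, nothing left in aliases(5)."""
    cfg = as_posted()
    cfg.alias_maps = {}
    cfg.virtual_alias_maps = {"daemon@example.com": "root@example.com",
                              "root@example.com": "admin-acct@localhost"}
    return cfg


if __name__ == "__main__":
    for name, cfg in (("as posted", as_posted()),
                      ("qualified aliases", qualified_aliases()),
                      ("all in virtual", all_in_virtual())):
        for rcpt in ("daemon", "daemon@localhost"):
            print(f"{name:18} {rcpt:18} -> {resolve(rcpt, cfg)}")
```

Under the posted layout both "daemon" and "daemon@localhost" end in the virtual-alias bounce from the log quoted earlier; qualifying the right-hand sides fixes the @localhost case but not bare "daemon", which still lands in example.com.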

Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Craig R. Skinner
On 2013-06-25 Tue 16:16 PM |, Viktor Dukhovni wrote:
> > 
> > aliases:
> > root:   admin-acct
> > deamon: root
> 
> Is this the right aliases(5) file?

Yes.

> Some systems use /etc/aliases,
> others /etc/mail/aliases, ...  What does "postconf alias_database"
> output?  What does "postconf alias_maps" output?
> 

$ postconf alias_maps alias_database config_directory
alias_maps = $alias_database
alias_database = btree:$config_directory/aliases
config_directory = /etc/postfix


> Has this file been munged into a suitable indexed database?
> 
> # postalias /some/aliases/file
> 

Yes.

> Do queries return the expected results:
> 
>   postmap -q daemon hash:/some/aliases/file
> 

Yes:

$ postmap -q daemon btree:/etc/postfix/aliases
root

$ postmap -q root btree:/etc/postfix/aliases
admin-acct


Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7


Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Craig R. Skinner
On 2013-06-25 Tue 18:27 PM |, Wolfgang Zeikat wrote:
> As you may not have noticed,
> the alias
> deamon is _not_ the same word as
> daemon

No Wolfgang, I hadn't noticed the minor typo in my email.

Thanks,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7


Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Craig R. Skinner
On 2013-06-25 Tue 13:45 PM |, Wietse Venema wrote:
> > aliases:
> > root:   admin-acct
> > deamon: root
> 
> That's deamon.
> 
> Second, you need admin-acct@localhost, root@localhost here.
> 

So the aliases file needs to have the RHS qualified with @localhost when
the machine's domain is virtual?


> > $ uptime | mail -s uptime daemon@localhost
> 
> That's daemon.
> 
> daemon is not deamon, I don't understand why you expect
> that Postfix will treat them as the same thing.
> 

Yes, I made a minor typo in that email. My mistake there.

Nevertheless, aliases was consistent with my testing.

Thanks,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7


Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Wietse Venema
Craig R. Skinner:
> On 2013-06-25 Tue 13:45 PM |, Wietse Venema wrote:
> > > aliases:
> > > root: admin-acct
> > > deamon:   root
> > 
> > That's deamon.
> > 
> > Second, you need admin-acct@localhost, root@localhost here.
> > 
> 
> So the aliases file needs to have the RHS qualified with @localhost when
> the machine's domain is virtual?

You need the domain name on the right-hand side of system account names,
because your configuration has the virtual domain in myorigin.

> Yes, I made a minor typo in that email. My mistake there.
> 
> Nevertheless, aliases was consistent with my testing.

I'm not going to waste time on debugging a configuration
based on modified evidence. Life is too short.

Good luck,

Wietse


Re: Local UNIX accounts, aliasing & rejecting mail to non-public UNIX accounts

2013-06-25 Thread Craig R. Skinner
On 2013-06-25 Tue 14:38 PM |, Viktor Dukhovni wrote:
> 
> > Jun 25 14:04:08 server1 postfix/pickup[29023]: 51B8367E0: uid=7432 
> > from=
> > Jun 25 14:04:08 server1 postfix/cleanup[154]: 51B8367E0: 
> > message-id=<20130625130408.51b836...@server1.example.com>
> > Jun 25 14:04:08 server1 postfix/qmgr[6613]: 51B8367E0: 
> > from=, size=389, nrcpt=1 (queue active)
> > Jun 25 14:04:08 server1 postfix/trivial-rewrite[2958]: warning: do not list 
> > domain example.com in BOTH mydestination and virtual_alias_domains
> 
> This configuration is not what you claim above, stop wasting the list's
> time with misleading reports.

Viktor, you deleted/ignored the part where I stated that I'd changed it:

On 2013-06-25 Tue 14:53 PM |, Craig R. Skinner wrote:
>
> However, alias expansion does occur when I do the NAUGHTY thing of
> including $mydomain in $mydestination.

It's clear enough if you read what I wrote.

> 
> > Jun 25 14:04:08 server1 postfix/lmtp[30743]: 51B8367E0: 
> > to=, orig_to=, 
> > relay=server1.example.com[private/dovecot-lmtp], delay=0.07, 
> > delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 
> >  wCqpOjmVyVF/agAANm01jw Saved)
> 
> Were example.com in virtual_alias_domains, this message would have bounced.
> 

That might be what you'd like to happen. I don't see Postfix acting that way.

Here in more detail (deliberately including mydomain in mydestination):

$ postconf \
 config_directory \
 alias_database \
 alias_maps \
 mydomain \
 myorigin \
 mydestination \
 virtual_alias_domains \
 virtual_alias_maps \
 mailbox_transport \
 sender_canonical_maps \
 masquerade_domains \
 remote_header_rewrite_domain \
 local_recipient_maps \
 mail_spool_directory \
 append_dot_mydomain \
 local_transport

config_directory = /etc/postfix
alias_database = btree:$config_directory/aliases
alias_maps = $alias_database
mydomain = example.com
myorigin = $mydomain
mydestination = localhost, localhost.$mydomain, $mydomain
virtual_alias_domains = example.com
virtual_alias_maps = btree:$config_directory/virtual_alias_maps.map
mailbox_transport = lmtp:unix:private/dovecot-lmtp
sender_canonical_maps = btree:$config_directory/canonical.map
masquerade_domains = $virtual_alias_domains
remote_header_rewrite_domain = address.invalid
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_spool_directory = /var/mail/
append_dot_mydomain = yes
local_transport = local:$myhostname

$ postmap -q daemon btree:/etc/postfix/aliases
root

$ postmap -q root btree:/etc/postfix/aliases
admin-acct

$ postmap -q daemon btree:/etc/postfix/virtual_alias_maps.map
[nothing]

$ postmap -q root btree:/etc/postfix/virtual_alias_maps.map
[nothing]

$ postmap -q server.admin btree:/etc/postfix/virtual_alias_maps.map
admin-acct@localhost


$ uname | mail -s uname daemon
Jun 25 19:39:03 server1 postfix/pickup[23791]: 46C026764: uid=7432 
from=
Jun 25 19:39:03 server1 postfix/cleanup[4734]: 46C026764: 
message-id=<20130625183903.46c026...@server1.example.com>
Jun 25 19:39:03 server1 postfix/qmgr[7589]: 46C026764: 
from=, size=328, nrcpt=1 (queue active)
Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list 
domain example.com in BOTH mydestination and virtual_alias_domains
Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list 
domain example.com in BOTH mydestination and virtual_alias_domains
Jun 25 19:39:03 server1 postfix/trivial-rewrite[30793]: warning: do not list 
domain example.com in BOTH mydestination and virtual_alias_domains
Jun 25 19:39:03 server1 dovecot: lmtp(23729): Connect from local
Jun 25 19:39:03 server1 dovecot: lmtp(23729, admin-acct): 
6epMMMfjyVGxXAAANm01jw: sieve: 
msgid=<20130625183903.46c026...@server1.example.com>: stored mail into mailbox 
'INBOX'
Jun 25 19:39:04 server1 postfix/lmtp[19198]: 46C026764: 
to=, orig_to=, 
relay=server1.example.com[private/dovecot-lmtp], delay=0.78, 
delays=0.14/0.07/0.39/0.19, dsn=2.0.0, status=sent (250 2.0.0 
 6epMMMfjyVGxXAAANm01jw Saved)
Jun 25 19:39:04 server1 dovecot: lmtp(23729): Disconnect from local: Client 
quit (in reset)
Jun 25 19:39:04 server1 postfix/qmgr[7589]: 46C026764: removed


Log evidence of no bounce when the mydomain is both in mydestination &
virtual_alias_domains. Also log evidence of aliases being parsed.


> > Comments?
> 
> 0. All address -> address mappings in virtual(5).
> 
> 1. No address-> address mappings in aliases(5).
> 
> 2. localhost and localhost.$mydomain only in mydestionation.
> 
> 3. Your domain in virtual_alias_domains and myorigin.
> 
> 4. In virtual(5) the LHS and RHS of all lookup keys include @domain:
> 
>   al...@example.com   u...@example.com, otheru...@example.com
>   u...@example.comuseracct@localhost
>   otheru...@example.com   otheracct@localhost
> 
> 5. Nothing in aliases(5) except aliases whose RHS is a ":include:" file
>if you need that feature (mailing list manager integration).

This is what I stated worked for me an ea

Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread John Levine
>> This is inaccurate.  Postfix will not perform A/AAAA lookups for ".".
>
>True. But postfix is not the only MTA, even if it is the one that gets 
>discussed on this list. :-)

I would say that if there are A or AAAA records for "." we have worse
problems than whether some poorly addressed mail bounces.

R's,
John


Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread John Levine
>If someone doesn't want a domain name to get email, the solution is simple. 
>Don't start an SMTP
>listener. For bonus points, don't publish MX records for the domain either. 
>Avoid having A or AAAA 
>records too, or at least make sure they go somewhere that doesn't listen for 
>SMTP.

That "works", but it will take a week of repeated connection attempts
before the message times out.  As I think I said, the person who asked
has a domain a typo away from a very popular one, and would like to
get rid of the unwanted traffic efficiently while still having his
web server or whatever on the A record.

The IETF had and currently has no opinion about this hack either way.
I'm trying to figure out whether it's worth resuscitating the draft
and publishing it.

R's,
John



Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread Viktor Dukhovni
On Tue, Jun 25, 2013 at 08:55:08PM -, John Levine wrote:

> > If someone doesn't want a domain name to get email, the solution
> > is simple. Don't start an SMTP listener. For bonus points, don't publish
> > MX records for the domain either. Avoid having A or AAAA records too, or
> > at least make sure they go somewhere that doesn't listen for SMTP.
> 
> That "works", but it will take a week of repeated connection attempts
> before the message times out.  As I think I said, the person who asked
> has a domain a typo away from a very popular one, and would like to
> get rid of the unwanted traffic efficiently while still having his
> web server or whatever on the A record.
> 
> The IETF had and currently has no opinion about this hack either way.
> I'm trying to figure out whether it's worth resuscitating the draft
> and publishing it.

It also acts as a joe-job deflector: receiving systems can drop mail
alleged to be from the domain as a forgery.

Does any MTA other than Postfix implement nullmx?  If this is
supported by Exim, Postfix, and Sendmail the rest have insignificant
market share on Unix.  Leaving largely in some order:

- Microsoft Exchange 

- Gmail

- Yahoo

- AOL

-- 
Viktor.


Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread Jim Reid
On 25 Jun 2013, at 21:55, "John Levine"  wrote:

> That "works", but it will take a week of repeated connection attempts
> before the message times out.

Seems like the right outcome for the circumstances you refer to: the problem 
lies with the end user who mistyped the domain name -- who does that any more? 
-- and they alone have to take corrective action to deal with the consequences 
of their mistake. Nobody else needs to do anything or care. Result!

> As I think I said, the person who asked
> has a domain a typo away from a very popular one, and would like to
> get rid of the unwanted traffic efficiently while still having his
> web server or whatever on the A record.

Tough. Whoever is in that position is presumably making enough money from the 
ads on his/her "typosquatted" web site to put up with the hassle.

> The IETF had and currently has no opinion about this hack either way.
> I'm trying to figure out whether it's worth resuscitating the draft
> and publishing it.

Well go ahead. The last attempt (if there was one) didn't get very far so maybe 
you'll do better this time round. Just publish the draft and stop talking about 
doing that.





Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread John Levine
>Does any MTA other than Postfix implement nullmx?

I did some experiments.  My qmail system rejects on nullmx immediately
for roughly the same reason postfix does, a general rejection on bad
MX records.

Among web mail, Yahoo rejects immediately, Gmail and AOL don't reject
immediately and I don't know yet what will eventually happen, and
Hotmail/Outlook.com sometimes gives an odd error message and sometimes
sends it, again dunno what will eventually happen.

So it's not universally implemented, but there's a significant part
of the mail world that does it.

R's,
John




Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread John Levine
>> As I think I said, the person who asked
>> has a domain a typo away from a very popular one, and would like to
>> get rid of the unwanted traffic efficiently while still having his
>> web server or whatever on the A record.
>
>Tough. Whoever is in that position is presumably making enough money from the 
>ads on his/her
>"typosquatted" web site to put up with the hassle.

This is not a typosquat, it's a live domain that happens by
coincidence to be close to some other domain that gets a lot of mail,
is in use for stuff other than e-mail, and wants the mail attempts to
stop.

But more important, I understand your position to be that anyone who
types an invalid domain in an e-mail address is a bad person, and
deserves to be punished for it by not learning for a week that the
message bounced.  Interesting viewpoint.

R's,
John


Re: /etc/passwd Centos + postfix

2013-06-25 Thread Thomas Harold

On 6/25/2013 8:31 AM, Dejan Doder wrote:

yes I know that , but how users will change passwords by themselves ?


Long-term, I recommend moving away from local users and towards virtual 
users with the accounts stored in a SQL database.  Which lets you use 
things like PostfixAdmin or other database-driven tools.


It's a lot harder for users to damage the mail server if they don't have 
a login account.




Re: Does Postfix understand "MX 0 ." ?

2013-06-25 Thread DTNX Postmaster
On Jun 25, 2013, at 23:55, John Levine  wrote:

>>> As I think I said, the person who asked
>>> has a domain a typo away from a very popular one, and would like to
>>> get rid of the unwanted traffic efficiently while still having his
>>> web server or whatever on the A record.
>> 
>> Tough. Whoever is in that position is presumably making enough money from 
>> the ads on his/her
>> "typosquatted" web site to put up with the hassle.
> 
> This is not a typosquat, it's a live domain that happens by
> coincidence to be close to some other domain that gets a lot of mail,
> is in use for stuff other than e-mail, and wants the mail attempts to
> stop.

We have a two-letter domain that gets quite a bit of delivery attempts 
from a three-letter domain that belongs to a large university here. Our 
registration predates theirs by eight months, but they have both been 
registered by their original owners for 15+ years.

I am not sure how they manage to keep forgetting that extra letter in 
the days of synced address books and whatnot, especially when the part 
in front of the @ sign is often ten times as long, but there ya go. It 
happens.

> But more important, I understand your position to be that anyone who
> types an invalid domain in an e-mail addresses is a bad person, and
> deserves to be punished for it by not learning for a week that the
> message bounced.  Interesting viewpoint.

How about running a basic MTA for that domain on that IP address, one 
that rejects all mail to said domain? Or adding MX records to another 
server that does the same?

Instant rejection, problem solved?

Mvg,
Jona



Blacklist IP with a reject message

2013-06-25 Thread Abhijeet Rastogi
Hi all,

Straight to the point: I ban IPs using fail2ban based on 4 jails. The
reasons vary from brute-force SASL login attacks from specific IPs to the number
of attempts to send suspect/confirmed spam mails. Right now, there is an
iptables rule that starts dropping packets for an IP. This is highly
undesirable, as sometimes this IP is a NAT server's IP for an org, and there
are cases where SMTP packets from all clients of that org get dropped and
they have no clue whatsoever.

For now, I want to start rejecting connects with a REJECT message that can
be different for different IPs. One way I could do is using "access" file
and adding IPs to it. Unfortunately, it will work for a single server but
not for a cluster of outbound servers.

Questions:
1. If I use the "access" file to block IPs, it's a challenge to keep all
servers' data in sync. Also, it'll require me to run postmap each and every
time the file changes; does that affect postfix performance in any way?
2. I thought of the option of writing a milter using python where I could keep
one Redis instance as master & the rest of the outbound servers will have a slave
Redis server. Each time a connect happens, I'll check the IP against my
local Redis instance and act accordingly. I think it's overkill. What do
you guys think?
3. I could also write a policy server. Is there already a policy server
that's as simple as blocking IPs based on an ACL? But then, I'll have to run
a local mysql server also.

For now,  my postfix instance supports these lookup tables.

$ postconf -c /etc/postfix -m
btree
cidr
environ
hash
internal
nis
pcre
pgsql
proxy
regexp
static
tcp
texthash
unix

None of them is a database that's light like Redis and supports
master-slave configuration. Can you suggest what are my options?

-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com
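Of the three options listed above, a policy server is the one that needs no new Postfix lookup table type, and the reject text can differ per entry. As an added example, not posted to the thread and not shipped with Postfix, here is a minimal SMTPD policy-delegation handler in Python: it parses the name=value request Postfix sends, matches client_address against CIDR entries, and answers REJECT with that entry's text or DUNNO. The in-memory BLOCKLIST and SAMPLE_REQUEST are constructed; in a cluster a shared store (a Redis replica, a synced file) would take BLOCKLIST's place, and the listener address is an assumption.

```python
"""Minimal Postfix SMTPD policy service: reject blocklisted client IPs with a
per-entry message.  Added example, not from the thread or from Postfix.

Protocol (SMTPD_POLICY_README): Postfix sends "name=value" lines ending with
an empty line; the server answers "action=<verb>" ending with an empty line,
and several requests may follow each other on one connection.
Hooked in with, e.g.:
    smtpd_client_restrictions = check_policy_service inet:127.0.0.1:10040, ...
"""
import ipaddress
import socketserver

# (network, reject text) -- constructed sample entries; a shared store such as
# a local Redis replica would feed this in a multi-server setup
BLOCKLIST = [
    (ipaddress.ip_network("192.0.2.0/24"),
     "5.7.1 too many SASL login failures; contact postmaster@example.com"),
    (ipaddress.ip_network("198.51.100.17/32"),
     "5.7.1 spam reported from this host"),
]

# constructed request, as Postfix would send it at RCPT time
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.45\n"
    "client_name=mail.example.org\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.com\n"
    "\n"
)


def parse_request(raw: str) -> dict:
    """Turn one name=value block into a dict; the empty line ends it."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def lookup(client_address: str):
    """Reject text for the most specific matching network, or None."""
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return None  # e.g. 'unknown' for some local submissions
    matches = [(net, text) for net, text in BLOCKLIST
               if ip.version == net.version and ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def decide(attrs: dict) -> str:
    """Map a parsed request to a policy verb; DUNNO defers to later restrictions."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    text = lookup(attrs.get("client_address", ""))
    return f"REJECT {text}" if text else "DUNNO"


def handle_request(raw: str) -> str:
    """Full round trip: request block in, response block out."""
    return f"action={decide(parse_request(raw))}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Answer every blank-line-terminated request on a persistent connection."""
    def handle(self):
        buf = []
        for line in self.rfile:
            line = line.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                buf.append(line)
                continue
            self.wfile.write(handle_request("\n".join(buf) + "\n\n").encode())
            self.wfile.flush()
            buf = []


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```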