From: Nikolaos Milas on 29 Jul 2010 09:07

Hello,

I have been setting up a new mail server for our organization, which has different mailservers, one for each subdomain. The new server will take over the whole organization using LDAP and Postfix/Dovecot, and things up to now are looking (almost) nice.

However, I have this problem:

Currently, I have activated the new mailserver (by configuring our incoming mail gateway, which filters for spam/viruses) to receive mail ONLY for the base domain, domain.com, and NOT for the subdomains a.domain.com, b.domain.com (but we are planning to gradually migrate all of the subdomains too, by simply adding the subdomains to the virtual_mailbox_domains directive and configuring our mail gateway - which is our MX for the mail domain and all subdomains - to deliver to the new server rather than to the current mail servers of the subdomains). But, although I have tried hard and read many articles, I cannot stop Postfix on the new server from receiving email for the subdomains as well. Of course the problem occurs when the mail is leaving from the new domain.com mail server - otherwise, when email comes from our only point of entrance (our antispam-antivirus gateway), emails reach the correct subdomain servers without problems (which is natural).

I have even set the "parent_domain_matches_subdomains =" directive to an empty value to avoid receiving for subdomains, but it didn't solve the issue.

I have come to the conclusion that the problem is caused by aliases. So, for example, I have defined in LDAP alias tables (ldap-aliases.cf) that userx (matched by %u) should be translated to uid userx (found by ldap-users.cf), whose mail is both userx(a)domain.com AND userx(a)a.domain.com (this has been done in anticipation of subdomain consolidation to the same server, where both email addresses will work in parallel and lead to the same mailbox).

So, when I send mail to userx(a)a.domain.com, this is matched in the alias tables with userx, which in turn is then matched to userx(a)domain.com (I can see in the logs: "to=<userx(a)domain.com>, orig_to=<userx(a)a.domain.com>, relay=virtual") and is delivered locally. Instead, the Postfix server should have understood from the very beginning that it is not responsible for a.domain.com and should have relayed the email to the MX of a.subdomain.com (whatever it is), without any processing whatsoever (that is, before alias or other processing).

The MX for the destination (as seen by the Postfix machine) is correct (real IPs - all are public - and domain names are changed for obvious reasons):

# nslookup -q=MX a.domain.com
Server:         10.10.11.10
Address:        10.10.11.10#53

a.domain.com    mail exchanger = 50 mail.a.domain.com.
a.domain.com    mail exchanger = 10 mailgw.a.domain.com.

....and reachable:

# telnet mailgw.a.domain.com 25
Trying 10.10.11.12...
Connected to mailgw.a.domain.com (10.10.11.12).
Escape character is '^]'.
220 mailgw.a.domain.com ESMTP

So, what am I doing wrong? Or may it be a bug?

My installation is package: postfix-2.3.3-2.1.el5_2 on CentOS 5.5

My configuration files follow (I have changed real domain names, for obvious reasons):

# postconf -n
alias_database = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases, hash:/etc/postfix/aliases.d/sympa_aliases
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_header_rewrite_clients = static:all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.com
myhostname = mailer.domain.com
mynetworks = 10.10.10.0/24, 10.10.11.0/24, 10.10.12.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mykey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases, hash:/etc/postfix/aliases.d/sympa_aliases, ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:500

# cat ldap-aliases.cf
server_host = ldaps://orgldap.domain.com
search_base = ou=Aliases, dc=domain, dc=com
version = 3
scope = sub
query_filter = (|(mailacceptinggeneralid=%u)(&(objectClass=nisMailAlias)(cn=%u)))
result_attribute = maildrop, uid
bind = yes
bind_dn = uid=systemuser,ou=System,dc=domain,dc=com
bind_pw = ***************

# cat ldap-users.cf
server_host = ldap://orgldap.domain.com
search_base = ou=people,dc=domain,dc=com
version = 3
query_filter = (mail=%s)
result_attribute = uid
result_format = %s/Maildir/
bind = yes
bind_dn = uid=systemuser,ou=System,dc=domain,dc=com
bind_pw = ***************

Thanks in advance for your help.

Nick Milas
Athens, Greece
From: Noel Jones on 29 Jul 2010 11:24

On 7/29/2010 8:07 AM, Nikolaos Milas wrote:
> Hello,
>
> I have been setting up a new mail server for our organization, which has different mailservers, one for each subdomain. The new server will take over the whole organization using LDAP and Postfix/Dovecot, and things up to now are looking (almost) nice.
>
> However, I have this problem:
>
> Currently, I have activated the new mailserver (by configuring our incoming mail gateway, which filters for spam/viruses) to receive mail ONLY for the base domain, domain.com, and NOT for the subdomains a.domain.com, b.domain.com (but we are planning to gradually migrate all of the subdomains too, by simply adding the subdomains to the virtual_mailbox_domains directive and configuring our mail gateway - which is our MX for the mail domain and all subdomains - to deliver to the new server rather than to the current mail servers of the subdomains). But, although I have tried hard and read many articles, I cannot stop Postfix on the new server from receiving email for the subdomains as well. Of course the problem occurs when the mail is leaving from the new domain.com mail server - otherwise, when email comes from our only point of entrance (our antispam-antivirus gateway), emails reach the correct subdomain servers without problems (which is natural).
>
> I have even set the "parent_domain_matches_subdomains =" directive to an empty value to avoid receiving for subdomains, but it didn't solve the issue.
>
> I have come to the conclusion that the problem is caused by aliases. So, for example, I have defined in LDAP alias tables (ldap-aliases.cf) that userx (matched by %u) should be translated to uid userx (found by ldap-users.cf), whose mail is both userx(a)domain.com AND userx(a)a.domain.com (this has been done in anticipation of subdomain consolidation to the same server, where both email addresses will work in parallel and lead to the same mailbox). So, when I send mail to userx(a)a.domain.com, this is matched in the alias tables with userx, which in turn is then matched to userx(a)domain.com (I can see in the logs: "to=<userx(a)domain.com>, orig_to=<userx(a)a.domain.com>, relay=virtual") and is delivered locally. Instead, the Postfix server should have understood from the very beginning that it is not responsible for a.domain.com and should have relayed the email to the MX of a.subdomain.com (whatever it is), without any processing whatsoever (that is, before alias or other processing).

As documented, virtual_alias_maps applies to all mail. If you don't want to process some virtual aliases, don't put them in your table.

-- Noel Jones
From: Nikolaos Milas on 30 Jul 2010 04:34

Thank you Noel for this clarification. I tested and you are right - I had not realized it from the documentation: virtual_alias_maps are always evaluated first, regardless of what the hosted domains on the server are! So, if we put userx in virtual_alias_maps, this will match userx(a)all.domains, even domains not hosted on our server.

The solution, of course, in my case, is to use a fully qualified alias (i.e. including the domain specification) in virtual_alias_maps: if we use userx(a)domain.com, we will allow userx(a)a.domain.com to be forwarded correctly, because it will not be matched by a virtual alias. (I tested and it works.)

But, let me ask one more question: Is there a way to define alias maps (where we can define aliases without domain specification) which affect ONLY virtual_mailbox_domains? Alternatively, is it allowed to use an entry like userx@$virtual_mailbox_domains (or similar) in virtual_alias_maps?

This would allow easier configuration in cases where we host multiple domains (on the Postfix server) and we would want one alias to catch userx for all these hosted domains (and only these).

Thanks again,
Nick

On 29/7/2010 6:24 PM, Noel Jones wrote:
> On 7/29/2010 8:07 AM, Nikolaos Milas wrote:
>> Hello,
>>
>> I have been setting up a new mail server for our organization, which has different mailservers, one for each subdomain. The new server will take over the whole organization using LDAP and Postfix/Dovecot, and things up to now are looking (almost) nice.
>>
>> However, I have this problem:
>>
>> Currently, I have activated the new mailserver (by configuring our incoming mail gateway, which filters for spam/viruses) to receive mail ONLY for the base domain, domain.com, and NOT for the subdomains a.domain.com, b.domain.com (but we are planning to gradually migrate all of the subdomains too, by simply adding the subdomains to the virtual_mailbox_domains directive and configuring our mail gateway - which is our MX for the mail domain and all subdomains - to deliver to the new server rather than to the current mail servers of the subdomains). But, although I have tried hard and read many articles, I cannot stop Postfix on the new server from receiving email for the subdomains as well. Of course the problem occurs when the mail is leaving from the new domain.com mail server - otherwise, when email comes from our only point of entrance (our antispam-antivirus gateway), emails reach the correct subdomain servers without problems (which is natural).
>>
>> I have even set the "parent_domain_matches_subdomains =" directive to an empty value to avoid receiving for subdomains, but it didn't solve the issue.
>>
>> I have come to the conclusion that the problem is caused by aliases. So, for example, I have defined in LDAP alias tables (ldap-aliases.cf) that userx (matched by %u) should be translated to uid userx (found by ldap-users.cf), whose mail is both userx(a)domain.com AND userx(a)a.domain.com (this has been done in anticipation of subdomain consolidation to the same server, where both email addresses will work in parallel and lead to the same mailbox). So, when I send mail to userx(a)a.domain.com, this is matched in the alias tables with userx, which in turn is then matched to userx(a)domain.com (I can see in the logs: "to=<userx(a)domain.com>, orig_to=<userx(a)a.domain.com>, relay=virtual") and is delivered locally. Instead, the Postfix server should have understood from the very beginning that it is not responsible for a.domain.com and should have relayed the email to the MX of a.subdomain.com (whatever it is), without any processing whatsoever (that is, before alias or other processing).
>
> As documented, virtual_alias_maps applies to all mail. If you don't
> want to process some virtual aliases, don't put them in your table.
>
> -- Noel Jones
>
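An added configuration example, not part of the thread: the ldap-aliases.cf from the first message, with the one change that makes the alias table stop swallowing mail for subdomains this server does not host. The `domain` parameter of ldap_table(5) restricts which keys are ever looked up; that parameter is standard Postfix behaviour I am relying on, not something the thread states, and the `/etc/postfix/hosted_domains` file is an assumed name.

```ini
# /etc/postfix/ldap-aliases.cf (added example; same server, base and bind
# settings as in the original message, placeholder values kept as they were)
server_host = ldaps://orgldap.domain.com
search_base = ou=Aliases, dc=domain, dc=com
version = 3
scope = sub
bind = yes
bind_dn = uid=systemuser,ou=System,dc=domain,dc=com
bind_pw = ***************

# The cause of the misdelivery: %u is the local part only, so the domain of
# the recipient is discarded before the search and "userx" matches
# userx@a.domain.com just as well as userx@domain.com.
query_filter = (|(mailacceptinggeneralid=%u)(&(objectClass=nisMailAlias)(cn=%u)))
result_attribute = maildrop, uid

# The fix: only fully qualified keys whose domain appears in this list are
# looked up at all. Bare "userx", bare "@domain" and user@<anything not
# listed> never reach LDAP, so mail for userx@a.domain.com falls through
# the alias table untouched and is relayed to that subdomain's MX, while
# unqualified alias names in LDAP keep working for the hosted domains.
# ldap_table(5) accepts a literal list, a file, or a type:table here; an
# assumed hash file lets main.cf share the same list:
#   virtual_mailbox_domains = hash:/etc/postfix/hosted_domains
# and each subdomain is added to that file at the moment it is migrated.
domain = hash:/etc/postfix/hosted_domains

# Checks, run on the Postfix host after "postmap hash:/etc/postfix/hosted_domains":
#   postmap -q userx@domain.com   ldap:/etc/postfix/ldap-aliases.cf  -> alias target
#   postmap -q userx@a.domain.com ldap:/etc/postfix/ldap-aliases.cf  -> no output
# The second lookup returning nothing is what you want to see before the
# gateway is repointed; "orig_to=<userx@a.domain.com>, relay=virtual" in the
# log means the table still matches and the domain list needs checking.
```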