From: Phil Howard on 25 May 2010 09:24

I'd like to do something like this. I have a domain, let's call it
example.com. This domain has a set of users. I want to have email
accepted for any user in any hostname that is a part of this domain.
And, regardless of which hostname in this domain was involved, if the
user doesn't exist, the RCPT command should be rejected. This would
correspond to using a wildcard (e.g. a * label) in DNS for the zone
for that domain. The ability to make exceptions for this (e.g. a
special hostname in the domain handled differently) would be a plus,
but not essential. It seems what I need is some kind of RCPT command
time rewrite.

From: Wietse Venema on 25 May 2010 10:36

Phil Howard:
> I'd like to do something like this. I have a domain, let's call it
> example.com. This domain has a set of users. I want to have email
> accepted for any user in any hostname that is a part of this domain.
> And, regardless of which hostname in this domain was involved, if the
> user doesn't exist, the RCPT command should be rejected. This would
> correspond to using a wildcard (e.g. a * label) in DNS for the zone
> for that domain. The ability to make exceptions for this (e.g. a
> special hostname in the domain handled differently) would be a plus,
> but not essential. It seems what I need is some kind of RCPT command
> time rewrite.

Postfix supports wildcards via regexp/pcre tables.

1) You can use them for all the tables that define Postfix address
   classes: mydestination + aliases, virtual_alias_domains +
   virtual_alias_maps, virtual_mailbox_domains + virtual_mailbox_maps,
   relay_domains + relay_recipient_maps.

   Simply replacing one domain name by another does not produce the
   expected result.

2) Postfix 2.7 supports SMTP command rewriting (smtpd_command_filter)
   However this would produce an incorrect error message:

   RCPT TO:<user@foo.example.com>
       smtpd_command_filter strips this to ``RCPT TO:<user@example.com>''
       The Postfix SMTP server then responds with:
   550 5.1.1 <user@example.com> User unknown

        Wietse

From: Phil Howard on 25 May 2010 11:23

On Tue, May 25, 2010 at 10:36, Wietse Venema <wietse@porcupine.org> wrote:

> Postfix supports wildcards via regexp/pcre tables.
>
> 1) You can use them for all the tables that define Postfix address
>    classes: mydestination + aliases, virtual_alias_domains +
>    virtual_alias_maps, virtual_mailbox_domains + virtual_mailbox_maps,
>    relay_domains + relay_recipient_maps.
>
>    Simply replacing one domain name by another does not produce the
>    expected result.

That's what I'm afraid of ... particularly if it can result in
backscatter or open relay. I need to get the test of the valid user
done at RCPT time, obviously. But the addressed domain could be
foobar.example.com or xyzzy.example.com or anything else in front of
the domain, without me knowing what these could be in advance. So I
can't just have a table of all possible valid user@hostpart.domain. I
can have all valid user@domain even though RCPT can name
user@hostpart.domain.

If there is no way to do that as-is, maybe a possible source hack
would be to make RCPT repeat the lookup, if it fails for
user@hostpart.domain, with user@*.domain (where the * is literal) on
the same table. More generally, it would strip off each part of the
hostname, leaving one instance of *. in front, until nothing is left
(maybe looking up user@* or maybe not). But, of course, I really
don't know the overall impact of this considering all parts. It would
have to be done at RCPT time to avoid being a backscatter source, and
also done at rewriting to get it delivered to the right place.

> 2) Postfix 2.7 supports SMTP command rewriting (smtpd_command_filter)
>    However this would produce an incorrect error message:
>
>    RCPT TO:<user@foo.example.com>
>        smtpd_command_filter strips this to ``RCPT TO:<user@example.com>''
>        The Postfix SMTP server then responds with:
>    550 5.1.1 <user@example.com> User unknown

Even if user@example.com really exists (and is the intended
destination for user@anything.example.com)?

From: Noel Jones on 25 May 2010 11:44

On 5/25/2010 10:23 AM, Phil Howard wrote:
> On Tue, May 25, 2010 at 10:36, Wietse Venema <wietse@porcupine.org> wrote:
>
>> Postfix supports wildcards via regexp/pcre tables.
>>
>> 1) You can use them for all the tables that define Postfix address
>>    classes: mydestination + aliases, virtual_alias_domains +
>>    virtual_alias_maps, virtual_mailbox_domains + virtual_mailbox_maps,
>>    relay_domains + relay_recipient_maps.
>>
>>    Simply replacing one domain name by another does not produce the
>>    expected result.
>
> That's what I'm afraid of ... particularly if it can result in
> backscatter or open relay. I need to get the test of the valid user
> done at RCPT time, obviously. But the addressed domain could be
> foobar.example.com or xyzzy.example.com or anything else in front of
> the domain, without me knowing what these could be in advance. So I
> can't just have a table of all possible valid user@hostpart.domain. I
> can have all valid user@domain even though RCPT can name
> user@hostpart.domain.
>
> If there is no way to do that as-is, maybe a possible source hack
> would be to make RCPT repeat the lookup, if it fails for
> user@hostpart.domain, with user@*.domain (where the * is literal) on
> the same table. More generally, it would strip off each part of the
> hostname, leaving one instance of *. in front, until nothing is left
> (maybe looking up user@* or maybe not). But, of course, I really
> don't know the overall impact of this considering all parts. It would
> have to be done at RCPT time to avoid being a backscatter source, and
> also done at rewriting to get it delivered to the right place.

If these are local domains listed in $mydestination, you can use a
regexp mydestination table to accept *.example.com and the bare
username lookup will take care of itself. All system users and
aliases would be valid in any subdomain; all unlisted recipients
would be rejected during SMTP.

Exceptions can be rejected by a check_recipient_access map.

This is standard postfix behavior, no hacks or awkward config
gyrations needed.

With other address classes, it gets considerably more complicated as
Wietse outlined. I suppose if you were using *sql tables a clever
query could strip off the subdomain when validating recipients.

  -- Noel Jones

>> 2) Postfix 2.7 supports SMTP command rewriting (smtpd_command_filter)
>>    However this would produce an incorrect error message:
>>
>>    RCPT TO:<user@foo.example.com>
>>        smtpd_command_filter strips this to ``RCPT TO:<user@example.com>''
>>        The Postfix SMTP server then responds with:
>>    550 5.1.1 <user@example.com> User unknown
>
> Even if user@example.com really exists (and is the intended
> destination for user@anything.example.com)?

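The RCPT-time outcome of the setup Noel Jones describes above, modelled as an added example that is not part of the original thread and is not Postfix code. The table contents, the user set, the exception host special.example.com and the abbreviated reply texts are all assumptions; the second mydestination pattern shows why the regexp must be anchored, which bears on the open-relay concern raised earlier.

```python
import re

# Constructed tables in Postfix regexp-table syntax ("/pattern/ result").
MYDEST_ANCHORED = r"/^(.+\.)?example\.com$/  OK"
MYDEST_UNANCHORED = r"/example\.com/  OK"
RCPT_ACCESS = r"/@special\.example\.com$/  REJECT"   # hypothetical exception host
LOCAL_USERS = {"phil", "postmaster"}   # stands in for system users + aliases


def parse_table(text):
    """Return [(compiled_regex, result)] for each '/pattern/ result' line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*/(.*)/\s+(\S.*)$", line)
        if m:  # blank lines and '#' comments simply do not match
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup(table_text, key):
    """First matching rule wins, as in a regexp table; None if no match."""
    for rx, result in parse_table(table_text):
        if rx.search(key):
            return result
    return None


def rcpt_decision(address, mydest_table):
    """Simplified model of the RCPT TO outcome (reply texts abbreviated)."""
    local, _, domain = address.rpartition("@")
    if (lookup(RCPT_ACCESS, address) or "").startswith("REJECT"):
        return "554 access denied"          # check_recipient_access exception
    if lookup(mydest_table, domain) is None:
        return "554 relay access denied"    # domain is not a local destination
    if local.lower() not in LOCAL_USERS:    # bare-username lookup
        return "550 5.1.1 user unknown"
    return "250 ok"


if __name__ == "__main__":
    for rcpt in ("phil@foobar.example.com", "nobody@xyzzy.example.com",
                 "phil@special.example.com", "phil@example.com.other.test"):
        print(rcpt, "->", rcpt_decision(rcpt, MYDEST_ANCHORED),
              "| unanchored:", rcpt_decision(rcpt, MYDEST_UNANCHORED))
```

With the unanchored pattern, a foreign domain that merely contains example.com is treated as a local destination, so the pattern in a real mydestination table should carry both `^` and `$`.
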
From: Wietse Venema on 25 May 2010 12:37

Phil Howard:
> On Tue, May 25, 2010 at 10:36, Wietse Venema <wietse@porcupine.org> wrote:
>
> > Postfix supports wildcards via regexp/pcre tables.
> >
> > 1) You can use them for all the tables that define Postfix address
> >    classes: mydestination + aliases, virtual_alias_domains +
> >    virtual_alias_maps, virtual_mailbox_domains + virtual_mailbox_maps,
> >    relay_domains + relay_recipient_maps.
> >
> >    Simply replacing one domain name by another does not produce the
> >    expected result.
>
> That's what I'm afraid of ... particularly if it can result in
> backscatter or open relay. I need to get the test of the valid user
> done at RCPT time, obviously. But the addressed domain could be
> foobar.example.com or xyzzy.example.com or anything else in front of
> the domain, without me knowing what these could be in advance. So I
> can't just have a table of all possible valid user@hostpart.domain. I
> can have all valid user@domain even though RCPT can name
> user@hostpart.domain.

Postfix supports wildcards via regexp/pcre tables:

    /^user@.*\.example\.com$/

will match the user in any subdomain of example.com.

> > 2) Postfix 2.7 supports SMTP command rewriting (smtpd_command_filter)
> >    However this would produce an incorrect error message:
> >
> >    RCPT TO:<user@foo.example.com>
> >        smtpd_command_filter strips this to ``RCPT TO:<user@example.com>''
> >        The Postfix SMTP server then responds with:
> >    550 5.1.1 <user@example.com> User unknown

In this example, the user really does not exist. Postfix does not
produce an error message when user@example.com exists.

        Wietse