(no subject)

From: James G. McIntyre (jimmcintyresecurity.com)
Date: Mon Jul 17 2006 - 16:41:04 CDT


> On Monday, July 17, 2006 at 20:59 CEST,
> "James G. McIntyre" <jimmcintyresecurity.com> wrote:
>
>> Most of the entries are in the following format:
>>
>> user1@hosted-domain1.com localuser1
>> user2@hosted-domain2.com localuser2
>> user3@hosted-domain3.com localuser3
>
> So the resulting addresses become localuser1@$myorigin etc.
>
>> The following entry was made for testing purposes, but to no avail.
>>
>> firstname.user4@hosted-domain4.com localuser4@hosted-domain4.com
>
> Unless the domain in question is listed in mydestination this will
> surely not work.
>
> It seems that you can just list all hosted domains in mydestination,
> but without a more complete picture of what you're trying to achieve
> (and "postconf -n" output) I can't tell for sure.
>

Magnus:

From my limited understanding of postfix you have several options for mail
delivery: shared domain - unix system accounts or separate domains unix
system accounts ( postfix virtual domain hosting howto ).

As you noted above, if I place all of the hosted domains in the
mydestination the email will be received/processed and the TO: will
indicate the hosted domain name. The /etc/aliases file is used for address
translation to obtain the unix account name. Since aliases is used I can
not have info@hosted-domain1.com, info@hosted-domain2.com, etc. This is a
problem.

The "separate domains unix accounts" seemed to resolve this problem very
nicely. I can have as many info@host-domains as are needed and send the
email to the necessary unix-account.

=======================================================================
postconf -n

append_at_myorigin = no
append_dot_mydomain = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = newserve.machine-domain.com
mynetworks = 192.168.0.0/24, 192.168.5.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.1.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
       reject_non_fqdn_recipient, reject_unknown_sender_domain,
       reject_unknown_recipient_domain, permit_mynetworks,
       reject_invalid_hostname, reject_non_fqdn_hostname,
       reject_unauth_destination,
       check_sender_access hash:/etc/postfix/access,
       reject_rbl_client cbl.abuseat.org,
       reject_rbl_client list.dsbl.org, reject_rbl_client opm.blitzed.org,
       reject_rbl_client relays.ordb.org,
       reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org,
       reject_rhsbl_sender sbl.spamhaus.org,
       reject_rhsbl_client sbl.spamhaus.org,
       reject_rhsbl_client rhsbl.sorbs.net,
       reject_rbl_client vox.schpider.com, permit
smtpd_sender_restrictions = reject_non_fqdn_sender,
       reject_unknown_sender_domain, reject_rhsbl_sender relays.ordb.org,
       reject_rhsbl_sender opm.blitzed.org
unknown_local_recipient_reject_code = 550
virtual_alias_domains = host-domain1.net, host-domain2.com,
       host-domain3.com, host-domain4.com, host-domain5.net, host-domain6.org,
       host-domain7.com, host-domain8.com, host-domain9.org
virtual_alias_maps = hash:/etc/postfix/virtual
~
=======================================================================
below is the script used for calling spamassassin.

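#!/bin/bash
SENDMAIL=/usr/sbin/sendmail.postfix
SPAMC=/usr/bin/spamc
UNAVAIL=69
SPAMLIMIT=10
TEMPOUT=/var/tmp/sa.$$
EGREP=/bin/egrep
#
# remove the temporary file on exit or on HUP/INT/QUIT/TERM
trap "rm -f $TEMPOUT" 0 1 2 3 15
#
# pass the message on stdin through spamc and keep the tagged copy
cat | $SPAMC -u filter > "$TEMPOUT"
#
# check the stars in the X-Spam-Level header (egrep matches case-sensitively)
if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < "$TEMPOUT"
then
# mv $TEMPOUT $SPAMFILTER/spamchk/`date +%y-%m-%d_%R`-$$
   # at or above SPAMLIMIT stars: divert to the local spamfilter account
   $SENDMAIL spamfilter@localhost < "$TEMPOUT"
else
   # re-inject with the arguments from master.cf (-f sender -- recipient)
   $SENDMAIL "$@" < "$TEMPOUT"
fi
exit $?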

=======================================================================
master.cf

# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
192.168.5.50:smtp inet n - n - - smtpd
   -o content_filter=spamfilter:dummy
#192.168.5.50:smtp inet n - n - - smtpd
# -o smtpd_client_restrictions=permit_mynetworks,reject
# turn off content filtering for local email
127.0.0.1:smtp inet n - n - - smtpd
   -o smtpd_client_restrictions=permit_mynetworks,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_etrn_restrictions=reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
#tlsmgr fifo - - n 300 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
   -o content_filter=spamfilter:dummy
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spamassassin
#
spamfilter unix - n n - 10 pipe
   flags=Rq user=spamfilter argv=/usr/local/sbin/spamchk -f ${sender} -- ${recipient}

> Stop top-posting.

done.

>
> --
> Magnus Back
> magnusdsek.lth.se
>
Appreciate your assistance.

Jim Mc.

--
James G. McIntyre
Senior Consultant
SANS/GIAC - GCIA Certified Intrusion Analyst
          - GCFA Certified Firewall Analyst
          - GAWN Auditing Wireless Networks
          - GWAS Web Application Security
HP-UX Certified System Administrator

McIntyre & Associates, Inc.
Virginia Tech Corporate Research Center
2020 Kraft Drive, Suite 3005
Blacksburg, VA 24060
540-552-9090
www.mcintyresecurity.com
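
Added illustration, not part of the original message and not Postfix code: a simplified Python model of how a recipient is expanded through a virtual alias table and then classified, showing why the bare `localuser1` targets deliver while the test entry that points back into a virtual alias domain does not. All domains, accounts and table entries are constructed sample values; catch-all (`@domain`) keys and `/etc/aliases` are left out.

```python
# Simplified model of Postfix address handling for the setup in this thread.
# All domains, users and table entries below are constructed sample values.
MYORIGIN = "machine-domain.com"          # stands in for $myorigin ($mydomain)
MYDESTINATION = {"newserve.machine-domain.com", "localhost.machine-domain.com",
                 "localhost", "machine-domain.com"}
VIRTUAL_ALIAS_DOMAINS = {"hosted-domain1.com", "hosted-domain2.com",
                         "hosted-domain4.com"}
VIRTUAL = {  # stands in for hash:/etc/postfix/virtual
    "info@hosted-domain1.com": "localuser1",
    "info@hosted-domain2.com": "localuser2",
    "firstname.user4@hosted-domain4.com": "localuser4@hosted-domain4.com",
}
UNIX_ACCOUNTS = {"localuser1", "localuser2", "localuser4"}


def expand(rcpt, limit=10):
    """Follow virtual alias entries until no entry matches (or a loop is hit)."""
    seen = set()
    while rcpt in VIRTUAL and rcpt not in seen and len(seen) < limit:
        seen.add(rcpt)
        rcpt = VIRTUAL[rcpt]
        if "@" not in rcpt:              # bare result: $myorigin is appended
            rcpt = f"{rcpt}@{MYORIGIN}"
    return rcpt


def classify(rcpt):
    """Return (final_address, outcome) for one envelope recipient."""
    final = expand(rcpt.lower())
    user, _, domain = final.rpartition("@")
    if domain in MYDESTINATION:
        ok = user in UNIX_ACCOUNTS
        return final, "local delivery" if ok else "reject: unknown local user"
    if domain in VIRTUAL_ALIAS_DOMAINS:
        # Still in a virtual alias domain after expansion: no further entry.
        return final, "reject: user unknown in virtual alias table"
    return final, "not a local domain: relay rules apply"


if __name__ == "__main__":
    for addr in ("info@hosted-domain1.com", "info@hosted-domain2.com",
                 "firstname.user4@hosted-domain4.com", "nobody@hosted-domain1.com"):
        print(addr, "->", *classify(addr))
```

On a live system the corresponding check for a single key is `postmap -q <address> hash:/etc/postfix/virtual`.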
