Re: address verify vs. virtual_alias_maps

From: Arpi (arpi@thot.banki.hu)
Date: Wed Nov 28 2007 - 15:59:04 CST


Hi,

> > We have a postfix mail server, which does content filtering (spam, virus etc.)
> > for all of our mail servers, as a relay. I've enabled address verify
> > (both sender and recipient) for all of our server domains. It's working fine.
> >
> > Now I've added
> > virtual_alias_maps = hash:/etc/postfix/virtual, ldap:ldapforward, ldap:ldapvirtual
> > which does address translation for many of our domains where the
> > addresses are redirected to other addresses (users moved and have their
> > old mail forwarded, and some users moved to an MS Exchange server).
> > The problem is that I don't want to do address verification for these
> > foreign domains, where some of our addresses are forwarded/virtual_aliased.
> > (There are some servers where address verify doesn't work.)
> >
> > Is there any way to tell postfix which domains NOT to verify
> > mail to? Adding it to check_recipient_access maps in
> > smtpd_recipient_restrictions doesn't work, as it's used by smtpd only,
> > and address verify ignores that when doing the address verify.
> > Or any way to force verify to verify only mails to listed domains,
> > and do this domain check _after_ resolving virtual_alias mappings?
> >
> > For example:
> > smtpd receives a connection, with recipient arpi@bmf.hu.
> > There is such a line in the check_recipient_access map:
> > bmf.hu reject_unverified_recipient
> > so it does address verify. It's OK.
> > But this address is mapped to an external address in virtual_alias_maps:
> > arpi@bmf.hu arpi@thot.banki.hu
> > so the verify process connects to thot.banki.hu to verify this address.
> > But I don't want it to connect to thot.banki.hu!
> >
>
> Please show evidence (relevant logs).

I don't really see why you need it; I think it's clear what's
happening, the question is how to avoid it.

But here it is:

I sent a mail from root@server.archeo.mta.hu to arpi@bmf.hu,
which has a virtual maps entry to arpi@thot.banki.hu:
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:ldapforward, ldap:ldapvirtual
/etc/postfix/virtual:
arpi@bmf.hu arpi@thot.banki.hu

For the demonstration, I set the firewall to drop packets from the
relay server to thot.banki.hu, so you can see the address verify fail.
(Normally there is no trace of address verify in the logs, only if it fails.)

Nov 28 22:40:15 sendmail postfix/smtpd[21639]: connect from bb-server.archeo.mta.hu[193.224.177.3]
Nov 28 22:40:15 sendmail postfix/smtpd[21639]: 5116C800EE: client=bb-server.archeo.mta.hu[193.224.177.3]
Nov 28 22:40:15 sendmail postfix/smtpd[21639]: 5116C800EE: reject: RCPT from bb-server.archeo.mta.hu[193.224.177.3]: 450 4.1.1 <arpi@bmf.hu>: Recipient address rejected: unverified address: connect to 192.190.173.38[192.190.173.38]: Connection timed out; from=<root@archeo.mta.hu> to=<arpi@bmf.hu> proto=ESMTP helo=<server.archeo.mta.hu>

Here is the mailq of the sender (server.archeo.mta.hu):
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
7D0CE170E0 288 Wed Nov 28 22:38:20 root@archeo.mta.hu
(host sendmail.bmf.hu[193.224.40.21] said: 450 4.1.1 <arpi@bmf.hu>:
Recipient address rejected: unverified address: connect to
192.190.173.38[192.190.173.38]: Connection timed out (in reply to RCPT TO command))
                                         arpi@bmf.hu

(192.190.173.38 is the IP of thot.banki.hu.)

> and while you are at it, show output of 'postconf -n'. is there a

http://thot.banki.hu/arpi/postfix/postconf.txt

> transport entry for bmf.hu?

Yes, of course. (The relay server doesn't have local users.)

bmf.hu :[webmail.bmf.hu]

A'rpi

> > If the address is listed in virtual_alias_maps, then it's an existing
> > address (or at least an address I can assume is a working one),
> > so no further checks are needed!
> >
> > I hope the problem is clear now.
> > Any ideas?
> >
> > A'rpi
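Added example, not part of the thread and not the poster's configuration. The log line above shows the mechanism at work: the verify(8) probe for arpi@bmf.hu is routed like ordinary mail, so it passes through virtual_alias_maps and ends up connecting to thot.banki.hu. What smtpd's check_recipient_access sees, however, is the address as given in RCPT TO, before any aliasing, so it can still decide whether reject_unverified_recipient is invoked at all. The simulation below follows the access(5) lookup order (full address, then domain and parent domains, then localpart@) and the documented meaning of DUNNO ("pretend the key was not found, and do not try substrings"), and shows that one `address DUNNO` entry per virtual alias key, placed in the same table as `bmf.hu reject_unverified_recipient`, skips verification for the aliased addresses while other addresses in bmf.hu are still verified. The map contents are constructed from the one entry the thread quotes; the LDAP tables the poster also lists are an assumption not modelled here, and would need their keys exported into the same access table.

```python
"""Added example (not from the thread): simulate the access(5) lookup order
that smtpd applies to check_recipient_access, to show why a DUNNO entry for
each virtual-aliased address keeps reject_unverified_recipient from firing
for it, while other addresses in the same domain are still verified.
The map contents below are constructed from what the thread shows."""


# Constructed stand-in for the hash:/etc/postfix/virtual table quoted in the
# thread (the LDAP tables it also lists are an assumption not modelled here).
VIRTUAL_MAP_TEXT = """
arpi@bmf.hu arpi@thot.banki.hu
"""

# Constructed stand-in for the check_recipient_access table the poster describes.
ACCESS_MAP_TEXT = """
bmf.hu reject_unverified_recipient
"""


def parse_map(text):
    """Parse 'key value' lines as postmap(1) would, ignoring blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def access_lookup(table, address):
    """Return (matched_key, action) for an address, following the access(5)
    search order smtpd uses: the full address first, then the domain and its
    parent domains (the default parent_domain_matches_subdomains behaviour),
    then the local part followed by '@'.  A DUNNO result stops the search
    and yields no action, which is the documented meaning of DUNNO."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            action = table[key]
            return key, (None if action.upper() == "DUNNO" else action)
    return None, None


def exemption_entries(virtual_table):
    """One 'address DUNNO' entry per virtual alias key.  DUNNO is used rather
    than OK: OK would permit the recipient outright and end restriction
    processing, whereas DUNNO only prevents the fallback to the 'bmf.hu'
    domain entry, so reject_unauth_destination and the rest still run."""
    return {addr: "DUNNO" for addr in virtual_table}


def needs_verification(access_table, virtual_table, address):
    """True if reject_unverified_recipient would be triggered for the address
    once the exemption entries are merged into the same access table."""
    merged = dict(access_table)
    merged.update(exemption_entries(virtual_table))
    _, action = access_lookup(merged, address)
    return action == "reject_unverified_recipient"


def probe_destination(virtual_table, address):
    """Address a verify(8) probe is actually delivered to: the rewritten one,
    because probes pass through virtual_alias_maps like any other mail (one
    rewrite step is modelled; Postfix repeats until no entry matches)."""
    return virtual_table.get(address.lower(), address.lower())


def render_access_map(access_table, virtual_table):
    """Text of a single check_recipient_access table holding both kinds of entry."""
    merged = dict(access_table)
    merged.update(exemption_entries(virtual_table))
    return "\n".join(f"{key} {action}" for key, action in sorted(merged.items()))


if __name__ == "__main__":
    virtual = parse_map(VIRTUAL_MAP_TEXT)
    access = parse_map(ACCESS_MAP_TEXT)
    print(render_access_map(access, virtual))
    for rcpt in ("arpi@bmf.hu", "other@bmf.hu"):
        print(rcpt, "probe ->", probe_destination(virtual, rcpt),
              "verify:", needs_verification(access, virtual, rcpt))
```

The exemption entries must live in the same table as the domain entry: DUNNO only suppresses substring lookups within the table where it was found, so a separate check_recipient_access restriction with its own table would still fall through to `bmf.hu reject_unverified_recipient`. The other knob worth checking in postconf(5) is address_verify_virtual_alias_maps, which controls the aliasing applied to probes; emptying it makes the probe go to the un-rewritten address via the bmf.hu transport instead, which only helps if that host accepts the aliased addresses.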