Re: address verify vs. virtual_alias_maps

From: Arpi (arpithot.banki.hu)
Date: Fri Nov 30 2007 - 13:08:11 CST


Hi,

Any chance to get this answered? Wietse?
please at least tell me if my problem is:
A, known bug/problem of postfix, will be fixed (when?)
B, can be solved by proper configuration (some hint?)
C, feature request

btw i'm using postfix 2.4.1, but i didn't see such problem/fix mentioned
in later changelogs. if it's fixed in 2.5, then i'll upgrade.

thanks a lot,

A'rpi

> Hi,
>
> > > We have a postfix mail server, which does content filtering (spam virus etc)
> > > for all of our mail servers, as a relay. I've enabled address verify
> > > (both sender and recipient) for all of our server domains. It's working fine.
> > >
> > > Now I've added
> > > virtual_alias_maps = hash:/etc/postfix/virtual, ldap:ldapforward, ldap:ldapvirtual
> > > which does address translation for many of our domains where the
> > > addresses are redirected to other addresses (users moved and have their
> > > old mail forwarded, and some users moved to an ms exchange server).
> > > The problem is, that I don't want to do address verification for these
> > > foreign domains, where some of our addresses are forwarded/virtual_aliased.
> > > (there are some servers, where address verify doesn't work)
> > >
> > > Is there any way, to tell postfix which domains NOT to verify
> > > mail to? Adding it to check_recipient_access maps in
> > > smtpd_recipient_restrictions doesn't work, as it's used by smtpd only,
> > > and address verify ignores that when doing the address verify.
> > > Or any way to force verify to verify only mails to listed domains,
> > > and do this domain check _after_ resolving virtual_alias mappings ?
> > >
> > > For example:
> > > smtpd receives a connection, with recipient arpibmf.hu.
> > > there is such a line in the check_recipient_access map:
> > > bmf.hu reject_unverified_recipient
> > > so it does address verify. it's ok.
> > > but this address is mapped to an external address in virtual_alias_maps:
> > > arpibmf.hu arpithot.banki.hu
> > > so the verify process connects thot.banki.hu to verify this address.
> > > but i don't want it to connect thot.banki.hu!
> > >
> >
> > please show evidence (relevant logs).
>
> i don't really see why you need it, i think it's clear what's
> happening, the question is how to avoid it.
>
> but here it is:
>
> i sent a mail from rootserver.archeo.mta.hu to arpibmf.hu,
> which has virtual maps entry to arpithot.banki.hu:
> virtual_alias_maps = hash:/etc/postfix/virtual, ldap:ldapforward,
> ldap:ldapvirtual
> /etc/postfix/virtual:
> arpibmf.hu arpithot.banki.hu
>
> for the demonstration, i set firewall to drop packets from the
> relay server to thot.banki.hu, so you can see the address verify fail.
> (normally there is no trace in logs of address verify, only if it fails)
>
> Nov 28 22:40:15 sendmail postfix/smtpd[21639]: connect from bb-server.archeo.mta.hu[193.224.177.3]
> Nov 28 22:40:15 sendmail postfix/smtpd[21639]: 5116C800EE: client=bb-server.archeo.mta.hu[193.224.177.3]
> Nov 28 22:40:15 sendmail postfix/smtpd[21639]: 5116C800EE: reject: RCPT from bb-server.archeo.mta.hu[193.224.177.3]: 450 4.1.1 <arpibmf.hu>: Recipient address rejected: unverified address: connect to 192.190.173.38[192.190.173.38]: Connection timed out; from=<rootarcheo.mta.hu> to=<arpibmf.hu> proto=ESMTP helo=<server.archeo.mta.hu>
>
> here is the mailq of the sender (server.archeo.mta.hu):
> -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
> 7D0CE170E0 288 Wed Nov 28 22:38:20 rootarcheo.mta.hu
> (host sendmail.bmf.hu[193.224.40.21] said: 450 4.1.1 <arpibmf.hu>:
> Recipient address rejected: unverified address: connect to
> 192.190.173.38[192.190.173.38]: Connection timed out (in reply to RCPT TO
> command))
> arpibmf.hu
>
> (192.190.173.38 is the IP of thot.banki.hu)
>
> > and while you are at it, show output of 'postconf -n'. is there a
>
> http://thot.banki.hu/arpi/postfix/postconf.txt
>
> > transport entry for bmf.hu?
>
> yes, of course. (the relay server doesn't have local users)
>
> bmf.hu :[webmail.bmf.hu]
>
> A'rpi
>
> > > if the address is listed in virtual_alias_maps, then it's an existing
> > > address (but at least an address i can assume it's a working one)
> > > so no further checks needed!
> > >
> > > i hope the problem is clear now.
> > > any ideas?
> > >
> > > A'rpi
> > >
> > >
> >
> >
>
>
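
Added example, not part of the original post or of Postfix: a small audit that lists which recipients in a domain marked `reject_unverified_recipient` are rewritten by the virtual alias map to other domains, i.e. the cases where, per the behaviour described in the post, the verify probe leaves for a foreign server. The map contents, the example domains and the function names are constructed for illustration.

```python
# Constructed sample maps (example domains), not the poster's real files.
VIRTUAL = """\
# virtual_alias_maps source: address  target[, target ...]
alice@example.org   alice@mail.example.net
bob@example.org     bob@example.org, bob@archive.example.com
carol@example.org   carol@example.org
dave@example.com    dave@elsewhere.example.net
"""
ACCESS = """\
# check_recipient_access source: pattern  action
example.org   reject_unverified_recipient
"""


def parse_map(text):
    """Parse postmap-style source text into {key: right-hand side}."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1].strip()
    return table


def domain(addr):
    """Return the lower-cased domain part of an address (or a bare domain)."""
    return addr.rpartition("@")[2].lower()


def foreign_probe_targets(virtual_text, access_text):
    """Map each verified recipient to the foreign domains a probe would reach.

    Only one level of aliasing is followed; chained aliases are not resolved.
    """
    verified = {key.lower() for key, action in parse_map(access_text).items()
                if "@" not in key and "reject_unverified_recipient" in action.split()}
    findings = {}
    for rcpt, rhs in parse_map(virtual_text).items():
        if domain(rcpt) not in verified:
            continue  # recipient's domain is not subject to verification
        targets = rhs.replace(",", " ").split()
        foreign = sorted({domain(t) for t in targets} - verified)
        if foreign:
            findings[rcpt] = foreign
    return findings


if __name__ == "__main__":
    for rcpt, hosts in foreign_probe_targets(VIRTUAL, ACCESS).items():
        print(f"{rcpt}: verify probe would leave for {', '.join(hosts)}")
```

The audit reads only the hash-style text sources; entries served from the LDAP maps in `virtual_alias_maps` would have to be exported to the same two-column form first.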