OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Catchall setup problem with Virtual domains and cyrus

From: Andrew Koros (akoroske.uu.net)
Date: Wed Jan 16 2008 - 04:24:30 CST

mouss wrote:
>>>
>> See the resulting master.cf below.
>>
>> I also thought I should explain my setup a little. What I want to
>> achieve is the
>> ability to filter some domains while leaving out others because some
>> customers
>> may prefer their mail filtered while others may not. I want to
>> achieve this on
>> one machine. I don't want to setup two separate boxes nor two
>> instances of
>> postfix. I read that all I need is to use the /etc/postfix/access
>> file with
>> entries like these:
>>
>> domains1.tld FILTER smtp-amavis:[127.0.0.1]:10024
>> domain2.tld OK
>> domain3.tld FILTER smtp-amavis-mailzu:[127.0.0.1]:10026
>> e.t.c.
>
>
> As Magnus says, this doesn't work with multi recipient mail. For every
> message, only one filter is used. FILTER sets the filter (it does not
> run it) so the last FILTER wins (the last recipient).
>
> to do per recipient filtering, use multiple instances and use
> transport_maps instead of content_filter and FILTER. multiple
> instances are needed because transport_maps are global.
>
>>
>> Is it possible to achieve this without setting the "-o
>> receive_override_options=no_address_mappings" in the smtp section of
>> the master.cf?
>>
>
> no_address_mapping disables rewrite (in particular, virtual alias
> expansion). It has nothing to do with filtering. The filter is
> selected before rewrite.
>
>
>>>
>> My master.cf
>> ----------------------------------------------------------------
>> smtp inet n - n - 250 smtpd
>
> you need
> -o receive_override_options=no_address_mappings
> here. you must disable rewrite except in one smtpd in a chain.
> otherwise, virtual aliases will be expanded multiple times, which may
> result in duplicate mail. think of a virtual alias like this:
>
> fooexample.com => fooexample.com, barexample.com
>
> if this is expanded twice, bar will get the message twice.
>
>> smtps inet n - n - - smtpd
>> -o smtpd_tls_wrappermode=yes
>> -o smtpd_sasl_auth_enable=yes
>
> here too
>
>> submission inet n - n - - smtpd
>> -o smtpd_enforce_tls=yes
>> -o smtpd_sasl_auth_enable=yes
>
> probably here too.
>>
>> cleanup unix n - n - 0 cleanup
>> -o mime_header_checks=
>> -o nested_header_checks=
>> -o body_checks=
>> -o header_checks=
>> -o header_checks=pcre:/etc/postfix/header_checks2
>
> remove the options of cleanup here and put them in main.cf.
>
>> mailman unix - n n - - pipe
>> flags=FR user=mailman:mailman
>> argv=/etc/postfix/postfix-to-mailman-2.1.py ${nexthop} ${user}
>>
>
> do the suggested modifications, try again. if "it doesn't work", show
> the corresponding logs and the new master.cf (yes, again, because logs
> can only be analyzed with the corresponding setup).
>
> PS. Take a look at amavisd-new README.postfix.
amavisd-new README.postfix suggests that:

"... Any transformations and checks done by a cleanup service are thus
performed twice. In simpler
setups this does not matter much, but in more demanding situations one
needs to consider which cleanup instance should perform which task. ...."

This is the relevant master.cf section they suggest and is waht I'am now
using and seems to work; I have shown it below :

127.0.0.1:10025 inet n - y/n - - smtpd
    -o content_filter=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks

What does the lines below do with respect to virtual aliases expansion?
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o relay_recipient_maps=

Due to legacy reasons my clients have always used the same server and IP
for sending out email and as an MX for their domains hence making
changes is always and uphill task.

Lastly why was the FILTER feature added ? Where is it ideal to use?

Thanks again.

--
Andrew Koros

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| / / (_)__ __ ____ __ |
| / /__/ / _ \/ // /\ \/ / | Freedom to
| /____/_/_//_/\_,_/ /_/\_\ | Experiment
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~