Re: smtp auth/local delivery question

From: Brian Evans (grknightscent-team.com)
Date: Fri May 02 2008 - 10:05:43 CDT


Matthias Leopold wrote:
> Brian Evans schrieb:
>> Matthias Leopold wrote:
>>> hi,
>>>
>>> i need help with the following problem:
>>>
>>> i have a (mostly) ldap based setup (relevant main.cf lines see below).
>>>
>>> virtual_mailbox_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox.cf
>>> virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
>>>
>>> virtual_alias_maps = hash:/etc/postfix/virtual_alias
>>>
>>> smtpd_recipient_restrictions = reject_unauth_destination
>>> permit_sasl_authenticated
>>>
>>> a lookup for "userdomain.tld" in virtual_mailbox_maps yields a result
>>> /etc/postfix/virtual_mailbox_domains does not contain "domain.tld"
>>> /etc/postfix/virtual_alias only contains "userdomain.tld" as a remote
>>> destination
>>>
>>> when i try to relay mail to "userdomain.tld" via my server i get
>>> "relaying denied". this is what i expect. when i try to relay mail
>>> to "userdomain.tld" after successful smtp authentication postfix
>>> tries to deliver locally. this is contrary to what i thought. is
>>> there a way to make this work other than deleting "userdomain.tld"
>>> from virtual_mailbox_maps?
>> My "guess" would be you have your domain in mydestination.
>>
>> No one here can help further without posting `postconf -n`.
>> Substitute example.(com|net|org) instead of your own domain if you so
>> desire.
>>
>> Brian
>>
> the domain in question is definitely not in $mydestination, since the
> problem arises for all virtual domains
>
> the output of postconf -n is below
>
> i "beautified" the main.cf lines in the original post a little, but (i
> think) the basic layout described is the same
>
> matthias
>
> # postconf -n
> alias_maps = hash:/home2/var/virtual_alias
Do not set alias_maps = virtual_alias_maps. The former is for *local*
delivery.
> biff = no
> bounce_size_limit = 50000
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_concurrency_limit = 25
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> header_size_limit = 1024
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> local_destination_concurrency_limit = 10
> mail_owner = postfix
> mailbox_size_limit = 150000000
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 10240000
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = example.com
> myhostname = host.example.com
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases
> queue_directory = /localdisk/var/spool/node2
> readme_directory = no
> relay_domains = $mydestination
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_rbl_client
> relays.mail-abuse.org, reject_rbl_client
> list.dsbl.org, reject_rbl_client
> sbl.spamhaus.org, reject_rbl_client
> cbl.abuseat.org, reject_rbl_client
> dul.dnsbl.sorbs.net
> smtpd_hard_error_limit = 3
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining,
> check_helo_access hash:/etc/postfix/helo_access
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unknown_recipient_domain,
> reject_invalid_hostname, reject_non_fqdn_hostname,
> reject_non_fqdn_sender reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client
> list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client
> cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rhsbl_sender rhsbl.sorbs.net
Highly recommended to move reject_unauth_destination just after
permit_sasl_authenticated.
reject_unauth_pipelining is worthless here, it should be in
smtpd_data_restrictions only.
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unknown_sender_domain,
> reject_non_fqdn_sender, reject_unauth_pipelining,
> reject_sender_login_mismatch, check_sender_access
> hash:/etc/postfix/sender_access
Remove unauth_pipelining from here too as described above
> transport_maps = ldap:/etc/postfix/ldapmaps/virtual_transport.cf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/home2/var/virtual_alias
> virtual_gid_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox_gid.cf
> virtual_mailbox_base = /
> virtual_mailbox_domains = hash:/home2/var/virtual_relay_domains
> virtual_mailbox_limit = 150000000
> virtual_mailbox_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox.cf
> virtual_uid_maps = ldap:/etc/postfix/ldapmaps/virtual_mailbox_uid.cf
>
>
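To make Brian's ordering advice concrete, here is an added example (not code from the thread, from Brian, or from Postfix itself): a simplified first-match-wins model of Matthias's smtpd_recipient_restrictions that counts how many DNS-backed checks run before a verdict is reached, with the posted order beside the reordered one. The set of restrictions treated as DNS-backed, the client attributes, and the sample clients are assumptions made for the model.

```python
# Added example (not from the thread or Postfix): a first-match-wins model of
# Matthias's smtpd_recipient_restrictions that counts DNS-backed checks run
# before a decision, to show the effect of Brian's suggested reordering.
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"
# Restrictions modelled as costing a DNS lookup each time they run (assumption).
DNS_BACKED = {"reject_unknown_recipient_domain", "reject_unknown_sender_domain",
              "reject_rbl_client", "reject_rhsbl_sender"}
ORIGINAL = [  # order exactly as posted in postconf -n
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unknown_recipient_domain", "reject_invalid_hostname",
    "reject_non_fqdn_hostname", "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient", "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain",  # appears twice in the posted config
    "reject_unauth_destination", "reject_unauth_pipelining",
    "reject_rbl_client list.dsbl.org", "reject_rbl_client sbl.spamhaus.org",
    "reject_rbl_client cbl.abuseat.org", "reject_rbl_client dul.dnsbl.sorbs.net",
    "reject_rhsbl_sender rhsbl.sorbs.net",
]

# Brian's advice applied: reject_unauth_destination right after the permits,
# reject_unauth_pipelining dropped (it belongs in smtpd_data_restrictions).
_MOVED = {"permit_mynetworks", "permit_sasl_authenticated",
          "reject_unauth_destination", "reject_unauth_pipelining"}
REORDERED = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination"] + [r for r in ORIGINAL if r not in _MOVED]

def verdict(name, client):
    # Outcome of one restriction for a client; checks not modelled say DUNNO.
    if name == "permit_mynetworks":
        return PERMIT if client["in_mynetworks"] else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if client["sasl"] else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if client["dest_is_ours"] else REJECT
    if name in ("reject_rbl_client", "reject_rhsbl_sender"):
        return REJECT if client["dnsbl_listed"] else DUNNO
    return DUNNO

def evaluate(restrictions, client):
    """Walk the list first-match-wins; return (decision, DNS lookups spent)."""
    lookups = 0
    for entry in restrictions:
        name = entry.split()[0]
        lookups += int(name in DNS_BACKED)
        v = verdict(name, client)
        if v != DUNNO:
            return v, lookups
    return PERMIT, lookups  # Postfix permits when the list is exhausted

# Constructed sample: an unauthenticated stranger relaying to an outside domain.
RELAY_ATTEMPT = {"in_mynetworks": False, "sasl": False,
                 "dest_is_ours": False, "dnsbl_listed": False}
```

With the posted order, the relay attempt is refused only after three DNS-backed checks have run; with reject_unauth_destination moved up it is refused before any, while authenticated users and mail for the server's own domains get the same verdict either way.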