Hi Matthias,
As expected, opensmtpd now complains that there is no test14 user.
Let me quote from my first email:
>
> > But after you fix this, I think you would indeed run into the problem
> described by Crystal that the user test9 probably doesn't exist. For
> example, the man page of smtpd.conf says that your python script will
> receive an environment variable HOME which is set to the delivery user's
> login directory. But if the user doesn't exist, how should opensmtpd know
> the login directory of the user?
>
My surprise is not so much that this doesn't work; it is that the mail
doesn't enter the queue. The mail is rejected with the connection still in
progress (550 Invalid recipient), after the match test passed. The
description in the man page doesn't mention this possibility; it says:
When mail arrives, each “RCPT TO:” command generates a mail
envelope. If an envelope matches any of a pre-designated set of criteria
(using the match directive), the message is accepted
for delivery. A copy of the message, as well as its associated
envelopes, is saved in the mail queue and later dispatched according to an
associated set of actions (using the action direc‐
tive). If an envelope does not match any options, it is rejected.
The match rules are evaluated sequentially, with the first match winning.
The way I read this is that if the match succeeds, the mail is entered into
the queue. And then, the queue runner will try actions. But that's not what
happens; already in the decision process about whether the mail will be
accepted, the follow-up action (in my case, an mda action) is considered,
and it is determined if all prerequisites for that action are in place; and
if not, the incoming mail is immediately rejected.
I now have a hypothesis of what is really happening, though. I've browsed
through the presentation found on the opensmtpd website:
https://www.opensmtpd.org/presentations/eurobsdcon2017-smtpd/eurobsdcon2017-opensmtpd.pdf
Reading page 61/62 of that presentation, it looks like the config file
format used to be different 10 years ago, with rules; and that the split in
"match" and "action" was introduced later. This decoupling solved a bunch
of issues, according to the presentation.
This suggests that what is going on is a bit different than what the man
page suggests. Already when the decision is made if incoming mail is
accepted, not only the "match" is considered, but also its associated
"action". So, information that is required for the action (such as the
ability to find a local user, in case of method mda) can influence if the
mail is accepted.
If that is correct, matches and actions are much more tightly coupled than
I would expect from reading the description in the man page quoted above. I
would go so far as to say that the description is wrong; it tripped me up,
anyway, leading me to the wrong mental model.
> I think you could use the "user <username>" option for your mda delivery
> action in order to specify one existing user that handles mail for everyone.
>
That doesn't seem to work, the mail still gets rejected.
But I have enough information now to proceed with experimentation.
Cheers, Sidney
