On Tue, Feb 10, 2026 at 09:46:35PM +0100, Michael Grimm via Postfix-users wrote:
> > This domain would not be listed in any of the address classes,
> > and would be rejected for external senders by
> > "reject_unauth_destination".
>
> This local domain is a member of virtual_mailbox_domains, only, and the
> address space is part of mynetworks.
> I hope that this isn't an issue?
That's a mistake, do not add it to virtual_mailbox_domains, or if you
do, you need to add explicit access(5) rules to reject incoming mail
to that domain:
main.cf:
    smtpd_relay_restrictions =
        check_recipient_access inline:{ {ellael.lan = reject}, {.ellael.lan = reject} },
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
But, simpler to not list it in "virtual_mailbox_domains", and just
use transport table entries to route it via LMTP, while otherwise
treating it as some random external domain for which you don't accept
mail from strangers.
> > It would have transport table entries, but these don't imply
> > access permissions:
> >
> > ellael.lan lmtp:...
> > dbmail.ellael.lan lmtp:...
>
> Does that mean:
>
> (1) no need for virtual_transport = lmtp:unix:private/dovecot-lmtp in main.cf
That's harmless, and perhaps you have other virtual_mailbox_domains, or
choose the access(5) route to keep it inaccessible to direct mail from
strangers.
> (2) both transports in transport_maps instead?
Yes.
> If that is correct: I have to admit that I will never gain the knowledge
> of 10+% of postfix' functionality in my remaining lifetime ;-)
This is covered in ADDRESS_CLASS_README, VIRTUAL_README and
ADDRESS_REWRITING_README, and I expect in the Postfix books by Ralf and
Patrick or by Kyle Dent. Address classes combine:
- Access control (which domains are accepted inbound).
- Choice of transport.
- Choice of recipient validation tables.
All of these can be handled explicitly without use of address classes,
which is a Postfix 2.0 abstraction; in Postfix 1.1 and prior these
were handled directly.
> > So the OP's proposed approach works fine.
>
> Given that *.ellael.lan is member of virtual_mailbox_domains and mynetworks is
> *not* an issue, thanks.
1. Either remove it from virtual_mailbox_domains, or, an equally good
approach, add access rules to prevent misuse.
2. Do not include domain names in "mynetworks", this should only list
IP address blocks, or single addresses.
> If it is an issue I will stick to "explicit per-user 1-to-2 virtual
> alias rewrites" as you phrased it in your other mail.
Or the fancier version of recipient BCC mapping, but you really should
be able to handle this with an internal-only mailstore domain.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
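The configuration the reply recommends, written out as a complete main.cf fragment plus transport table. This is an added example, not configuration posted by anyone in the thread: the 192.0.2.0/24 LAN block and the example.com public domain are constructed placeholders, and the LMTP socket path for the transport entries is assumed to be the lmtp:unix:private/dovecot-lmtp value mentioned for virtual_transport (the original entries only show "lmtp:...").

```conf
# /etc/postfix/main.cf (added example)

# mynetworks lists IP address blocks or single addresses only, never
# domain names. 192.0.2.0/24 is a constructed stand-in for the LAN.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24

# ellael.lan is deliberately NOT listed in any address class. For a
# sender outside mynetworks it is therefore an unauthorized destination
# and reject_unauth_destination refuses it; no access(5) rule is needed.
# example.com is a constructed placeholder for real public domains, if any.
virtual_mailbox_domains = example.com
virtual_transport = lmtp:unix:private/dovecot-lmtp

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Routing only: a transport entry never grants inbound access.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (added example; socket path is an assumption)
# ellael.lan          lmtp:unix:private/dovecot-lmtp
# dbmail.ellael.lan   lmtp:unix:private/dovecot-lmtp
```

After editing the transport file, rebuild the indexed map with `postmap /etc/postfix/transport` and confirm a lookup with `postmap -q dbmail.ellael.lan hash:/etc/postfix/transport`. If the domain must stay in virtual_mailbox_domains after all, the alternative from the reply applies instead: put the `check_recipient_access inline:{ {ellael.lan = reject}, {.ellael.lan = reject} }` entry in front of permit_mynetworks so that only LAN and authenticated clients can reach the internal mailstore domain.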