On 10/02/2015 5:10 PM, Viktor Dukhovni wrote:
On Tue, Feb 10, 2015 at 04:05:08PM +1100, Carl Brewer wrote:

I'm trying to get my head around how to get virtual aliases to work with my
cyrus setup (NetBSD, postfix 2.11.0).

I'm using 2.11.3 from pkgsrc, and I imagine 2.11.4 will be out
soonish.  You should upgrade when that happens.

yep, I just bumped it to 2.11.3

I have realtime address checking using lmtp :

mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
virtual_transport = lmtp:unix:/var/imap/socket/lmtp

This is not "address checking".  Rather this is a common configuration
for LMTP delivery to IMAP for both system and virtual mailbox users.

Ok. Is there some way (or is it doing it already) to do realtime checking against cyrus? So I don't backscatter. That's one of the big reasons to move away from sendmail - it's backscattering like crazy.



and that seems to work just fine for addresses that exist in the cyrus
setup, but ... I have this :

virtual_alias_maps = hash:/usr/pkg/etc/postfix/virtual

That's fine, all recipient addresses go through recursive expansion
via this table first.

so it *should* work.  It does seem to be now anyway (?!).

which only seems to work for email I submit locally.  eg :

Feb 10 15:58:57  postfix/smtpd[3365]:
   NOQUEUE: reject: RCPT from mx208.h.outbound.createsend.com[204.75.142.208]:
   450 4.1.1 <[email protected]>:
   Recipient address rejected: unverified address:
   host rollcage3.bl.echidna.id.au[/var/imap/socket/lmtp] said:
   550-Mailbox unknown.  Either there is no mailbox associated with this
   550-name or you do not have authorization to see it.
   550 5.1.1 User unknown (in reply to RCPT TO command);
   from=<[email protected]>
   to=<[email protected]> proto=ESMTP helo=<mx208.h.outbound.createsend.com>

You have recipient address verification configured, and have somehow
managed to disable recipient rewriting in the cleanup(8) service
used by the verify(8) service.  Non-default entries in your master.cf
file should tell the whole story.

I don't think I have personally changed much, it may be stuff from pkgsrc.



postconf reports :

[ Please DO NOT post "postconf" results again, "postconf -n"
   reports non-default settings, and don't let cut/paste wrap
   long lines, report each setting on a single (long) line. ]

lmtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_protocols = SSLv3, TLSv1

Use the exclusion form:

     lmtp_tls_mandatory_protocols = !SSLv2
     smtp_tls_mandatory_protocols = !SSLv2
     smtpd_tls_mandatory_protocols = !SSLv2

this stuff isn't set in main.cf, but I have just set it now.

tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

Don't override these, the defaults behave better with OpenSSL 1.0.0
and later.

I haven't, again, is this pkgsrc defaults?



smtpd_tls_eecdh_grade = none

Any particular reason to shun ECDHE?

*shrug*

mail_release_date = 20111924
mail_version = 2.7.7

I never knew there were 19 months in a year down-under!

It's always January somewhere in the world!

These non-default settings are a bad idea.  Especially as
you say you're running 2.10.0.

smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination 
reject_unknown_recipient_domain reject_unverified_recipient

Verification probes are not subjected to virtual alias expansion
for some reason.


postconf now shows :

postconf -n -c /usr/pkg/etc/postfix
address_verify_map = btree:$data_directory/verify_cache
alias_database = hash:/usr/pkg/etc/postfix/aliases
alias_maps = hash:/usr/pkg/etc/postfix/aliases
command_directory = /usr/pkg/sbin
config_directory = /usr/pkg/etc/postfix
daemon_directory = /usr/pkg/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
mailq_path = /usr/pkg/bin/mailq
manpage_directory = /usr/pkg/man
milter_default_action = accept
myhostname = rollcage3.bl.echidna.id.au
mynetworks_style = subnet
newaliases_path = /usr/pkg/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/pkg/share/doc/postfix
relay_recipient_maps = hash:/usr/pkg/etc/postfix/relay_recipients
sample_directory = /usr/pkg/share/examples/postfix
sendmail_path = /usr/pkg/sbin/sendmail
setgid_group = maildrop
smtp_tls_mandatory_protocols = !SSLv2
smtpd_banner = $myhostname ESMTP $mail_name (how far can a goat see-2.10)
smtpd_milters = unix:/var/clamav/clamav-milter.socket,unix:/var/run/spamass.sock
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unknown_recipient_domain reject_unverified_recipient
smtpd_sasl_path = smtpd
smtpd_tls_cert_file = /usr/pkg/etc/postfix/certs/rollcage.bl.echidna.id.au.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/pkg/etc/postfix/virtual
virtual_mailbox_domains = /usr/pkg/etc/postfix/virtual_mailbox_domains
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
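
An added example, not part of the original message and not Postfix code: a small Python audit that applies the review points raised in this thread to `postconf -n` output, including two settings fused onto one line. The function names and the sample input are constructed for illustration; the sample reuses settings quoted above.

```python
import re

# Constructed sample: settings quoted in the thread, in "postconf -n" layout.
# The last line reproduces two settings fused onto one line.
SAMPLE = """\
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_protocols = !SSLv2
tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
smtpd_tls_eecdh_grade = none
mail_version = 2.7.7
smtpd_tls_security_level = may
smtpd_milters = unix:/var/run/spamass.sock smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
"""

# A setting name at line start or after whitespace, followed by " = ".
ASSIGN = re.compile(r"(?:^|\s)([a-z][a-z0-9_]*) = ")

def parse(text):
    """Return (settings, fused): name -> value, plus names that shared a line."""
    settings, fused = {}, []
    for line in text.splitlines():
        hits = list(ASSIGN.finditer(line))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            settings[m.group(1)] = line[m.end():end].strip()
            if i > 0:  # second or later assignment on the same line
                fused.append(m.group(1))
    return settings, fused

def audit(text):
    """Return sorted (setting, finding) pairs for the points raised in the thread."""
    settings, fused = parse(text)
    out = [(n, "fused onto the previous setting's line") for n in fused]
    for name, value in settings.items():
        if name.endswith("_tls_mandatory_protocols"):
            tokens = [t for t in re.split(r"[,\s:]+", value) if t]
            if any(not t.startswith("!") for t in tokens):
                out.append((name, "inclusion list; use the exclusion form"))
        elif re.fullmatch(r"tls_\w+_cipherlist", name):
            out.append((name, "cipherlist default overridden"))
        elif name == "smtpd_tls_eecdh_grade" and value == "none":
            out.append((name, "ECDHE disabled"))
        elif name in ("mail_version", "mail_release_date"):
            out.append((name, "version metadata overridden"))
    return sorted(out)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```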



