On 11/10/21 2:06 pm, Rob Kampen wrote:
OK - just to let you know the munge I used.
example.com is an alias domain for example.org which is the actual
domain with Maildir space on the server.
rob@ is alias for rkampen@ thus the only real address is
rkampen@xxxxxxxxxxx
That's not what I meant by munge, but it helps. Anyhow, what you showed
me is what I need to see.
now the results
This is all good, except...
[root@mx rkampen]# postmap -q @example.com
mysql:/etc/postfix/mysql-virtual_forwardings.cf
@example.org
This is a bad idea. It's not the cause of your problem (as you
discovered below) but it will lead you to become a backscatter source.
I'll explain.
Postfix checks virtual_alias_maps entries twice, once in smtpd and once
in cleanup (actually trivial_rewrite, which is called from cleanup). At
the smtpd stage it simply checks to make sure that there is a
virtual_alias_map entry for the recipient address, but it doesn't care
where that entry points, then (after other checks) postfix accepts and
queues the message.
The message is then passed to cleanup, which, as once of its functions,
calls trivial_rewrite which, once again, checks virtual_alias_maps and
in turn rewrites the recipient to the target email address. (It then
loops and does this until there are no more rewrites to be done). Then
delivery is attempted to the target address.
So in your case, what happens when the original recipient is
"nonexistent@xxxxxxxxxxx"? Well Postfix first checks virtual_alias_maps
for entries of "nonexistant@xxxxxxxxxxx", "nonexistent" and
"@example.com", it finds a match for the last of these and so the
message passes the checks in smtpd and the message is accepted for
delivery and queued.
Then the message is passed to cleanup which checks with trivial_rewrite
and trivial_rewrite checks virtual_alias_maps (again) and after finding
the "@example.com" entry it rewrites the recipient to
"nonexistent@xxxxxxxxxxx".
Then Postfix attempts to deliver the message to nonexistent@xxxxxxxxxxx,
but since there's no such recipient and since postfix has already
accepted the message for delivery it generates a bounce message which it
sends to the envelope sender. Thus you have a situation where messages
can be sent to invalid recipients and your system will bounce them, and
as such you become a source of backscatter.
You can confirm this by attempting to send a message to
nonexistent@xxxxxxxxxxx and another one to nonexistent@xxxxxxxxxxx. The
example.com one will generate a bounce from Postfix while the
example.org one will reject the message instead (you'll be able to see
the difference in your Postfix logs).
The solution here is to not use an @example.com entry in
virtual_alias_maps, but instead to have a separate entry for each valid
recipient in example.com. Since you're using mysql it is possible to
craft a mysql query that can check the valid example.org recipients and
only return example.com matches for those recipients, I'll leave that as
an exorsize for you, but if you have problems with it I'll be happy to help.
Well that may have done it!
Now I get a correctly sent email with the alias substitutions done.
Funny how that line seems to cause no error on my two original MX -
looks like I better check them out a little more too.
That's great. So basically what you've done by removing that entry is
to bypass the policyd-spf check from Postfix. What that means is that
the problem is in policyd-spf and this is further confirmed by the
following log entry:
Oct 11 13:53:10 mx policyd-spf[10723]: ERROR: Unknown name "TestOnly" in
file "/etc/python-policyd-spf/policyd-spf.conf"
Unfortunately I am not a policyd-spf expert by any stretch, so at this
stage I'll direct you to their community support for further help
(unless someone else here wants to chime in and help). What I can say
is that if you fix your policyd-spf issue then it is likely that you can
add that entry back into the Postfix configuration and it will work.
Thanks Peter, your help has been invaluable and MUCH appreciated!
You're quite welcome.
Peter
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
