
I have a Postfix instance using SASL with Dovecot for authentication. I am using virtual_alias_maps for some address rewriting, but I'm unable to use a catch all definition (@domain newaddress) as Postfix matches that before doing any sort of authentication with Dovecot.

Dovecot and Postfix are using my AD server as a backend for users/groups/etc.

I've been through all of the relevant Postfix documentation for virtual aliases, maps, etc. and I can't figure this out. Does anyone know how I can implement a catch-all address for emails sent to my domain for which I don't have an account/group in AD for Dovecot to match against?

EDIT:

CONFIGURATION EXCERPTS:

proxy_read_maps = $local_recipient_maps, $mydestination, $virtual_alias_maps, $virtual_mailbox_maps, $virtual_mailbox_domains, $relay_recipient_maps, $relay_domains, $canonical_maps, $sender_canonical_maps, $recipient_canonical_maps, $relocated_maps, $transport_maps, $mynetworks, $virtual_sender_maps, $admins_only, $protected_destinations
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
virtual_sender_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf
virtual_alias_maps = proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf,hash:/etc/postfix/virtual

#SASL Stuff
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = DOMAIN.COM
smtpd_client_restrictions = permit_mynetworks,permit
smtpd_recipient_restrictions = check_recipient_access $protected_destinations permit_mynetworks permit_auth_destination permit_sasl_authenticated reject_unauth_destination
smtpd_sender_login_maps = $virtual_sender_maps

I guess what I want to know is: is there either 1) an accepted way of doing this, or 2) a way to change the order in which Postfix checks the maps?

Matt
  • (1) What is the error or problem you are seeing with the method you use? (2) Can you post some related configuration? – John Siu Jan 11 '13 at 18:22
  • No errors, the problem is that as soon as postfix hits the @domain entry in the virtual_alias_maps file, it rewrites the address. I need that match to happen AFTER it checks to see if it's a user in the system. Basically, the rule ends up matching all addresses whether they exist as users or not and I need it to not do that. – Matt Jan 11 '13 at 21:09
  • Oh, well, `catchall` is actually what you are seeing and it is working correctly then. You need something similar but with a condition, probably custom rules. – John Siu Jan 11 '13 at 21:19

2 Answers


1) An acceptable way to implement a spam-catcher: there isn't one.

Accepting spam (with the large likelihood that it will later be bounced and hence make you a backscatter producer) is not acceptable, period.
Instead, configure your system to accept the right messages only, by using valid recipient lists, such as those you have in LDAP.

If you absolutely must accept invalid recipients, make sure you never bounce anything sent to invalid addresses.
The onus is on you to make sure no backscatter spam gets out; additionally, this may cause your system to be blacklisted and hence curtail your ability to send mail at all.

2) Changing the order postfix processes maps: no, this is not possible, since each map has a specific (and different) purpose.

adaptr

Although inelegant, there is a way to accomplish this. By "this" I mean the following:

  • Assumptions: Postfix + Dovecot, SASL, virtual domains, smtpd_relay_restrictions = ... reject_unverified_recipient ...
  • if the specified user exists: deliver mail to them
  • if the specified user does not exist, deliver mail to catchall address

All you have to do is list all users in /etc/postfix/virtual and end it with a catchall address:

john.doe@example.com  john.doe@example.com
jane.doe@example.com  jane.doe@example.com
# Any other address will be caught by the catch-all below,
# even if an account exists in Dovecot
@example.com          spam-magnet@example.com

Again, I need to point out that this is inelegant, because it practically defeats the idea of verifying users via Dovecot.

Source: https://serverfault.com/a/696298

madman_xxx
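The lookup precedence that both answers rely on, as an added worked example written for this page (it is not Postfix code and not the poster's configuration; example.com, the users alice/bob, the group staff, the spam-magnet address and the table contents are all constructed). It reproduces the table search order documented in virtual(5): user@domain first, then the bare user for local domains, then @domain, with the tables in virtual_alias_maps consulted in the listed order and expansion applied recursively as cleanup(8) does. Running it shows why a lone @domain entry rewrites every recipient in the domain, mailbox or not, and why mapping each real address to itself makes the catch-all apply only to unknown recipients.

```python
"""
Simulate Postfix virtual_alias_maps lookups.

Added example for this page; it is not Postfix source and not the poster's
configuration.  It shows why a bare "@domain" catch-all in virtual_alias_maps
rewrites every recipient in the domain, including real mailboxes, and why
mapping each real address to itself (the second answer's technique) fixes it.

Search order follows the TABLE SEARCH ORDER section of virtual(5):
  1. user@domain   (highest precedence)
  2. user          (only when the domain is $myorigin, $mydestination,
                    $inet_interfaces or $proxy_interfaces)
  3. @domain       (lowest precedence)
The tables listed in virtual_alias_maps are consulted in order and the first
table that matches wins.  Expansion is recursive, as in cleanup(8).

All table contents and addresses (example.com, alice, bob, staff,
spam-magnet) are constructed for illustration.
"""
from typing import Dict, List, Optional, Set

# A table is {lookup key: comma-separated result}, standing in for a hash:
# or ldap: map.  Keys are lowercase; address lookups are folded to lowercase.
Table = Dict[str, str]


def lookup_one(tables: List[Table], addr: str, local_domains: Set[str]) -> Optional[str]:
    """One virtual_alias_maps lookup for a single address (no recursion)."""
    addr = addr.lower()
    user, _, domain = addr.partition("@")
    keys = [addr]                    # user@domain: highest precedence
    if domain in local_domains:      # bare user: only for local ($mydestination-style) domains
        keys.append(user)
    keys.append("@" + domain)        # @domain: lowest precedence
    for table in tables:             # first table with a match wins
        for key in keys:
            if key in table:
                return table[key]
    return None


def expand(tables: List[Table], addr: str, local_domains: Set[str] = frozenset(),
           expansion_limit: int = 1000) -> List[str]:
    """Expand one recipient the way cleanup(8) does: keep rewriting until no
    table matches.  An address already examined is treated as final, which is
    what lets "a@x a@x" self-mappings (and a catch-all target that itself
    matches the catch-all) terminate.  Repeats are dropped, as Postfix's
    address duplicate filter (duplicate_filter_limit) does.  expansion_limit
    stands in for virtual_alias_expansion_limit."""
    final: List[str] = []
    seen: Set[str] = set()
    work = [addr.lower()]
    while work:
        a = work.pop(0)
        if a in seen:
            if a not in final:
                final.append(a)
            continue
        seen.add(a)
        hit = lookup_one(tables, a, local_domains)
        if hit is None:
            if a not in final:
                final.append(a)
        else:
            work[:0] = [x.strip().lower() for x in hit.split(",") if x.strip()]
        if len(final) + len(work) > expansion_limit:
            raise RuntimeError("virtual_alias_expansion_limit exceeded for %s" % addr)
    return final


# example.com is a virtual mailbox domain here, not in $mydestination, so the
# bare-user key is never tried for it.
LOCAL_DOMAINS: Set[str] = frozenset()

# Table 1: stand-in for the poster's LDAP group map (ad_virtual_group_maps.cf):
# a group address expands to its members.  Constructed data.
ldap_groups: Table = {"staff@example.com": "alice@example.com, bob@example.com"}

# Table 2a: a hash:/etc/postfix/virtual containing only the catch-all, i.e. the
# poster's situation.
virtual_catchall_only: Table = {"@example.com": "spam-magnet@example.com"}

# Table 2b: the second answer's map.  File order does not matter in a hash:
# table; the user@domain entries win because of pattern precedence, not
# because the catch-all line is written last.
virtual_listed: Table = {
    "alice@example.com": "alice@example.com",
    "bob@example.com": "bob@example.com",
    "@example.com": "spam-magnet@example.com",
}


def resolve_all(virtual_table: Table, addrs: List[str]) -> Dict[str, List[str]]:
    """Resolve each address through [ldap_groups, virtual_table] in that order,
    mirroring `virtual_alias_maps = proxy:ldap:..., hash:/etc/postfix/virtual`."""
    tables = [ldap_groups, virtual_table]
    return {a: expand(tables, a, LOCAL_DOMAINS) for a in addrs}


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com", "staff@example.com"]
    for label, table in (("catch-all only", virtual_catchall_only),
                         ("users listed + catch-all", virtual_listed)):
        print(label)
        for addr, targets in resolve_all(table, probes).items():
            print("  %-20s -> %s" % (addr, ", ".join(targets)))
```

With the catch-all-only table every probe, alice included, ends up at spam-magnet@example.com; with the users listed, alice and the staff group members resolve to their own mailboxes and only nobody@example.com is redirected. Two practical caveats: the simulation is useful because `postmap -q alice@example.com hash:/etc/postfix/virtual` looks up one literal key and so never shows the @example.com fallback that Postfix would apply, and after editing /etc/postfix/virtual the table must be rebuilt with `postmap /etc/postfix/virtual` before the change takes effect.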