DevHeads.net

Relay mail from virtual domains and issue when the sender and recipient is on same server

What I want to do:

I want to disable local delivery for e-mails from virtual domains / mailboxes when the sender and recipient are on the same server. I want these e-mails to pass through a relay.

My setup :

I have postfix and dovecot on server1.example.com, and smtp.example.com acts as relay for server1.example.com. MX for example.com points to server1.example.com, so incoming e-mails go to this server. Outgoing e-mails for domains not hosted on server1.example.com go through the relay. Now I want the e-mails whose sender and recipient are on the same server (server1.example.com) to go through the relay (smtp.example.com). For example, currently I send an e-mail from ... at example dot com to ... at example dot com and it does local delivery (the e-mail does not leave server1.example.com). I want the e-mail to pass through the relay smtp.example.com.

The problem is that if I remove the domain example.com from virtual_mailbox_domains, then e-mails go from server1.example.com to smtp.example.com, but when they come back to server1.example.com it says "Relay denied", which I believe is because postfix no longer considers itself the server that actually hosts this domain (the final destination).

/var/log/maillog:

Apr 12 19:49:08 server1 postfix/smtpd[24278]: connect from unknown[62.103.227.xxx]
Apr 12 19:49:08 server1 postfix/smtpd[24278]: Anonymous TLS connection established from unknown[62.103.227.xxx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 12 19:49:08 server1 dovecot: auth: passwd-file( ... at example dot com,62.103.227.xxx): unknown user
Apr 12 19:49:09 server1 postfix/smtpd[24278]: 24B2A2730A: client=unknown[62.103.227.xxx], sasl_method=PLAIN, sasl_username= ... at example dot com
Apr 12 19:49:09 server1 postfix/cleanup[33817]: 24B2A2730A: message-id=<671AE13C-DBCE-449E-922C- ... at example dot com>
Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: from=< ... at example dot com>, size=740, nrcpt=1 (queue active)
Apr 12 19:49:09 server1 dovecot: lmtp(40507): Connect from local
Apr 12 19:49:09 server1 dovecot: lmtp( ... at example dot com)<40507><w+0rEgWOz1o7ngAAPz4RRA>: sieve: msgid=<671AE13C-DBCE-449E-922C- ... at example dot com>: stored mail into mailbox 'INBOX'
Apr 12 19:49:09 server1 dovecot: lmtp(40507): Disconnect from local: Client has quit the connection (state = READY)
Apr 12 19:49:09 server1 postfix/lmtp[34621]: 24B2A2730A: to=< ... at example dot com>, relay=server1.example.com[private/dovecot-lmtp], delay=0.24, delays=0.22/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 < ... at example dot com> w+0rEgWOz1o7ngAAPz4RRA Saved)
Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: removed

postconf -Mf:

smtp inet n - n - - smtpd
-o content_filter=filter:
-o receive_override_options=no_address_mappings
submission inet n - n - - smtpd
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
filter unix - n n - - pipe flags=Rq
user=filter argv=/usr/local/etc/bogofilter/postfix-filter.sh -f ${sender}
-- ${recipient}

postconf -n:

authorized_mailq_users =
authorized_submit_users = root, filter
body_checks = regexp:/usr/local/etc/postfix/body_checks
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 2
default_destination_rate_delay = 1s
default_extra_recipient_limit = 10
header_checks = pcre:/usr/local/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 25600000
myhostname = server1.example.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relayhost = [smtp.example.com]
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 138.201.248.xxx
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 10
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_cert_file = /etc/ssl/certs/mail.pem
smtp_tls_key_file = /etc/ssl/private/mail.pem
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_banner = $myhostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = check_recipient_access hash:/usr/local/etc/postfix/recipient_access, check_policy_service { inet:127.0.0.1:10040, timeout=10s, default_action=dunno }, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bad.psky.me, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.blocklist.de, reject_rbl_client dnsbl.dronebl.org, check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unlisted_sender, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/recipient_transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = hash:/usr/local/etc/postfix/virtual_uids
virtual_mailbox_base = /home/mail
virtual_mailbox_domains = hash:/usr/local/etc/postfix/domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = hash:/usr/local/etc/postfix/virtual_uids
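
The log excerpt above shows the behaviour the question is about: a SASL-authenticated submission (sasl_username=...) whose recipient is handed to private/dovecot-lmtp, so the message never leaves server1.example.com and never sees the relay or the content_filter. The following is an added example, not part of the post: a small Python script that correlates maillog lines by queue ID and reports exactly those messages, so an operator can see how much submitted mail is short-circuiting the relay before changing the routing. The log lines embedded in it are constructed in the post's format, with made-up queue IDs, addresses and documentation-range IPs.

```python
import re
from collections import defaultdict

# Constructed sample log in the format of the post's maillog excerpt. Queue IDs,
# addresses and IPs are made up; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOG = """\
Apr 12 19:49:08 server1 postfix/smtpd[24278]: connect from unknown[203.0.113.40]
Apr 12 19:49:09 server1 postfix/smtpd[24278]: 24B2A2730A: client=unknown[203.0.113.40], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: from=<alice@example.com>, size=740, nrcpt=1 (queue active)
Apr 12 19:49:09 server1 dovecot: lmtp(40507): Connect from local
Apr 12 19:49:09 server1 postfix/lmtp[34621]: 24B2A2730A: to=<bob@example.com>, relay=server1.example.com[private/dovecot-lmtp], delay=0.24, delays=0.22/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <bob@example.com> w+0rEgWOz1o7ngAAPz4RRA Saved)
Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: removed
Apr 12 19:50:01 server1 postfix/smtpd[24278]: 3C1F0273AB: client=unknown[203.0.113.40], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 12 19:50:01 server1 postfix/qmgr[77128]: 3C1F0273AB: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Apr 12 19:50:02 server1 postfix/smtp[34700]: 3C1F0273AB: to=<carol@example.net>, relay=smtp.example.com[198.51.100.25]:25, delay=1.1, delays=0.2/0/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9A1B2C3D4E)
Apr 12 19:51:10 server1 postfix/smtpd[24300]: 4D2E1283CD: client=mx1.example.net[198.51.100.7]
Apr 12 19:51:10 server1 postfix/qmgr[77128]: 4D2E1283CD: from=<dave@example.net>, size=2048, nrcpt=1 (queue active)
Apr 12 19:51:10 server1 postfix/lmtp[34621]: 4D2E1283CD: to=<bob@example.com>, relay=server1.example.com[private/dovecot-lmtp], delay=0.3, delays=0.2/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 <bob@example.com> abc Saved)
"""

# "postfix/<daemon>[pid]: <queue id>: ..." -- lines without a queue ID
# (connect/disconnect, dovecot's own lines) are skipped.
QUEUE_RE = re.compile(r"postfix/(?P<prog>[a-z-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
DELIVERY_AGENTS = {"smtp", "lmtp", "local", "virtual", "pipe"}


def parse_queue(lines):
    """Correlate log lines by queue ID into one record per message."""
    msgs = defaultdict(lambda: {"client": None, "sasl_user": None,
                                "sender": None, "deliveries": []})
    for line in lines:
        m = QUEUE_RE.search(line)
        if not m:
            continue
        rec, prog, rest = msgs[m["qid"]], m["prog"], m["rest"]
        if prog == "smtpd":
            if (c := CLIENT_RE.search(rest)):
                rec["client"] = c["client"]
            if (s := SASL_RE.search(rest)):
                rec["sasl_user"] = s["user"]
        elif prog == "qmgr":
            if (f := FROM_RE.search(rest)):
                rec["sender"] = f["sender"]
        elif prog in DELIVERY_AGENTS:
            if (t := TO_RE.search(rest)):
                rec["deliveries"].append((t["rcpt"], t["relay"], t["status"]))
    return dict(msgs)


def find_local_shortcuts(msgs, local_marker="private/dovecot-lmtp"):
    """Submitted mail (SASL-authenticated client) that was handed straight to
    the local LMTP socket, i.e. never went out through relayhost. Inbound MX
    mail delivered locally is expected and is not reported."""
    hits = []
    for qid, rec in sorted(msgs.items()):
        if not rec["sasl_user"]:
            continue
        for rcpt, relay, status in rec["deliveries"]:
            if local_marker in relay and status == "sent":
                hits.append((qid, rec["sasl_user"], rcpt))
    return hits


if __name__ == "__main__":
    for qid, user, rcpt in find_local_shortcuts(parse_queue(SAMPLE_LOG.splitlines())):
        print(f"{qid}: {user} -> {rcpt} stayed on this host (bypassed relayhost)")
```

Run it against a real maillog with `parse_queue(open("/var/log/maillog"))`; only the first submission in the sample is reported, the second went to smtp.example.com and the third came in from a remote MX, where local delivery is the expected path.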

Comments

Re: Relay mail from virtual domains and issue when the sender an

By dev rob0 at 04/14/2018 - 10:43

On Sat, Apr 14, 2018 at 05:17:09AM +0300, Christos Chatzaras wrote:
[ is overly complicated IMO :) ]

Yes, explicitly it means that the restriction
"reject_unauth_destination" was matched in smtpd_relay_restrictions.

Your content_filter only applies to MX mail on port 25.

Perhaps what you want is for the other host to be the MSA (mail
submission agent), and do not accept submission here?

This is your content_filter. You're using a script, but better
practice would probably be to use smtp. And of course SMTP doesn't
have to be local; your filter could be elsewhere.

Check out amavisd-new as a better means of content filtering. This
also gives you a means of applying different filtering depending on
origin: the spam filtering needed for submission differs from that
which makes sense on your MX stream.

So if users submitted directly there, it would come back for
addresses hosted here. That's what you want, right?

You can do this by changing the server name your users use for their
submission server to point to this relayhost instead. It could
possibly be a painless change for the users.

Note: I am supposing you have a large number of users, because this
level of complexity does not make sense for a small number.

I don't consider spamcop safe for outright rejection, at least not
without DNSWL whitelisting. Also, CBL is part of Zen, so this is a
wasted lookup. And postscreen has been around for many years now,
you should look at it:

http://www.postfix.org/POSTSCREEN_README.html
http://rob0.nodns4.us/postscreen.html

You should force all submission through submission/submissions
services, or as mentioned above, through a separate MSA. You don't
want to accept submission on port 25.

smtpd_relay_restrictions = reject_unauth_destination

This, also, is not appropriate for port 25.

You could have your auth socket on TCP, and thus your remote MSA
could use it to authenticate your users. (You would of course want
to protect access to this socket via firewall or more. Perhaps a VPN
connection between the two hosts, and only listen on the VPN
address.)

why?

Re: Relay mail from virtual domains and issue when the sender an

By Christos Chatzaras at 04/14/2018 - 16:16

Thank you for your reply and tips :-)

Yes, I want to use bogofilter only for incoming mails from other mail servers. It's configured with a global sieve rule to move spam e-mails to the Spam folder for each mailbox. Dovecot is configured so that when a user moves an e-mail from Inbox to Spam or the opposite, it trains bogofilter with the new ham or spam keywords. Also, ham/spam messages are forwarded from all the servers to ... at example dot com (using a script that forwards the original messages as attachments), and using another script I train a global bogofilter database which every few days I copy to all the servers. This way I get good results and only a few false positives.

I want to accept submission on server1.example.com as it's easier for end users to use the same hostname for SMTP, POP3 and IMAP.

Do you have a link with instructions for doing it with SMTP instead of a script? Maybe I can set up another server for incoming filtering (bogofilter) which is used by all the servers, so I avoid copying the bogofilter database to all the servers every few days.

Maybe I can use MailScanner (hosted on another server) for incoming messages too. It filters spam, viruses, bad attachment extensions and some more things.

The same hostname is used for other things too, for example FTP. So changing the server1.example.com hostname and point it to smtp.example.com IP is not possible without causing frustration to users.

Yes, there are more than 60.000 mail accounts split across 55 servers. These servers do shared hosting (www, ftp, dns, mail, mysql, php).

I removed CBL from checks.

To add DNSWL whitelisting I have to add under smtpd_recipient_restrictions and before the RBL checks:

permit_dnswl_client list.dnswl.org

Is this right?

I will check this too. I didn't mention it but I also use postgrey (greylisting). If I can get good results with postscreen maybe I can remove postgrey.

I know this, but some old clients are configured to submit on port 25. Also some sites use port 25 for contact forms and transactional e-mails. Maybe it's time to send them a mass e-mail notifying them to change their submission port to 587, and after some time remove submission on port 25.

A few years ago I was using postfix for sasl authentication. After upgrading postfix to a new version the quota patch was not working (the developer abandoned it), so I changed it to dovecot authentication because dovecot has a plugin for mailbox quota. So these settings are not required any more, right?
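
rob0's remark that spamcop is not safe for outright rejection without DNSWL whitelisting, and the question above about where permit_dnswl_client goes, both come down to the first-match semantics of Postfix restriction lists. The following is an added example, not part of the thread and not Postfix code: a toy evaluator for a subset of smtpd restrictions with constructed DNSBL/DNSWL answers (documentation-range IPs, hypothetical listings). It shows that a permit placed after reject_unauth_destination only exempts a client from the blocklists, that the same permit placed ahead of reject_unauth_destination would authorize relaying on a host with no smtpd_relay_restrictions, and that smtpd_relay_restrictions (Postfix 2.10 and later) still catches that misplacement.

```python
# Constructed DNSWL/DNSBL answers keyed by client IP (documentation ranges);
# real Postfix asks DNS, this toy looks them up in dicts.
DNSWL = {"list.dnswl.org": {"198.51.100.7"}}
DNSBL = {
    "zen.spamhaus.org": {"203.0.113.66"},
    "bl.spamcop.net": {"198.51.100.7", "203.0.113.66"},  # the dnswl host is also on spamcop
}
# Domains this host is an authorized final destination for (virtual_mailbox_domains).
MY_DOMAINS = {"example.com"}


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower()


def evaluate(restrictions, client):
    """Evaluate one restriction list. Returns (verdict, rule); the first
    restriction answering OK or REJECT ends the list, DUNNO falls through.
    defer_unauth_destination really answers 4xx; it is folded into REJECT here."""
    for name, arg in restrictions:
        verdict = "DUNNO"
        if name == "permit_sasl_authenticated":
            verdict = "OK" if client["sasl"] else "DUNNO"
        elif name == "permit_mynetworks":
            verdict = "OK" if client["ip"] in client["mynetworks"] else "DUNNO"
        elif name in ("reject_unauth_destination", "defer_unauth_destination"):
            verdict = "DUNNO" if _domain(client["rcpt"]) in MY_DOMAINS else "REJECT"
        elif name == "permit_dnswl_client":
            verdict = "OK" if client["ip"] in DNSWL.get(arg, set()) else "DUNNO"
        elif name == "reject_rbl_client":
            verdict = "REJECT" if client["ip"] in DNSBL.get(arg, set()) else "DUNNO"
        elif name == "permit":
            verdict = "OK"
        else:
            raise ValueError(f"restriction not modelled: {name}")
        if verdict != "DUNNO":
            return verdict, f"{name} {arg}".strip()
    return "DUNNO", None


def smtpd_decision(relay_restrictions, recipient_restrictions, client):
    """Postfix >= 2.10 runs smtpd_relay_restrictions and then
    smtpd_recipient_restrictions as separate lists: a REJECT from either
    stands, and an OK in the first list does not skip the second."""
    for lst in (relay_restrictions, recipient_restrictions):
        verdict, rule = evaluate(lst, client)
        if verdict == "REJECT":
            return "REJECT", rule
    return "OK", None


RELAY = [("permit_sasl_authenticated", ""), ("defer_unauth_destination", "")]
# Whitelist placed after the destination check and before the blocklists.
RECIPIENT = [
    ("permit_sasl_authenticated", ""),
    ("reject_unauth_destination", ""),
    ("permit_dnswl_client", "list.dnswl.org"),
    ("reject_rbl_client", "zen.spamhaus.org"),
    ("reject_rbl_client", "bl.spamcop.net"),
    ("permit", ""),
]
# The same whitelist moved ahead of reject_unauth_destination.
RECIPIENT_MISPLACED = [("permit_dnswl_client", "list.dnswl.org")] + RECIPIENT


def cases():
    """Unauthenticated port-25 clients against the lists above."""
    base = {"sasl": False, "mynetworks": set()}
    wl_inbound = dict(base, ip="198.51.100.7", rcpt="bob@example.com")
    bl_inbound = dict(base, ip="203.0.113.66", rcpt="bob@example.com")
    wl_relay = dict(base, ip="198.51.100.7", rcpt="victim@example.net")
    return {
        "dnswl-listed host on spamcop, mail for us": smtpd_decision(RELAY, RECIPIENT, wl_inbound),
        "zen-listed host, mail for us": smtpd_decision(RELAY, RECIPIENT, bl_inbound),
        "dnswl-listed host relaying elsewhere": smtpd_decision(RELAY, RECIPIENT, wl_relay),
        "same, permit misplaced, relay_restrictions intact": smtpd_decision(RELAY, RECIPIENT_MISPLACED, wl_relay),
        "same, permit misplaced, relay_restrictions empty": smtpd_decision([], RECIPIENT_MISPLACED, wl_relay),
    }


if __name__ == "__main__":
    for label, (verdict, rule) in cases().items():
        print(f"{label}: {verdict}" + (f" by {rule}" if rule else ""))
```

The model leaves out check_recipient_access, the policy services and the HELO checks from the posted configuration; they do not change the ordering point, which is that any permit_* result ends the list it sits in.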

Re: Relay mail from virtual domains and issue when the sender an

By Christos Chatzaras at 04/14/2018 - 00:23

More info to make it clearer:

The 'relay denied' I wrote about in my previous message is not in the smtp.example.com logs.

E-mail from ... at example dot com to ... at example dot com:

The 'relay denied' message is on server1.example.com logs at step (4).

I can solve the 'relay denied' by changing main.cf at server1.example.com from:

to:

smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination

But then I have an infinite loop:

I think the only way to fix this is to have 2 postfix instances, right? One for incoming and one for outgoing.

Re: Relay mail from virtual domains and issue when the sender an

By Viktor Dukhovni at 04/14/2018 - 00:28

If you want to round-trip mail through an external SMTP server,
and then bring it back to the same host, then yes, there typically
need to be two queues (Postfix instances), one that sends all mail
out, and another that accepts and delivers.

One can play games with rewriting, so that mail originally rewrites
to a domain that goes off-box, possibly rewrites in the outbound
smtp delivery agent smtp_generic_maps, and then returns into an
smtpd(8)/cleanup(8) pair that does no or different rewriting.
That could make it possible to use a single queue, because the
destination domain would be different for returned mail than
for originally incoming mail.
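
The three outcomes in this thread (local delivery, "Relay denied" on the way back, and the loop once permit_mynetworks is added) and Viktor's single-queue rewriting idea all follow from which address class a recipient lands in at each hop. The following is an added example, not part of the thread and not Postfix code: a deliberately narrowed model of address-class resolution that knows only virtual_mailbox_domains, relayhost, mynetworks and two rewriting hooks (a virtual_alias_maps-style rewrite on the submission path and an smtp_generic_maps-style rewrite in the outbound client). The domain example.com.outbound, the host names used in place of client IPs, and the scenario names are assumptions made for the example.

```python
"""Simplified model of the server1 <-> smtp.example.com round trip.
Ignores mydestination, relay_domains, transport_maps and the content_filter."""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_HOPS = 6  # enough to catch a server1 <-> relay ping-pong


@dataclass
class Host:
    name: str
    virtual_mailbox_domains: set[str] = field(default_factory=set)
    relayhost: str | None = None                          # default-class mail goes here
    mynetworks: set[str] = field(default_factory=set)     # host names stand in for IPs
    submission_rewrite: dict[str, str] = field(default_factory=dict)  # cleanup(8), port 587 path
    generic_rewrite: dict[str, str] = field(default_factory=dict)     # smtp(8) towards relayhost
    mailboxes: list[str] = field(default_factory=list)

    def smtpd_accepts(self, domain: str, client: str, authenticated: bool = False) -> bool:
        """smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
        defer_unauth_destination: an unauthenticated client may only send to
        domains this host is an authorized destination for."""
        return authenticated or client in self.mynetworks or domain in self.virtual_mailbox_domains


def _split(rcpt):
    local, domain = rcpt.rsplit("@", 1)
    return local, domain


def submit(net, mx, host_name, rcpt, trace):
    """An authenticated user submits `rcpt` on host_name (port 587 path)."""
    host = net[host_name]
    local, domain = _split(rcpt)
    rcpt = f"{local}@{host.submission_rewrite.get(domain, domain)}"
    return route(net, mx, host_name, rcpt, trace, hops=0)


def route(net, mx, host_name, rcpt, trace, hops):
    """qmgr/trivial-rewrite: choose the transport for an accepted recipient."""
    host = net[host_name]
    local, domain = _split(rcpt)
    if hops > MAX_HOPS:
        trace.append(f"{host_name}: giving up, mail loops")
        return "loop"
    if domain in host.virtual_mailbox_domains:
        trace.append(f"{host_name}: {rcpt} -> lmtp (local mailbox)")
        host.mailboxes.append(rcpt)
        return "delivered-locally"
    if host.relayhost:  # default class: everything goes to relayhost
        next_hop = host.relayhost
        rcpt = f"{local}@{host.generic_rewrite.get(domain, domain)}"
    else:               # no relayhost: follow MX
        next_hop = mx.get(domain)
        if next_hop is None:
            trace.append(f"{host_name}: {rcpt} -> bounce, no MX for {domain}")
            return "bounced"
    trace.append(f"{host_name}: {rcpt} -> smtp to {next_hop}")
    return receive(net, mx, next_hop, rcpt, host_name, trace, hops + 1)


def receive(net, mx, host_name, rcpt, client, trace, hops):
    """smtpd(8) on port 25: relay policy, then routing. No submission rewriting
    happens on this path (the 'different rewriting' smtpd/cleanup pair)."""
    host = net[host_name]
    _, domain = _split(rcpt)
    if not host.smtpd_accepts(domain, client):
        trace.append(f"{host_name}: 554 Relay access denied for {rcpt} from {client}")
        return "relay-denied"
    return route(net, mx, host_name, rcpt, trace, hops)


def scenario(variant):
    """Run one configuration of the thread's setup; returns (result, trace)."""
    relay = Host("smtp.example.com", mynetworks={"server1.example.com"})
    server1 = Host("server1.example.com", virtual_mailbox_domains={"example.com"},
                   relayhost="smtp.example.com")
    if variant == "drop-domain":                # example.com removed from virtual_mailbox_domains
        server1.virtual_mailbox_domains = set()
    elif variant == "drop-domain+mynetworks":   # ... plus permit_mynetworks covering the relay
        server1.virtual_mailbox_domains = set()
        server1.mynetworks = {"smtp.example.com"}
    elif variant == "rewrite":                  # single-queue rewriting; domain name is hypothetical
        server1.submission_rewrite = {"example.com": "example.com.outbound"}
        server1.generic_rewrite = {"example.com.outbound": "example.com"}
    elif variant != "original":
        raise ValueError(variant)
    net = {h.name: h for h in (relay, server1)}
    mx = {"example.com": "server1.example.com"}  # MX for example.com points at server1
    trace = []
    return submit(net, mx, "server1.example.com", "bob@example.com", trace), trace


if __name__ == "__main__":
    for v in ("original", "drop-domain", "drop-domain+mynetworks", "rewrite"):
        result, trace = scenario(v)
        print(f"[{v}] {result}\n  " + "\n  ".join(trace))
```

In the "rewrite" run the message leaves server1 for the relay under its real address, comes back to port 25, and is accepted because example.com is still a virtual mailbox domain there; the only thing that changed is that the submission path no longer sees a local-class recipient. In a real deployment the rewrite on the port-25 path has to be switched off (receive_override_options=no_address_mappings or a separate cleanup service), smtp_generic_maps also rewrites headers, and reject_unauth_destination additionally honours mydestination and relay_domains, none of which the model includes.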