Discussion:
If virtual_alias_domains looked up from SQL, then sender domain is also queried in that table
Robert Gomezi
2005-08-11 10:14:47 UTC
Hi, as a test, I configured a test MySQL server with a table

create table domain_list (domain varchar(20));
insert into domain_list values ('example.org');

Then I had in main.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/domain.cf

domain.cf =>
query = select domain from domain_list where domain = '%s'

I had a config for virtual_alias_maps set up already.
virtual_alias_maps = proxy:mysql:/etc/postfix/vmap.cf
vmap.cf =>
query = select RHS from vmaps where LHS = '%s'
domain = example.org

I had ***@example.org => ***@rewrite.example.org in table 'vmaps' as a
test value

Now, I sent a message from <***@some.random.domain> to <***@example.org>
The queries I log are

select domain from domain_list where domain = 'some.random.domain'
select domain from domain_list where domain = 'example.org'
select RHS from vmaps where LHS = '***@example.org'
select RHS from vmaps where LHS = '***@example.org'
select domain from domain_list where domain = 'rewrite.example.org'

The first and the last query are something I can't understand. It would
seem that smtpd is querying against the sender domain inside the
virtual_alias_domains map. I don't see this occurring in Postfix 2.0.x.
The last query I can't figure out at all

Regards
Robert
Jussi Silvennoinen
2005-08-11 10:37:41 UTC
Post by Robert Gomezi
The queries I log are
select domain from domain_list where domain = 'some.random.domain'
select domain from domain_list where domain = 'example.org'
select domain from domain_list where domain = 'rewrite.example.org'
The first and the last query are something I can't understand. It would
seem that smtpd is querying against the sender domain inside the
virtual_alias_domains map. I don't see this occurring in Postfix 2.0.x.
The last query I can't figure out at all
You can eliminate the first query by looking at mysql_table (5).
The last query is perfectly sane, Postfix will try to look up addresses
until it cannot find a match. So you can have

addrA -> addrB
addrB -> addrC
addrC -> addrD

daisy chains.
--
Jussi
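
The daisy-chain lookup described above, as an added example that is not part of the original thread and not Postfix code: a simplified model using an in-memory SQLite table in place of MySQL. The addresses, the `MAP_DOMAINS` filter (standing in for the `domain = example.org` line of vmap.cf) and `RECURSION_LIMIT` are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data modelled on the thread's vmaps table (LHS -> RHS).
ROWS = [
    ("addrA@example.org", "addrB@example.org"),
    ("addrB@example.org", "addrC@example.org"),
    ("addrC@example.org", "user@rewrite.example.org"),
]
MAP_DOMAINS = {"example.org"}  # assumption: models "domain = example.org" in vmap.cf
RECURSION_LIMIT = 10           # assumption: illustrative cap for this model only


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table vmaps (LHS text primary key, RHS text)")
    db.executemany("insert into vmaps values (?, ?)", ROWS)
    return db


def lookup(db, address, log):
    """One map lookup; keys outside MAP_DOMAINS never reach the database."""
    domain = address.rpartition("@")[2].lower()
    if domain not in MAP_DOMAINS:
        return None
    log.append(address)  # stands in for the SQL query log
    row = db.execute("select RHS from vmaps where LHS = ?", (address,)).fetchone()
    return row[0] if row else None


def expand(db, address):
    """Follow the chain until a lookup finds no match; return (final, queried keys)."""
    log, seen = [], set()
    for _ in range(RECURSION_LIMIT):
        if address in seen:
            raise ValueError("alias loop at " + address)
        seen.add(address)
        target = lookup(db, address, log)
        if target is None:
            return address, log
        address = target
    raise ValueError("recursion limit exceeded")


if __name__ == "__main__":
    final, queries = expand(build_db(), "addrA@example.org")
    print(final, queries)
```

Each hop in the chain costs one query, and the chain stops as soon as a key either has no row or falls outside the domains the map is restricted to.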
mouss
2005-08-12 22:47:04 UTC
Post by Robert Gomezi
Hi, As a test. I configured a test mysql server with a table
create table domain_list (domain varchar(20));
insert into domain_list values ('example.org');
Then I had in main.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/domain.cf
domain.cf =>
query = select domain from domain_list where domain = '%s'
I had a config for virtual_alias_maps set up already.
virtual_alias_maps = proxy:mysql:/etc/postfix/vmap.cf
vmap.cf =>
query = select RHS from vmaps where LHS = '%s'
domain = example.org
test value
The queries I log are
select domain from domain_list where domain = 'some.random.domain'
select domain from domain_list where domain = 'example.org'
select domain from domain_list where domain = 'rewrite.example.org'
The first and the last query are something I can't understand. It would
seem that smtpd is querying against the sender domain inside the
virtual_alias_domains map. I don't see this occurring in Postfix 2.0.x.
The last query I can't figure out at all
Regards
Robert
postconf -n?
Ralf Hildebrandt
2005-08-13 14:37:10 UTC
Post by Robert Gomezi
The first and the last query are something I can't understand. It would
seem that smtpd is querying against the sender domain inside the
virtual_alias_domains map. I don't see this occurring in Postfix 2.0.x.
The last query I can't figure out at all
That's normal. Postfix checks if the sender domain may be local,
virtual or a relay domain in order to be able to perform the
"reject_unlisted_recipient" check!
--
Ralf Hildebrandt (***@charite.de) ***@charite.de
http://www.postfix-book.com/ Tel. +49 (0)30-450 570-155
When machines and computers, profit motives and property rights are
considered more important than people; the giant triplets of racism,
militarism, and economic exploitation are incapable of being
conquered. -- Martin Luther King
Victor Duchovni
2005-08-13 15:03:57 UTC
Post by Ralf Hildebrandt
Post by Robert Gomezi
The first and the last query are something I can't understand. It would
seem that smtpd is querying against the sender domain inside the
virtual_alias_domains map. I don't see this occurring in Postfix 2.0.x.
The last query I can't figure out at all
That's normal. Postfix checks if the sender domain may be local,
virtual or a relay domain in order to be able to perform the
"reject_unlisted_recipient" check!
It is normal, but the reason is simply that any restriction that involves
the sender address needs to resolve the sender address via trivial-rewrite
in order to obtain the standard form of the address. This process also
computes the address class and transport. It is not related to the
"reject_unlisted_recipient" restriction, which is only concerned with
the recipient address.

The restrictions that pertain to the sender address and trigger sender
address resolution are listed under:

http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:***@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Robert Gomezi
2005-08-17 05:31:30 UTC
Post by Victor Duchovni
It is normal, but the reason is simply that any restriction that involves
the sender address needs to resolve the sender address via trivial-rewrite
in order to obtain the standard form of the address. This process also
computes the address class and transport. It is not related to the
"reject_unlisted_recipient" restriction, which is only concerned with
the recipient address.
The restrictions that pertain to the sender address and trigger sender
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
So even with an empty smtpd_sender_restrictions (which is the
default), since smtpd_recipient_restrictions is valid within
smtpd_sender_restrictions and reject_unlisted_recipient defaults to
yes, this implies that sender address resolution always occurs and if
virtual_alias_domains is looked up via SQL/LDAP then the sender address
is looked up via the corresponding SQL query.
Victor Duchovni
2005-08-17 05:55:55 UTC
Post by Robert Gomezi
Post by Victor Duchovni
It is normal, but the reason is simply that any restriction that involves
the sender address needs to resolve the sender address via trivial-rewrite
in order to obtain the standard form of the address. This process also
computes the address class and transport. It is not related to the
"reject_unlisted_recipient" restriction, which is only concerned with
the recipient address.
The restrictions that pertain to the sender address and trigger sender
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
So even with an empty smtpd_sender_restrictions (which is the
default), since smtpd_recipient_restrictions is valid within
smtpd_sender_restrictions and reject_unlisted_recipient defaults to
yes, this implies that sender address resolution always occurs and if
virtual_alias_domains is looked up via SQL/LDAP then the sender address
is looked up via the corresponding SQL query.
No, the sender is only resolved if restrictions that make use of the
sender address are configured (regardless of whether they are listed
in smtpd_sender_restrictions or smtpd_recipient_restrictions). The
URL documents which restrictions use the sender address, but they
can be used in other contexts (e.g. recipient or data restrictions).

The sender is also resolved if reject_unlisted_sender is on by default
(i.e. smtpd_reject_unlisted_sender = yes). For Postfix snapshots between:

20040101

Cleanup: the Postfix SMTP server rejects a MAIL FROM address
that matches a local, virtual or relay domain, while the
address is not listed in the corresponding local, virtual
or relay recipient table.

Feature: the reject_unlisted_sender(recipient) SMTPD access
restriction rejects an address that matches a local, virtual
or relay domain, while the address is not listed in the
corresponding local, virtual or relay recipient table.

and

20040329

Compatibility: smtpd_reject_unlisted_sender is turned off
by default, to avoid trouble with in-house software
that sends out mail software with an unreplyable address.

senders are resolved by default and unlisted senders are always rejected.
Postfix 2.1.0 was released on 20040421, and does not by default resolve
sender addresses.

Finally, in addition to the above discussion of sender resolution, if
mydestination is defined via an SQL or LDAP table, and canonical mappings
or From header rewrites are enabled, the sender domain will be checked
against the table in order to determine whether bare "user" keys should
be used in the rewrite lookup key.
--
Viktor.

Robert Gomezi
2005-08-17 09:07:41 UTC
Post by Victor Duchovni
senders are resolved by default and unlisted senders are always rejected.
Postfix 2.1.0 was released on 20040421, and does not by default resolve
sender addresses.
Finally, in addition to the above discussion of sender resolution, if
mydestination is defined via an SQL or LDAP table, and canonical mappings
or From header rewrites are enabled, the sender domain will be checked
against the table in order to determine whether bare "user" keys should
be used in the rewrite lookup key.
Victor, I am using Postfix 2.2.5 and I have inet_interfaces = ip.addr 127.0.0.1

I am injecting mail via smtp from another machine on the same network
so I don't see myself triggering From header rewrites and neither do I
have mydestination defined via SQL/LDAP.
Also in postfix 2.2 as in previous versions, canonical mappings are
disabled by default

This given that I am not using the sender address in any restrictions,
its resolution via SQL seems to be a mystery for me
Victor Duchovni
2005-08-17 18:14:47 UTC
Post by Robert Gomezi
I am injecting mail via smtp from another machine on the same network
so I don't see myself triggering From header rewrites and neither do I
have mydestination defined via SQL/LDAP.
Also in postfix 2.2 as in previous versions, canonical mappings are
disabled by default
This given that I am not using the sender address in any restrictions,
its resolution via SQL seems to be a mystery for me
As it does no harm, I would not waste too much time solving the
mystery. If you enable verbose logging everywhere you can find
the origin of the query, but my advice is forget it and move on.
--
Viktor.
