6

Using Postfix (2.11.3) I want to redirect all mail to an external address.

/etc/postfix/main.cf:

virtual_alias_maps = regexp:/etc/postfix/rewrite

/etc/postfix/rewrite:

/^.+$/ hijacked@example.com

Sending mail to destination@example.net, the following error occurs:

[...] to=<hijacked@example.com>, orig_to=<destination@example.net> [...] status=bounced (User unknown in virtual alias table)

Documentation says:

Valid recipient addresses are listed with the virtual_alias_maps parameter. The Postfix SMTP server rejects invalid recipients with "User unknown in virtual alias table".

Turns out, the error has something to do with validation of virtual alias domains: virtual_alias_domains by default is $virtual_alias_maps, and setting it to anything else (to a non-matching domain or even leaving it empty) resolves the issue.

Another solution I found in an answer is giving the regular expression in another form:

/^.+@.+$/ hijacked@example.com

So my question is, how does validation of alias domains work when using regular expression tables for virtual aliasing? Why does setting virtual_alias_domains to anything else solve the issue? How are the above two patterns, equivalent address-mapping-wise, different?

Output of postconf -n is:

config_directory = /etc/postfix
inet_interfaces = loopback-only
inet_protocols = ipv4
mydestination =
myhostname = example.org
myorigin = $myhostname
virtual_alias_domains =
virtual_alias_maps = regexp:/etc/postfix/rewrite

1 Answer

2

Suppose here you have a mail for destination@example.net to be delivered.

Maps specified in virtual_alias_domains are looked up using the domain part (example.net) as a key, expected to return anything if it's a virtual alias domain, otherwise nothing i.e. that key should be undefined. Maps in virtual_alias_maps are looked up using the full address (destination@example.net) as a key, expected to return a rewritten address.

This means you can share a single map file for both look-ups, just like the simple hash map /etc/postfix/virtual explained in virtual(5). The default configuration of Postfix (virtual_alias_domains = $virtual_alias_maps) assumes a map of this mixed style.

example.net OK
aaa@example.net hijacked@example.com
bbb@example.net hijacked@example.com

The important rules of these look-ups are:

  • virtual_alias_maps are looked up recursively. If a lookup returns the same address as the key, that address is used.
  • If the final rewritten address returned by virtual_alias_maps is still in virtual_alias_domains, that lookup is regarded as a failure (User unknown in virtual alias table). This does not seem to be explicitly documented; I learned it from this thread.

Therefore, your first regexp map (/^.+$/ hijacked@example.com) and configuration are problematic, because the map matches everything, so hijacked@example.com is still in virtual_alias_domains and gets bounced.

You could avoid it by specifying nothing in virtual_alias_domains, or by using another regexp map that doesn't match a bare domain string (/^.+@.+$/ hijacked@example.com).

But neither of them looks to me like the correct configuration, rather a kind of unintuitive workaround. There would be a more suitable solution for your purpose, I think.

yaegashi
  • Okay, perhaps I didn’t understand the purpose of virtual_alias_domains correctly. According to the documentation: „Postfix is final destination for the specified list of virtual alias domains, that is, domains for which all addresses are aliased to addresses in other local or remote domains.” Does this mean that domains specified in virtual_alias_domains are domains in which addresses are strictly aliased to local addresses? Therefore the validation of recipients and the error? – Joó Ádám Jul 27 '15 at 14:23
  • Also, what would be the correct solution, in your opinion? – Joó Ádám Jul 27 '15 at 14:23
  • Okay, I think I got it. In virtual(5) it is said that „The main applications of virtual aliasing are: [...] To implement virtual alias domains where all addresses are aliased to addresses in other domains.” So specifying a domain as a virtual_alias_domain serves as a restriction to ensure that every address in that domain is strictly aliased to another address in another domain. Correct? – Joó Ádám Jul 27 '15 at 14:42
  • @JoóÁdám Yes, probably by those definitions you found, postfix regards itself as the final destination of mails to virtual_alias_domains, so it will accept such mails from external hosts but won't forward them to other hosts; those mail addresses must be resolved to addresses in other domains or local accounts by virtual_alias_maps. Wish we had a more intuitive diagnostic message other than User unknown in virtual alias table... – yaegashi Jul 28 '15 at 00:29
  • @JoóÁdám After all the investigating, I've come to the conclusion that just specifying a simple regexp map /@/ hijacked@example.com in virtual_alias_maps would do the best for your job with postfix. You could have a smtpd which is open to insiders according to smtpd_relay_restrictions. For my servers I usually install nullmailer with adminaddr setting. It provides /usr/sbin/sendmail and a spool for deferred mails, but no smtpd. – yaegashi Jul 28 '15 at 01:05
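The two look-up rules from the answer, modelled as an added example (not code from the thread or from Postfix). The function names are hypothetical, and the model covers only those two rules applied to the regexp tables quoted on this page, not Postfix's full address resolution.

```python
import re

def regexp_table(lines):
    """Parse '/pattern/ result' lines of a regexp: table (pattern flags not modelled)."""
    rules = []
    for line in lines:
        pattern, result = line.rsplit(None, 1)
        # regexp: tables match case-insensitively by default and always
        # see the whole key; the key is never split into user and @domain.
        rules.append((re.compile(pattern[1:-1], re.IGNORECASE), result))

    def lookup(key):
        for rx, result in rules:
            if rx.search(key):
                return result
        return None  # key undefined in this table

    return lookup

def resolve(rcpt, alias_maps, alias_domains, max_depth=10):
    """Model: rewrite recursively, then check the final address's domain."""
    addr = rcpt
    for _ in range(max_depth):
        rewritten = alias_maps(addr)       # key is the full address
        if rewritten is None or rewritten == addr:
            break                          # no match, or maps to itself
        addr = rewritten
    domain = addr.rpartition("@")[2]       # key is the bare domain
    if alias_domains is not None and alias_domains(domain) is not None:
        return ("bounced", addr)           # User unknown in virtual alias table
    return ("ok", addr)

RCPT = "destination@example.net"
catch_all = regexp_table(["/^.+$/ hijacked@example.com"])
needs_at = regexp_table(["/^.+@.+$/ hijacked@example.com"])
just_at = regexp_table(["/@/ hijacked@example.com"])

if __name__ == "__main__":
    # virtual_alias_domains = $virtual_alias_maps (the default): same table twice
    print("/^.+$/, default domains:   ", resolve(RCPT, catch_all, catch_all))
    # virtual_alias_domains = (empty): no domain is a virtual alias domain
    print("/^.+$/, empty domains:     ", resolve(RCPT, catch_all, None))
    # patterns requiring '@' never match the bare key 'example.com'
    print("/^.+@.+$/, default domains:", resolve(RCPT, needs_at, needs_at))
    print("/@/, default domains:      ", resolve(RCPT, just_at, just_at))
```

On a real system, `postmap -q example.com regexp:/etc/postfix/rewrite` shows whether the table returns anything for the bare domain key.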