
virtual_alias_domains fighting with relay_domains


Colin Campbell

Jul 4, 2007, 3:29:12 AM
Hi,

If I put a domain in virtual_alias_domains how do I accept email for
hosts in that domain, subdomains of that domain and hosts in subdomains
of that domain?

I've tried putting .domain in relay_domains but that doesn't work, I
just get "Relay access denied".

Colin
--
Colin Campbell
Unix Support/Postmaster/Hostmaster
Citec
+61 7 3227 6334

mouss

Jul 4, 2007, 4:56:13 AM
Colin Campbell wrote:
> Hi,
>
> If I put a domain in virtual_alias_domains how do I accept email for
> hosts in that domain, subdomains of that domain and hosts in subdomains
> of that domain?
>
> I've tried putting .domain in relay_domains but that doesn't work, I
> just get "Relay access denied".
>

try with

parent_domain_matches_subdomains =


(do read about what this means before complaining if it breaks something
else).

Colin Campbell

Jul 4, 2007, 7:28:59 PM
Hi,

On Wed, 2007-07-04 at 10:56 +0200, mouss wrote:
> Colin Campbell wrote:
> > Hi,
> >
> > If I put a domain in virtual_alias_domains how do I accept email for
> > hosts in that domain, subdomains of that domain and hosts in subdomains
> > of that domain?
> >
> > I've tried putting .domain in relay_domains but that doesn't work, I
> > just get "Relay access denied".
> >
>
> try with
>
> parent_domain_matches_subdomains =

I didn't go to that extreme. What I did do was remove relay_domains. So
I now have:

parent_domain_matches_subdomains = debug_peer_list,
    fast_flush_domains,
    mynetworks,
    permit_mx_backup_networks,
    qmqpd_authorized_clients,
    smtpd_access_maps

which is the default minus relay_domains, and

virtual_alias_domains = domain.tld
relay_domains = .domain.tld

and it all works as expected.

Thanks mouss,
Colin


>
>
> (do read about what this means before complaining if it breaks something
> else).
>

Colin Campbell

Jul 5, 2007, 3:22:33 AM
Hi,

On Thu, 2007-07-05 at 09:29 +1000, Colin Campbell wrote:
> Hi,
>
> On Wed, 2007-07-04 at 10:56 +0200, mouss wrote:
> > Colin Campbell wrote:
> > > Hi,
> > >
> > > If I put a domain in virtual_alias_domains how do I accept email for
> > > hosts in that domain, subdomains of that domain and hosts in subdomains
> > > of that domain?
> > >
> > > I've tried putting .domain in relay_domains but that doesn't work, I
> > > just get "Relay access denied".
> > >
> >
> > try with
> >
> > parent_domain_matches_subdomains =
>
> I didn't go to that extreme. What I did do was remove relay_domains. So
> I now have:
>
> parent_domain_matches_subdomains = debug_peer_list,
>     fast_flush_domains,
>     mynetworks,
>     permit_mx_backup_networks,
>     qmqpd_authorized_clients,
>     smtpd_access_maps
>
> which is the default minus relay_domains, and
>
> virtual_alias_domains = domain.tld
> relay_domains = .domain.tld
>
> and it all works as expected.

I guess I spoke too soon. :-(

virtual_alias_domains also has several sub.domain.tld entries.

Now I get lots of "warning: do not list domain sub.domain.tld in BOTH
virtual_alias_domains and relay_domains"

I guess I'll just have to ignore the warnings, unless anyone has a
better idea.

Colin

mouss

Jul 5, 2007, 4:57:16 AM
Colin Campbell wrote:
> Hi,
>
> On Thu, 2007-07-05 at 09:29 +1000, Colin Campbell wrote:
>
>> Hi,
>>
>> On Wed, 2007-07-04 at 10:56 +0200, mouss wrote:
>>
>>> Colin Campbell wrote:
>>>
>>>> Hi,
>>>>
>>>> If I put a domain in virtual_alias_domains how do I accept email for
>>>> hosts in that domain, subdomains of that domain and hosts in subdomains
>>>> of that domain?
>>>>
>>>> I've tried putting .domain in relay_domains but that doesn't work, I
>>>> just get "Relay access denied".
>>>>
>>>>
>>> try with
>>>
>>> parent_domain_matches_subdomains =
>>>
>> I didn't go to that extreme. What I did do was remove relay_domains. So
>> I now have:
>>
>> parent_domain_matches_subdomains = debug_peer_list,
>>     fast_flush_domains,
>>     mynetworks,
>>     permit_mx_backup_networks,
>>     qmqpd_authorized_clients,
>>     smtpd_access_maps
>>

The recommended practice now is what I suggested. you should use '.' in
your maps instead of erlyin on parentd_omain_blahblah magic.

See
http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

>> which is the default minus relay_domains, and
>>
>> virtual_alias_domains = domain.tld
>> relay_domains = .domain.tld
>>
>> and it all works as expected.
>>
>
> I guess I spoke too soon. :-(
>
> virtual_alias_domains also has several sub.domain.tld entries.
>
> Now I get lots of "warning: do not list domain sub.domain.tld in BOTH
> virtual_alias_domains and relay_domains"
>
> I guess I'll just have to ignore the warnings, unless anyone has a
> better idea.
>

do not ignore warnings. Instead, remove the domain from
virtual_alias_domains and put it in relay_domains.


Colin Campbell

Jul 5, 2007, 6:16:01 AM
Hi,

Interesting spelling of "relying" methinks :-)


>
> See
> http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
>
> >> which is the default minus relay_domains, and
> >>
> >> virtual_alias_domains = domain.tld
> >> relay_domains = .domain.tld
> >>
> >> and it all works as expected.
> >>
> >
> > I guess I spoke too soon. :-(
> >
> > virtual_alias_domains also has several sub.domain.tld entries.
> >
> > Now I get lots of "warning: do not list domain sub.domain.tld in BOTH
> > virtual_alias_domains and relay_domains"
> >
> > I guess I'll just have to ignore the warnings, unless anyone has a
> > better idea.
> >
> do not ignore warnings. Instead, remove the domain from
> virtual_alias_domains and put it in relay_domains.

I guess I haven't been clear enough.

In virtual_alias_domains I have my top level domain, in this case
"citec.com.au". I need to do rewrites on addresses in that domain, hence
it's in virtual_alias_domains. There are several sub domains of
citec.com.au that require rewrites as well. They're, as required, in
virtual_alias_domains. However I need to accept email for
somehost.citec.com.au (many of), otherdomain.citec.com.au (many of) and
somehost.subdomain.citec.com.au (many of). I can't put them all in
virtual_alias_domains. To the best of my limited Postfix knowledge, they
have to be in relay_domains. I can't take those in virtual_alias_domains
out and put them into relay_domains cos I need to do the rewrites.

What I'm expecting, perhaps naively, is that postfix would behave
something like DNS does with wildcard MX records - if a specific entry
exists (eg subdomain.citec.com.au) in a table, use that otherwise if a
"wildcard" (eg .citec.com.au) exists in some other table, then use that,
else fail.

In transport and relay_domains (I believe p_d_m_s doesn't support
virtual_alias_domains) I am using "." to avoid
"parent_domain_matches_subdomains". As far as I know I'm not relying on
that variable for anything "useful" although I'm more than happy to be
corrected.

So, if someone can tell me how to have:

domain.tld, sub1.domain.tld, sub2.domain.tld, host.domain.tld

in virtual_alias_domains, and at the same time accept, without warnings,
email for

sub3.domain.tld, host2.domain.tld, host1.sub4.domain.tld

then, I'm all ears.

mouss

Jul 5, 2007, 7:00:47 AM
Colin Campbell wrote:
> [snip]

> I guess I haven't been clear enough.
>
> In virtual_alias_domains I have my top level domain, in this case
> "citec.com.au". I need to do rewrites on addresses in that domain, hence
> it's in virtual_alias_domains.

I understood that, but the rewrite is done by virtual_alias_maps, not
virtual_domain_maps. so putting the domain in relay domains will not
change the situation.

> There are several sub domains of
> citec.com.au that require rewrites as well. They're, as required, in
> virtual_alias_domains. However I need to accept email for
> somehost.citec.com.au (many of), otherdomain.citec.com.au (many of) and
> somehost.subdomain.citec.com.au (many of). I can't put them all in
> virtual_alias_domains. To the best of my limited Postfix knowledge, they
> have to be in relay_domains. I can't take those in virtual_alias_domains
> out and put them into relay_domains cos I need to do the rewrites.
>
> What I'm expecting, perhaps naively, is that postfix would behave
> something like DNS does with wildcard MX records - if a specific entry
> exists (eg subdomain.citec.com.au) in a table, use that otherwise if a
> "wildcard" (eg .citec.com.au) exists in some other table, then use that,
> else fail.
>
> In transport and relay_domains (I believe p_d_m_s doesn't support
> virtual_alias_domains) I am using "." to avoid
> "parent_domain_matches_subdomains". As far as I know I'm not relying on
> that variable for anything "useful" although I'm more than happy to be
> corrected.
>
> So, if someone can tell me how to have:
>
> domain.tld, sub1.domain.tld, sub2.domain.tld, host.domain.tld
>
> in virtual_alias_domains, and at the same time accept, without warnings,
> email for
>
> sub3.domain.tld, host2.domain.tld, host1.sub4.domain.tld
>

you can list the domains one by one in whatever class they should be.
otherwise, put them all under relay_domains and let virtual_alias_maps
do the rewrite (which is anyway necessary. virtual_alias_domains will
only tell postfix to accept mail for that domain, it won't help for
delivery).

Colin Campbell

Jul 5, 2007, 8:20:54 PM
Hi,

So, if I understand this now, it doesn't matter where a "virtual" domain
is listed as long as it's listed somewhere. The rewrites in
virtual_alias_maps will occur if the domain is in virtual_alias_domains
or in relay_domains. Just make sure it isn't in both.

I guess then the only difference between virtual_alias_domains and
relay_domains is that:

- a domain in virtual_alias_domains MUST have entries in
virtual_alias_maps

- a domain in relay_domains doesn't require virtual_alias_maps entries but
if they exist they will be used

Anywhere near correct?

mouss

Jul 6, 2007, 10:53:17 AM
Colin Campbell wrote:
> So, if I understand this now, it doesn't matter where a "virtual" domain
> is listed as long as it's listed somewhere. The rewrites in
> virtual_alias_maps will occur if the domain is in virtual_alias_domains
> or in relay_domains. Just make sure it isn't in both.
>

The rewrite in virtual_alias_maps does not depend on the domain class.
It even occurs for "foreign" domains (if you add a virtual alias for a
yahoo or gmail address, it will apply).

The only caveat here is address validation. with a virtual alias domain,
if the recipient is not in virtual_alias_maps, it will be rejected. with
relay domains, the address is rejected if it is not in either
relay_recipient_maps or virtual_alias_maps, EXCEPT if you set
relay_recipient_maps =
(which is the default). In this case, all addresses will be accepted
(and most probably bounced), which is bad.

so make sure you don't use an "empty" relay_recipient_maps.

> I guess then the only difference between virtual_alias_domains and
> relay_domains is that:
>
> - a domain in virtual_alias_domains MUST have entries in
> virtual_alias_maps
>
> - a domain in relay_domains doesn't require virtual_alias_maps entries but
> if they exist they will be used
>

yes. but unlike virtual_alias_domains, if you disable address validation
by using an empty relay_recipient_maps, all such addresses will be
accepted, which is not good.
> Anywhere near correct?
>
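
The recipient-validation rules described in the message above, as an added example: a simplified Python model written for this page, not Postfix code and not something posted by either participant. The function names and table contents are hypothetical; it assumes virtual_alias_domains is matched exactly and relay_domains uses "." patterns, as in Colin's configuration.

```python
# Simplified model of the behaviour described in this thread; not Postfix code.
# Function names and all table contents are constructed for illustration.

def domain_matches(domain, patterns):
    """'x.tld' matches exactly; '.x.tld' matches any subdomain of x.tld."""
    return any(domain.endswith(p) if p.startswith(".") else domain == p
               for p in patterns)

def check_recipient(rcpt, cfg):
    """Return (verdict, warnings) for one RCPT TO address."""
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[1]
    warnings = []
    in_virtual = domain in cfg["virtual_alias_domains"]   # assumed exact match
    in_relay = domain_matches(domain, cfg["relay_domains"])
    if in_virtual and in_relay:
        warnings.append(f"do not list domain {domain} in BOTH "
                        "virtual_alias_domains and relay_domains")
    known = rcpt in cfg["virtual_alias_maps"]
    if in_virtual:
        return ("accept" if known else "reject: unknown user"), warnings
    if in_relay:
        if not cfg["relay_recipient_maps"]:
            # Empty relay_recipient_maps: accepted now, most probably bounced later.
            return "accept (unvalidated)", warnings
        known = known or rcpt in cfg["relay_recipient_maps"]
        return ("accept" if known else "reject: unknown user"), warnings
    return "reject: relay access denied", warnings

# Colin's layout: a '.' wildcard that overlaps a listed virtual alias domain.
OVERLAP = {
    "virtual_alias_domains": {"domain.tld", "sub1.domain.tld"},
    "relay_domains": [".domain.tld"],
    "virtual_alias_maps": {"postmaster@domain.tld", "ops@sub1.domain.tld"},
    "relay_recipient_maps": set(),          # the empty default
}
# mouss's suggestion: one class (relay_domains) plus a recipient list.
SINGLE_CLASS = {
    "virtual_alias_domains": set(),
    "relay_domains": ["domain.tld", ".domain.tld"],
    "virtual_alias_maps": OVERLAP["virtual_alias_maps"],
    "relay_recipient_maps": {"root@host2.domain.tld"},
}

if __name__ == "__main__":
    for name, cfg in (("overlap", OVERLAP), ("single class", SINGLE_CLASS)):
        for rcpt in ("ops@sub1.domain.tld", "nobody@host2.domain.tld"):
            print(name, rcpt, *check_recipient(rcpt, cfg))
```

With the overlapping layout the unknown address at host2.domain.tld is accepted without validation; with a single class and a non-empty relay_recipient_maps it is rejected at RCPT time while the aliased address still passes.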
