Only rewrite sender when forwarding and dynamically exclude local domains

[chaosmaster]

A setup like this only rewrites the sender for mails going to external adresses
Additionally local domains are excluded from SRS

main.cf:

default_transport = smtp:127.0.0.1:10027
recipient_canonical_maps=tcp:localhost:10002
recipient_canonical_classes=envelope_recipient,header_recipient

master.cf:

cleanup-srs   unix  n       -       -       -       0       cleanup
        -o sender_canonical_maps=mysql:/etc/postfix/mysql_virtual_local_email.cf,tcp:localhost:10001
        -o sender_canonical_classes=envelope_sender

127.0.0.1:10027 inet    n       -       -       -       -       smtpd
        -o cleanup_service_name=cleanup-srs
        -o smtpd_tls_security_level=none
        -o content_filter=smtp:
        -o smtpd_recipient_restrictions=permit_mynetworks,reject

user = <DBUSER>
password = <DBPASS>
dbname = <DATABASE>
query = SELECT '%s' FROM domains WHERE domain='%d'
hosts = 127.0.0.1

The query just returns the address if the domain is valid, and therefore doesn't map to an SRS-address

[trefzer]

Thanks for you're idea, I just use it a little bit different:
I use a transport map, that chooses youre srs as transport if destination email starts with 'srs=' (so the redirection goes to srs=emailuser@emaildomain.org. In cleanup-srs I rewrite the destination address to emailuser@emaildomain.org, (so it's sort of opt-in for srs).

main.cf:

transport_maps = regexp:/regex_transport_srs
recipient_ ... (like above)

regex_transport_srs:
/^srs=.*@.*$/ smtp:127.0.0.1:10027

master.cf:

cleanup-srs unix  n       -       -       -       0       cleanup
      -o sender_canonical_maps=mysql:/mysql_virtual_domains_no_srs_maps.cf,tcp:127.0.0.1:10001
      -o sender_canonical_classes=envelope_sender
      -o recipient_canonical_maps=regexp:/regex_sender_canonical_srs

127.0.0.1:10027 .... (like above)

/regex_sender_canonical_srs:
/^srs=(.*)@(.*)$/ ${1}@${2}

Remark: you could also make an opt-out solution like this, if you use the default transport ....

[roehling]

Hey, I really like your solutions! As soon as I find time, I will put them into the README.

[benchonaut]

Ey Timo, das Posting ist 4 Jahre her , in der README steht nix dazu , aber "updated 2 weeks ago" daneben .. :)

[fisher006]

@trefzer I'm trying use your configuration in clean installation of https://www.iredmail.org
But doesn't work.

When I'm send message from yahoo -> local-alias -> gmail I don't have SRS headers at all.

Here is my configuration

in /etc/postfix/

two files:

-rw-r--r--   1 root root       28 04-10 09:18 regex_sender_canonical_srs
-rw-r--r--   1 root root       35 04-10 09:18 regex_transport_srs

in

/etc/postfix/mysql

mysql_virtual_domains_no_srs_maps.cf with SQL query

and in main.cnf

transport_maps = regexp:/etc/postfix/regex_transport_srs
recipient_canonical_maps=tcp:localhost:10002
recipient_canonical_classes=envelope_recipient,header_recipient

and master

cleanup-srs unix  n	  -	  -	  -	  0	  cleanup
      -o sender_canonical_maps=mysql:/etc/postfix/mysql/mysql_virtual_domains_no_srs_maps.cf,tcp:127.0.0.1:10001
      -o sender_canonical_classes=envelope_sender
      -o recipient_canonical_maps=regexp:/etc/postfix/regex_sender_canonical_srs

127.0.0.1:10027 inet    n	-	-	-	-	smtpd
        -o cleanup_service_name=cleanup-srs
        -o smtpd_tls_security_level=none
        -o content_filter=smtp:
        -o smtpd_recipient_restrictions=permit_mynetworks,reject

[trefzer]

where does the local alias points to ? (it needs to point to srs=gmailaddress, otherwise the postsrs transport is not used.
I can also state, that my setup works in my prod and test setup. So probably you need to debug a bit (is the transport used at all ? what does the log say ? what does postsrs log say ? etc.)

[RF3]

For those who don't want to use a SQL server just for the list of local mail addresses that SRS shouldn't be used on, there's a simpler and faster way. Replace

mysql:/etc/postfix/mysql_virtual_local_email.cf

with

hash:/etc/postfix/no_srs

Now add every existing local mail address to /etc/postfix/no_srs. Each entry looks like this:

name1@domain1     name1@domain1
name2@domain1     name2@domain1
...
name1@domain2     name1@domain2
name2@domain2     name2@domain2

If you already have a virtual_alias_maps file, then the no_srs table is not much different. Instead of returning the name of a local mailbox or an external mail address, no_srs returns the same address instead. A lookup hit therefore means to skip SRS (these table lookups basically simulate an already rewritten address, but in fact the address stays the same). A miss means that postsrsd is called next via

tcp:localhost:10001

and the mail address is rewritten. Don't forget to create/update the lookup table (no_srs.db) after you modified no_srs with

postmap hash:/etc/postfix/no_srs

[RhysMcW]

I installed postsrsd a few days ago and noticed all mail got SRS tagged and not just forwarded mail.
I then came across this topic and really like what @chaosmaster posted.
I tried the setup but keep getting and error on any outbound email (forwarded or not)

Oct  4 19:04:12 McWilliamsNX opendkim[19320]: 3B343100E5731: DKIM-Signature field added (s=mail, d=local.domain)
Oct  4 19:04:12 McWilliamsNX postfix/qmgr[32157]: 3B343100E5731: from=<email@local.domain>, size=1311, nrcpt=1 (queue active)
Oct  4 19:04:12 McWilliamsNX postfix/smtpd[32251]: connect from unknown[127.0.0.1]
Oct  4 19:04:12 McWilliamsNX postfix/smtpd[32251]: fatal: host/service localhost/8891 not found: Device or resource busy
Oct  4 19:04:12 McWilliamsNX postfix/smtpd[32226]: disconnect from localhost[127.0.0.1]
Oct  4 19:04:12 McWilliamsNX opendkim[19320]: cache: 244 queries, 68 hits (27%), 73 expired, 84 keys
Oct  4 19:04:13 McWilliamsNX postfix/master[32155]: warning: process /usr/libexec/postfix/smtpd pid 32251 exit status 1
Oct  4 19:04:13 McWilliamsNX postfix/master[32155]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Oct  4 19:04:13 McWilliamsNX postfix/smtp[32250]: 3B343100E5731: to=<email@external.domain>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.4, delays=0.4/0.02/1/0, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while receiving the initial server greeting)

The port 8891 is my DKIM setup but if I remove the DKIM relevant settings in main.cf I still get the same error but for port 10002
fatal: host/service localhost/10002 not found: Device or resource busy

[RhysMcW]

update on my previous post...
been playing around a little, I changed the "localhost" in the config to be 127.0.0.1 and now the outbound mail no longer fails as previous BUT it doesn't use my relayhost setting at all and tries to send direct to the target SMTP server but being on a dynamic IP it gets denied by that target server...
now to try figure out how to get the process to use the relayhost (and I wonder what else it's no longer doing???)???

[chaosmaster]

I believe you may have to change your http://www.postfix.org/postconf.5.html#relay_transport instead of default_transport

[RhysMcW]

Thanks for the reply @chaosmaster , it looked promising...
I changed the default_transport to be relay_transport in main.cf and this solved the standard outbound email working again by using the relayhost.
Now it seems to skip the SRS rewrite. I tested by sending from my gmail account to a local address that forwards to an external address. The email came in and attempted to send to the forward address (via the relayhost) but without doing the SRS rewrite...

[chaosmaster]

@RhysMcW
main.cf:
relay_transport = smtp:127.0.0.1:10027
master.cf:
-o content_filter=relay

[RhysMcW]

Thanks, gave that a try, unfortunately no difference, still no SRS rewriting.

[gklanderman]

RhysMcW did you ever figure out your problem?

I found this issue with great interest as it seemed like I should be able to use a similar technique to apply a content filter only to emails that come in on port 25 (but not 587) and which are being forwarded externally. I attempted to use '-o default_transport=smtp:127.0.0.1:10027' on the port 25 smtpd in master.cf, and then made a similar entry for the 127.0.0.1:10027 smtpd in master.cf as chaosmaster, but instead of setting cleanup_service_name, instead set content_filter to point to my content filter. But it is not working at all, no mail appears to be getting routed through 127.0.0.1:10027 or to my content filter.

Previously I had added '-o content_filter=...' in the port 25 smtpd, and that worked but was applied to both locally delivered and forwarded mail.

I currently suspect the issue with setting '-o default_transport=smtp:127.0.0.1:10027' in the port 25 smtpd is that the setting is used by a later process down the chain, and probably after mail from port 587 has merged into the processing chain. I'm going to play with some ideas around confirming that next, but thought I would post here first since it seems a few of you understand how postfix works much more deeply than I do, and have already been playing with ideas along these lines.

[MeneerDoktoor]

Having the same issue here. Trying to relay it to a different server, which is a spam filter, but no luck so far.

[gklanderman]

I decided I will need to create a multi-instance postfix configuration to do what I want but I think it will work. Unfortunately I have not had time to actually try it yet...

[kevinvalk]

I think I am missing something, but why can we not just use the canonical_maps without the extra internal SMTPD hop? Is there a reason for having the extra SMTPD service?

sender_canonical_maps = mysql:/etc/postfix/mysql_virtual_local_email.cf:127.0.0.1:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes = envelope_recipient, header_recipient

This is my config (well I am using a hash:mailboxes instead of mysql), but I believe this is working just fine. I.e. I read this as, rewrite the sender address to the sender address if the mailbox exist, if not, we are using postsrsd.

Anyone that can shine some light on why originally an extra SMTPD hop was introduced @chaosmaster?

[chaosmaster]

Wouldn't that also rewrite the senders of all incoming mails?

[kevinvalk]

Wouldn't that also rewrite the senders of all incoming mails?

You are correct...

Refusing to give up, I started playing around with receive_override_options and smtp_generic_maps. Alas, I was unable to get that to work for only the case when we are forwarding (and only changing the envelop).

I mean, your solution still works great :) and it works perfectly. Just for future reference, I have:

main.cf

## Sender Rewrite Scheme (SRS)
default_transport = smtp:127.0.0.1:10027
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes = envelope_recipient, header_recipient

master.cf

cleanup-srs     unix n - - - 0 cleanup
  -o syslog_name=postfix/srs
  -o sender_canonical_maps=hash:/etc/postfix/database/mailboxes,tcp:127.0.0.1:10001
  -o sender_canonical_classes=envelope_sender

127.0.0.1:10027 inet n - - - - smtpd
  -o syslog_name=postfix/srs
  -o smtpd_milters=
  -o cleanup_service_name=cleanup-srs
  -o smtpd_tls_security_level=none
  -o content_filter=smtp:
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

Note: smtpd_milters I put to empty to prevent rspamd from scanning twice

[RedJohn14]

Hello everyone,

If I past this on my master.cf my postfix won't restart "postfix/master[27350]: terminating on signal 15".

If I removed the mysql query "mysql:/etc/postfix/mysql_virtual_local_email.cf" from the master.cf the postfix service is up.

cleanup-srs   unix  n       -       -       -       0       cleanup
        -o sender_canonical_maps=mysql:/etc/postfix/mysql_virtual_local_email.cf,tcp:localhost:10001
        -o sender_canonical_classes=envelope_sender

127.0.0.1:10027 inet    n       -       -       -       -       smtpd
        -o cleanup_service_name=cleanup-srs
        -o smtpd_tls_security_level=none
        -o content_filter=smtp:
        -o smtpd_recipient_restrictions=permit_mynetworks,reject

Any ideas what I can do? I also used postfix with amavis for spam protection. In my main.cf I have this:

content_filter=smtp-amavis:[127.0.0.1]:10024

recipient_canonical_maps=tcp:localhost:10002
recipient_canonical_classes= envelope_recipient

I have no default transport any ideas?

[benchonaut]

amavis will ( by default ) squat port 10027 , so maybe use 10029 ( or search other free ones e.g. with netstat -ptenl

[benchonaut]

[SOLVED] - postsrsd v1 v2 forward and reverse and the answers to many questions

IMPORTANT NOTE:

• postsrsd is only the 2nd best (fallback) solution
• if you are not able to remove DKIM signatures you might put your mailserver/sending domain into trouble as well
• the preferred way is a sieve enabled mailbox doing this script after changing 90-sieve.conf to sieve_extensions = +notify +imapflags +editheader:

require ["fileinto", "editheader", "variables", "regex", "envelope"];
if allof(    not header :contains ["x-spam-level"] "****", not header :contains ["X-Spam-Report"] "FROM_ILLEGAL_CHARS") {
 
 if allof(exists "Reply-To" ,header :matches "from" "*", not header :is "reply-to" "${1}") {
 deleteheader "From";
 deleteheader "To";
 deleteheader :contains "DKIM-Signature";
 deleteheader :contains "DomainKey-Signature";
 deleteheader :contains "X-DKIM";
 deleteheader :contains "X-DomainKeys";
 deleteheader :contains "Return-Path";
 addheader "Return-Path" "${1}";
 addheader "X-Original-To" "the-forwarding-box@hosted-domain.tld";
 addheader "X-Original-From" "${1}";
 addheader "From" "the-forwarding-box@hosted-domain.tld";
 addheader "To" "target@outgoing.tld";
 redirect "target@outgoing.tld";
}
elsif envelope :matches "From" "MAILER-DAEMON@*" {
## adjust MAILER-DAEMON@* to double_bounce_sender
 deleteheader "To";
 deleteheader "From";
 deleteheader :contains "DKIM-Signature";
 deleteheader :contains "DomainKey-Signature";
 deleteheader :contains "X-DKIM";
 deleteheader :contains "X-DomainKeys";
 deleteheader :contains "Return-Path";
 addheader "From" "the-forwarding-box@hosted-domain.tld";
 addheader "To" "troublecounter@mail-domain.tld";
 redirect "troublecounter@mail-domain.tld";
}
elsif envelope :matches "From" "*" {
 addheader "Reply-To" "${1}";
 deleteheader "From";
 deleteheader "To";
 deleteheader :contains "DKIM-Signature";
 deleteheader :contains "DomainKey-Signature";
 deleteheader :contains "X-DKIM";
 deleteheader :contains "X-DomainKeys";
 deleteheader :contains "Return-Path";
 addheader "X-Original-To" "the-forwarding-box@hosted-domain.tld";
 addheader "X-Original-From" "${1}";
 addheader "Return-Path" "${1}";
 addheader "From" "the-forwarding-box@hosted-domain.tld";
 addheader "To" "target@outgoing.tld";
 redirect "target@outgoing.tld";
}
}

situation:

• had no success with the port mapping in master.cf approach
• same problem for multiple systems , ancient forwards for tons of domains effectively dropping the reputation
• provider got blacklisted, provider showed no interest in countermeasures ( google who used froxlor as default ;D )
• transport mapping/etc already used to catch spammers from pickup ( www-data@ in that case )
  ( client_restrictions → check_sender_access hash:/etc/postfix/sender_access→

  www-data@mailserver.tld    550 Blacklisted
  blocked.tld DISCARD
  vserver.xyz.tld     OK
  

  sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport →

  www-data@mailserver.tld smtp:127.0.0.1:25666
  ## a fake smtp transport just dropping
  

• needed selective sending via external Service ( SES ) , but couldn't add 300+ domains at once
• amazon failed on SRS ( even though the srs-rewrite-domain was correctly registered and sent with DKIM etc.)
  (hint: use Amazon_SES BYOD , with pre-generated DNS will verify very quickly )
  (hint: remember to remove first and last line + line breaks from files before entering them into BYOD forms)
• only one site said amazon would accept SES , a already deleted reply from amazon support said they don't
  
• murphys law kicked in ... during testing everything went well , later on ( even with domains already tested) it said e.g.

Jan 20 11:36:54 mail postfix/smtp[24995]: 290E26B060: to=<ABCD@efg.tld>, orig_to=<123@456.tld>, 
relay=email-smtp.eu-central-1.amazonaws.com[18.195.201.145]:587, delay=0.24, delays=0.01/0.02/0.14/0.08, dsn=5.0.0, 
status=bounced (host 
email-smtp.eu-central-1.amazonaws.com[18.195.201.145] said: 554 Access denied: User 
`arn:aws:iam::123456789012:user/awssmtpusername' is not authorized to perform `ses:SendRawEmail' 
on resource `arn:aws:ses:eu-central-1:1234567789:identity/sender@fromdomain.tld' (in reply to end of DATA command))

↑↑ line breaks inserted for readability

the final (?) solution :

# PostSRSd settings.
## ATTENTION  _ 2023-01 _ addded local domain check to prevent SRS on local domains
sender_canonical_maps = mysql:/etc/postfix/virtual/mysql-no-srs.cf,tcp:127.0.0.1:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps =  pcre:/etc/postfix/regex_recipient_srs,tcp:127.0.0.1:10002
recipient_canonical_classes= envelope_recipient,header_recipient

---

/etc/postfix/virtual/mysql-no-srs.cf

user = vmail
password = 000_SCRUBBED_000
hosts = 127.0.0.1

## standardized query
query = SELECT IFNULL( (select concat('%u',"@",domain) from domains where domain='%d' LIMIT 1), IFNULL((SELECT source FROM aliases WHERE source='%u@%d' LIMIT 1),(SELECT CONCAT(username, '@', domain) FROM users WHERE username='%u' AND domain='%d' LIMIT 1) ) )
## the ugly froxlor
# query = SELECT IFNULL( (select concat('%u',"@",domain) from panel_domains where domain='%d'  AND isemaildomain = '1' LIMIT 1), IFNULL((SELECT email FROM mail_virtual WHERE email='%u@%d' LIMIT  1),(SELECT email FROM mail_users WHERE email='%u@%d' LIMIT 1) ) )

/etc/postfix/regex_recipient_srs

/^((?!SRS0=|!?srs=).*)@(.*)$/ $1@$2

---

v1/v2

v1	v2
sender_canonical_maps = mysql:/etc/postfix/virtual/mysql-no-srs.cf,tcp:127.0.0.1:10001	sender_canonical_maps = mysql:/etc/postfix/virtual/mysql-no-srs.cf,socketmap:unix:srs:forward
recipient_canonical_maps = pcre:/etc/postfix/regex_recipient_srs,tcp:127.0.0.1:10002	recipient_canonical_maps = pcre:/etc/postfix/regex_recipient_srs,socketmap:unix:srs:reverse

non-virtual-setup

when having a no-virtual-mail setup ( e.g. no mailboxes in the system and you are a smarthost for multiple senders ),
OR IF YOU NEED TO BYPASS MAILS FROM THE SYSTEM MAILNAME , you can also use a pcre like this (v2 example):

sender_canonical_maps = regexp:/etc/postfix/regex_recipient_srs,socketmap:unix:srs:forward

OR ( to have the PCRE and MYSQL checked):

sender_canonical_maps = regexp:/etc/postfix/regex_recipient_srs,mysql:/etc/postfix/virtual/mysql-no-srs.cf,socketmap:unix:srs:forward

and in the file /etc/postfix/regex_recipient_srs:

/(.*)@mydomain.tld$/ $1@mydomain.tld
/(.*)@auxdomain.tld$/ $1@auxdomain.tld

but only do this if you are certain ..

---

NOTES:

• as you see tcp is engaged it is obviously v1 , you can easily adapt it from the current README by replacing tcp:....

• tcp:10001 is the part that changes sent mails according to the MAILNAME to "thingy=strange@mailname.tld" ( OUTGOING )

• tcp:10002 is the part that changes SRS0=adsasdb.... into a "real" sender sender@domain.tld for processing ( INCOMING )

• hint: the chain of canonical maps is "hit first" and with regex there are no negative matches possible like this, the solution was to "return everything that not matches ( SRS0=.* OR srs=.* ) , only if the there is no match the reversal is passed to postsrs

• hint²: * queries hit early on local domains , that is way quicker , especially under load ,
  the outgoing query is a nested thingy , IFNULL in mysql will return the right wingy if there is no left wingy ( as in RL :( ) ,
  so the match on local domains will be the earliest one and as there were misconfigured setups with local domains in
  mydestination but not in panel_domains , the solution will search through aliases and virtual users as well ,
  but in the end the only question from the smtp-sending-server perspective is "does that sender domain belong to me?" ,
  this could also be done on a dns basis for smarthosts ..

• basically in modern times smtp servers should also engage DKIM-header removal when forwarding , e.g. with opendkim RemoveOldSignatures setting and BYOD , that does the trick with e.g. SES/mail[gun/chimp] and prevents you from seeing 554 Transaction failed: Duplicate header 'DKIM-Signature'.

NOTE²:

when forwarding ,

• check that you have a complete forward→ip←reverse(==forward) DNS setup
  eg. dns[A]=one.one.one.one == 1.1.1.1 , and the reverse PTR for the ip 1.1.1.1 is 1.1.1.1.in-addr.arpa domain name pointer one.one.one.one. , you can check this with valli
• check that you are not blacklisted , you can check this with valli
• GET YOUR rspamd/clamav/spamassasin/whatever setup done correctly ,
  in the worst case scenario you are sending (signed) spam from your domain,
  effectively dropping the reputation each time , especially with rewritten FROM headers ( either by sieve OR postsrs)

FWD_DETAIL³:

if you have a setup with virtual users you should only adjust the sql config query,
unless you are able to deploy DKIM (re-)signing properly , when forwarding hotmail/o365 will just say fck u ,
especially when you do not rewrite senders ,any final mail server might even refuse the mail since :

• the mail FROM header was not changed and obviously "your-random-vps.theinter.netz.lan" is NOT in the SPF record of e.g. anyone@yahoo.com , this is why people would engage postSRS

• the DKIM headers might or might not be accepted ( the refer to the senders mail adress ) , providers like hotmail DISLIKE having DKIM headers from "another" mailserver, and with postSRS you will have a FROM adress that is strange=somenthing-original@yourmailserver.tld , so it will work when people send non-DKIM-signed mails to you , but "randomly" fail ( maybe due to DKIM , maybe due to spam contents in the forward )

• try to prevent catch-all-to-forward situations, if so , use a sieve thingy like above , so at least spam level 4 and 5 are excluded from forwards

• the assumption is you already filtered all "non-spf-matching" and "non-reverse-dns" senders in your setup , if not do this as well

FWD_NOTES FLOPMAIL(hotmail) / outage365(office365) ( and other large providers ) :

• when you send to hotmail it is URGENTLY REQUIRED to register with their SNDS feedback , so you are noticed if your mailserver reputation drops , especially non-DKIM-signed mails will at least decrease the probability to get through HARDLY

• if you reliably need to get mails INTO hotmail , maybe look for something like imapsync with the purge option , leave the mails on your "forwarding" VPS and sync them via cron , if they switch off imap one day (like zoho) , you might switch to tailored solutions like davmail for imap

• forwarding to hotmail/gmail has never been funny, and over the years it became more pain than ease , especially since hotmail_o365/telekom/google also blocks you via RBLs,
  amongst them e.g. hotmail_o365/telekom use the "famous" UCEPROTECT L1/L2
  ( and it seems like they are taking L3 into account but not as direct disqualification reason) .
  With these blacklists you wont have a chance if SOMEONE IN YOUR IP RANGE (e.g. neighbour VPS) does ugly things ( send to mailtraps , in that case the ones with e.g. nirvana.admins.ws as MX entry ) ,

• so the "last-resort" would also be NOT to send from your real vps IP , and instead use sender_dependent_transport_maps in conjunction with your MAILNAME (the postsrs domain ) and one or more external providers like mail[gun|trap]/sendinblue/SES , in that case maybe engage a randmap for the relayhost like:
  transport_maps=randmap:{smtp:servera.smtp.lan:2525,smtp:serverb.smtp.lan:587,smtp:servera.smtp.lan:2525,smtp:serverb.smtp.lan:587}
  ( using the values 2 times for only 2 entries is no mistake , since only 2 entries lead to "not-so-random" results )
  also you could use smtp_fallback_relay=[another.smtp.lan]:25 but here one problem is that you would need sender_dependent_transport_maps unless all sending domains are enabled with your (fallback-)smtp provider
  and that most of the external smtp providers do not return failure status when sending , they have long queues with feedback mechanisms and basically always say 250 queued, so the round-robin+fallback mechanism only works for "not being able to connect, not enough credits, password not accepted" and other cases that result in a "direct" error during the session

• to prevent backscattering etc, engage reject_unverified_recipient when having virtual users, so your system does reject within the session and will not send bounce-mail when the user doesnt exist

---

02/23 queries + configs updated -> sorry if you already deployed .. the pcre/regexp is not allowed to return tcp:... , only match incoming/outgoing addresses or not as in the previous post version

[mezcalf]

Hello,
I have tried with postfixadmin database. mysql-no-srs.cf is not working. I don´t have domains, aliases and users tables.

I have tried:
query = SELECT address FROM alias WHERE address='%s' AND active = 1

All emails are rewriting even they are not forwarding.
Is it possible to rewrite only forward emails?

[benchonaut]

@mezcalf
query = SELECT address FROM alias WHERE address=%u@%dAND active = 1
maybe

( if i find time i will look into a postfixadmin instance , but your query should generally also get "real users" on yout system, not only forwards or you have to inverse logic )

[kwisatz]

@benchonaut I'm sure your post is a treasure trove of useful information, unfortunately it is also very hard to read and make sense of.

I probably know how that document came to be, I have the same type of draft open in another window right now, and if you find the time, I would greatly appreciate if you could sort it out a bit, add context, name code blocks, etc.

[benchonaut]

@kwisatz we can go byclicling , but i am not gonna do your work , sorry ..

for me it's currently 10 times more readable than all postfix/sieve/RFC pages
one had to go through..

and to be honest, go somewhere where they charge $$$ and use it for changing ip's etc,
at least for the sending part .. the shittification of the internet has gone so far , that

• tcp/25 is blocked by default in many VPS, some ISP unlock on request

• even gmail is sometimes blacklisted ,

• hotmail/telekom tends does not accept "larger" ISP's like strato / ionos / dig.ocean / hetzner several times a week

• policys are not kept ,

  • there are hosters who lock down ip4's before its too late ( hetzner ) ,
  • there are ISP's who seemed to pay UCEPROTECT ( medium, famous for typo3/contao )
  • there are ISP's NETCUP ( and in this case the name has to be dropped)
    • that did'nt warn customers that their "DEFAULT" froxlor stores cleartext passwords ( GDPR any1? ) ,
    • shipped VPS with a default config that is more or less an invitation for transport-injected phpmail-spam
    • did not take action after they were mailed and phoned that one of their ip's is causing a UCEProtect Level3(ASN level) block , and even said "tUCEProtect wants too much , we're not gonna pay" ( instead of preventing that beforehand )

• players like mailchannels let people send without at least spf checking
  etc.

I have the same type of draft open in another window right now

with 90% copy pasted ? why not post it ?

regards

---

notes:

I am not a fan of UCEProtect , but since other ISP's /RBL's obviously take them into account , one should at least beware ,
and always beware of "Dirk Lautenschläger" from UCEProtect

[mezcalf]

@benchonaut

postfixadmin database structure

table alias:
address goto domain created modified active

examples:
	only mailbox delivery:
	user1@mydomain.tld	user1@mydomain.tld	mydomain.tld 2015-09-02 13:48:53	2015-09-02 13:48:53	1

	only forward:
	user1@mydomain.tld	user@externaldomain.tld	mydomain.tld 2015-09-02 13:48:53	2015-09-02 13:48:53	1

	mailbox delivery and forward:
	user1@mydomain.tld	user@externaldomain.tld,user2@myotherdomain.tld,user1@mydomain.tld	mydomain.tld 2015-09-02 13:48:53	2015-09-02 13:48:53	1

table alias_domain:
alias_domain target_domain created modified active

table domain:
domain description aliases mailboxes maxquota quota transport backupmx created modified active password_expiry

examples:
	mydomain.tld 		10 	10 	15000 	0 	virtual 	0 	2015-10-16 13:23:13 	2022-05-05 09:52:14 	1 	0

table mailbox:
username password name maildir quota local_part domain created modified active phone email_other token token_validity password_expiry

examples:
	user1@mydomain.tld 	$1$2bd1951b$36eGddsqo32KmTlYoFNPv0 	Peter 	user1@mydomain.tld/ 	15360000000 	user1 	mydomain.tld 	2019-02-04 11:18:17 	2019-02-04 11:18:17 	1 		2019-02-04 11:18:17 	2000-01-01 00:00:00

Should be tables domains -> domain, aliases -> alias and users -> mailbox and then query?

query = SELECT IFNULL( (SELECT CONCAT('%u',"@",domain) FROM domain WHERE domain='%d' AND active=1 LIMIT 1), IFNULL((SELECT address FROM alias WHERE address='%u@%d' AND active=1 LIMIT 1),(SELECT username FROM mailbox WHERE username=CONCAT('%u', '@', '%d') AND active=1 LIMIT 1) ) )