From fc9f820d0cd363e127859af23e20b61eed71dc1e Mon Sep 17 00:00:00 2001
From: Micah
Date: Tue, 24 Nov 2015 15:11:47 -0500
Subject: stop delivering non-existing local user mail to leap-mx (#5431)

When mail comes in to the system, a lookup is done to see if it is a valid leap user, if it is, leap_mx now returns something of the form: uuid@deliver.local (see #5959). The virtual_mailbox_domains lists deliver.local, so postfix choses to deliver to virtual_mailbox_base (/var/mail/vmail) which has been hardcoded to the 'vmail' maildir and user. We want leap related mail and leap aliases to go through the virtual alias system, all the hard-coded universal aliases we want to go through the local system and we dont want these separate. Known domains that are considered 'virtual' will be forwarded or delivered to the vmail user, the rest rejected as unknown recipient, instead of being handed off to leap-mx. Previously, the way this was done is we leaned (too heavily) on the 'luser_relay' postfix configuration which sent anything that wasn't locally configured right to the leap_mx spool. That meant everything went there, including addresses that didn't exist, and leap-mx would then have to process those and bounce them. This removes the 'luser_relay' option, so any address that doesn't resolve properly to either a local address/alias, or a leap address or alias (through tcp lookups on 2424 and 4242) will get bounced as an unknown user.
Change-Id: I3c22e9383861b3794dd9adfd7aa6a0cf0a773a18
---
 puppet/modules/site_postfix/manifests/mx.pp | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_postfix/manifests')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 71d61621..de317205 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -30,13 +30,25 @@ class site_postfix::mx {
 'mailbox_size_limit':
 value => '0';
 'home_mailbox':
- value => 'Maildir/';
+ value => '';
+ 'virtual_mailbox_domains':
+ value => 'deliver.local';
+ 'virtual_mailbox_base':
+ value => '/var/mail/vmail';
+ 'virtual_mailbox_maps':
+ value => 'static:Maildir/';
 # Note: virtual-aliases map will take precedence over leap_mx
 # lookup (tcp:localhost)
 'virtual_alias_maps':
 value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242';
 'luser_relay':
- value => 'vmail';
+ value => '';
+ # uid and gid are set to an arbitrary hard-coded value here, this
+ # must match the 'vmail' user block below
+ 'virtual_uid_maps':
+ value => 'static:42424';
+ 'virtual_gid_maps':
+ value => 'static:42424';
 'smtpd_tls_received_header':
 value => 'yes';
 # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
@@ -67,11 +79,19 @@ class site_postfix::mx {
 # greater verbosity for debugging, take out for production
 #include site_postfix::debug
+ # Make the 'vmail' user for leap-mx. This user is where all legitimate,
+ # non-system mail is delivered so leap-mx can process it. Previously, we let
+ # the system pick a uid/gid, but we need to know what they are set to in order
+ # to set the virtual_uid_maps and virtual_gid_maps. Its a bit overkill write a
+ # fact just for this, so instead we pick arbitrary numbers that seem unlikely
+ # to be used and then use them in the postfix configuration
 user { 'vmail':
 ensure => present,
 comment => 'Leap Mailspool',
 home => '/var/mail/vmail',
 shell => '/bin/false',
+ uid => '42424',
+ gid => '42424',
 managehome => true,
 }
--
cgit v1.2.3
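Review bot: `'virtual_mailbox_maps'` set to `static:Maildir/` makes every localpart at `deliver.local` a valid recipient, so the unknown-user rejection this commit is after only holds for mail that reaches that domain through the alias/leap_mx rewrite. As far as this hunk shows, a message addressed directly to any address at `deliver.local` would be accepted and written to the vmail Maildir without a leap_mx lookup. If the smtpd recipient restrictions (outside this hunk) do not already refuse `deliver.local` as an envelope recipient from remote clients, that check should be added, and a comment above the entry would record the assumption, e.g. `# static: accepts any localpart; deliver.local must only be reachable via the leap_mx rewrite, never as a remote RCPT TO`. The literal 42424 is also written twice here and again in the `user` resource of the next hunk; one class-level variable would keep the three from drifting apart. The enclosing resource block starts and ends outside the hunk.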
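Review bot: `gid => '42424'` on the `user { 'vmail': }` resource names a numeric primary group, but no `group` resource with that GID is visible in the hunk. User providers built on useradd/usermod require a numeric group to exist already, so on a fresh node the user creation would presumably fail, and the spool would then not be owned by the uid/gid that `virtual_uid_maps`/`virtual_gid_maps` deliver as. If the group is not declared elsewhere in the class (the class body continues outside the hunk), add `group { 'vmail': ensure => present, gid => '42424' }` and `require => Group['vmail']` on the user. On nodes where vmail already exists with a system-assigned uid, files outside its home directory keep the old numeric owner after the change, which deserves a line in the new comment.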