Postfix virtual alias domain matching with regular expression virtual alias map

Using Postfix (2.11.3) I want to redirect all mail to an external address.

/etc/postfix/main.cf:

virtual_alias_maps = regexp:/etc/postfix/rewrite

/etc/postfix/rewrite:

/^.+$/ hijacked@example.com

Sending mail to destination@example.net, the following error occurs:

[...] to=<hijacked@example.com>, orig_to=<destination@example.net> [...] status=bounced (User unknown in virtual alias table)

Documentation says:

Valid recipient addresses are listed with the virtual_alias_maps parameter. The Postfix SMTP server rejects invalid recipients with “User unknown in virtual alias table”.

Turns out, the error has something to do with validation of virtual alias domains: virtual_alias_domains by default is $virtual_alias_maps, and setting it to anything else (to a non-matching domain or even leaving it empty) resolves the issue.

Another solution I found in an answer is giving the regular expression in another form:

/^.+@.+$/ hijacked@example.com

So my question is, how does validation of alias domains work when using regular expression tables for virtual aliasing? Why does setting virtual_alias_domains to anything else solve the issue? How are the above two patterns, which are equivalent address-mapping-wise, different?

Output of postconf -n is:

config_directory = /etc/postfix
inet_interfaces = loopback-only
inet_protocols = ipv4
mydestination =
myhostname = example.org
myorigin = $myhostname
virtual_alias_domains =
virtual_alias_maps = regexp:/etc/postfix/rewrite
Asked By: Joó Ádám


Suppose here you have a mail for destination@example.net to be delivered.

Maps specified in virtual_alias_domains are looked up using the domain part (example.net) as a key, and are expected to return anything if it’s a virtual alias domain, otherwise nothing, i.e. that key should be undefined. Maps in virtual_alias_maps are looked up using the full address (destination@example.net) as a key, and are expected to return a rewritten address.

This means you can share a single map file for both look-ups, just like the simple hash map /etc/postfix/virtual explained in virtual(5). The default configuration of Postfix (virtual_alias_domains = $virtual_alias_maps) assumes a map of this mixed style.

example.net OK
aaa@example.net hijacked@example.com
bbb@example.net hijacked@example.com

The important rules of these look-ups are:

  • virtual_alias_maps are recursively looked up. If it returns the same address as the key, that address is used.
  • If the final rewritten address returned by virtual_alias_maps is still in virtual_alias_domains, that lookup is regarded as a failure (User unknown in virtual alias table). This does not seem to be explicitly documented; I learned it from this thread.

Therefore, your first regexp map (/^.+$/ hijacked@example.com) and configuration are problematic, because the map matches everything, so hijacked@example.com is still in virtual_alias_domains and gets bounced.

You could avoid it by specifying nothing in virtual_alias_domains, or by using another regexp map that doesn’t match a single domain string (/^.+@.+$/ hijacked@example.com).

But neither of them looks to me like the correct configuration, but rather a kind of unintuitive workaround. There would be a more suitable solution for your purpose, I think.

Answered By: yaegashi
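
The lookups described in the answer above, as a simplified Python model added here for illustration (not Postfix code and not part of the original answer). The function names regexp_table, lookup and deliver are hypothetical, and the model covers only the two rules the answer lists.

```python
import re

# Simplified model of the lookups described in the answer; not Postfix source.
BOUNCE = "bounced (User unknown in virtual alias table)"


def regexp_table(lines):
    """Parse '/pattern/ result' lines into (compiled_regex, result) pairs."""
    table = []
    for line in lines:
        pattern, result = line.rsplit(None, 1)
        # Postfix regexp tables match case-insensitively by default.
        table.append((re.compile(pattern.strip("/"), re.IGNORECASE), result))
    return table


def lookup(table, key):
    """Return the result of the first pattern matching key, else None."""
    for regex, result in table:
        if regex.search(key):
            return result
    return None


def deliver(rcpt, alias_maps, alias_domains, max_depth=10):
    """Rewrite rcpt via alias_maps, then validate the final domain."""
    addr = rcpt
    for _ in range(max_depth):
        # virtual_alias_maps: keyed by the full address, applied recursively.
        rewritten = lookup(alias_maps, addr)
        if rewritten is None or rewritten == addr:
            break  # unchanged address ends the recursion
        addr = rewritten
    # virtual_alias_domains: keyed by the domain part only.
    domain = addr.rsplit("@", 1)[1]
    if lookup(alias_domains, domain) is not None:
        return BOUNCE  # final address is still in a virtual alias domain
    return "deliver to " + addr


# The two maps from the question.
catch_all = regexp_table(["/^.+$/ hijacked@example.com"])
needs_at = regexp_table(["/^.+@.+$/ hijacked@example.com"])

if __name__ == "__main__":
    rcpt = "destination@example.net"
    # Default: virtual_alias_domains = $virtual_alias_maps (same table).
    print("catch-all, default domains:", deliver(rcpt, catch_all, catch_all))
    print("catch-all, empty domains:  ", deliver(rcpt, catch_all, []))
    print("pattern with @, default:   ", deliver(rcpt, needs_at, needs_at))
```

The bare key example.com matches /^.+$/ but not /^.+@.+$/, which is the only difference between the first and third cases.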