[clue-admin] More Postfixing

David L. Anselmi anselmi at anselmi.us
Thu Jul 24 06:24:39 MDT 2008


Jed S. Baer wrote:
> On Wed, 23 Jul 2008 22:15:37 -0600
> David L. Anselmi wrote:
> 
>> Jed S. Baer wrote:
>>> Really, I see no reason for 90% of those aliases, and I'm tempted to
>>> just eliminate them altogether. Except that I think if I eliminated
>>> them, then mail to them would get accepted and then bounced, as
>>> opposed to rejected at SMTP time, and the latter is more efficient.
>>> No idea how much junk comes in for some of those.
>> I think if they weren't in aliases mail would get accepted for them and 
>> put on the spool.  The aliases are a way to send mail to those users to 
>> an account that might get read.
> 
> Okay, 90% was the wrong figure. But some of them really don't exist
> in /etc/passwd.

Sounds like CentOS doesn't manage aliases very well.

So if there's no account for an alias, just delete it.  Mail will be 
rejected at SMTP (and if it isn't then our config needs fixing).

I see you can alias to /dev/null so for the entries that do match 
accounts you can do that.  (Mail will get accepted for those users but 
that may be easier than figuring out how to reject it.)

>> So what you really want is a way to tell postfix "these users don't 
>> exist" even though they have entries in the passwd file.
>>
>> It looks like some clues are here:
>>
>> http://www.postfix.org/LOCAL_RECIPIENT_README.html
> 
> Well, sort of. That's actually coming at "these users don't exist" from
> the backside, by not specifying them as users that *do* exist. Which will
> work. Main thing would be that if we add, e.g., another mailing list,
> then someone has to remember to put all the Mailman aliases into the
> local recipient list.

Maybe not.  If you use $alias_maps and that comes from the alias file it 
will already be done.  Even so you already have to add them to aliases 
so it's easy to put a reminder there.  (Exim is more elegant about 
mailman lists.)

> 
>> but I don't know how old that is.  Instead of the default "look in 
>> passwd" you could make your own list of real users (or perhaps there's
>> a programmatic way to reject users less than the UID the daemons use).
> 
> Well, from what I can tell, the filtering capabilities operate on strings
> that are available either in the headers or body of the message.

Or in HELO, MAIL FROM, or RCPT TO.

> Of course, I've only stuck my toe in the water so far. I think one
> could write a custom milter to filter on UID of recipient(s), but I
> haven't gotten into that stuff yet. That sort of thing couldn't be
> used, AFAIK, to do a reject at SMTP time.

At SMTP time you use the values in the SMTP, not the message.

> It'd be possible to write a script to generate entries in, maybe, the
> access list for UIDs below some number.

I was thinking postfix would call the script to get the list for 
$local_recipient_maps.  It looks like that may not work, but that it can 
do database queries.  So then you script generating the database.

> I think I'll find the "pseudo" aliases that don't correspond to real
> accounts, and either remove them or make them reject.

Both will have the same effect, I think.

> Part of what I hope to do is not generate bounces, because that could
> backfire into a ton of backscatter spam.

I don't think that will happen.  But it's easy to test.

Dave
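
One way to script the "generate the database" idea from the thread, as an added example that is not part of the original message: it lists passwd accounts at or above a UID cutoff as a lookup-table source for local_recipient_maps, and lists alias names that match no passwd account. The cutoff of 500, the path /etc/postfix/local_recipients and the sample data are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: MIN_UID 500 and the output path
# /etc/postfix/local_recipients are hypothetical; sample data is constructed.

# real_users PASSWD [MIN_UID]: "name OK" for accounts that should get mail.
real_users() {
    awk -F: -v min="${2:-500}" '
        /^#/ || $3 !~ /^[0-9]+$/ { next }           # comments, malformed rows
        $3 + 0 >= min && $7 !~ /(nologin|false)$/ { print $1 " OK" }
    ' "$1" | LC_ALL=C sort -u
}

# orphan_aliases PASSWD ALIASES: alias names with no passwd entry.
# Mailing-list aliases show up here too; review before deleting anything.
orphan_aliases() {
    awk -F: '
        NR == FNR { if ($0 !~ /^#/) have[$1] = 1; next }   # first file: passwd
        /^[[:space:]]*(#|$)/ || /^[[:space:]]/ { next }    # comment, blank, continuation
        NF > 1 { n = $1; gsub(/[[:space:]]/, "", n); if (!(n in have)) print n }
    ' "$1" "$2" | LC_ALL=C sort -u
}

# write_sample DIR: constructed passwd and aliases files for the demo.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
jed:x:500:500::/home/jed:/bin/bash
dave:x:501:501::/home/dave:/bin/bash
nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin
EOF
    cat > "$1/aliases" <<'EOF'
# constructed sample
postmaster: root
games: root
ingres: root
clue-admin: "|/usr/lib/mailman/mail/mailman post clue-admin"
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp"
real_users "$tmp/passwd" 500                 # write this to /etc/postfix/local_recipients
orphan_aliases "$tmp/passwd" "$tmp/aliases"  # candidates to review in the alias file
rm -rf "$tmp"
# Then: postmap hash:/etc/postfix/local_recipients, and in main.cf:
# local_recipient_maps = hash:/etc/postfix/local_recipients $alias_maps
```

Keeping $alias_maps in local_recipient_maps means anything still listed in the alias file is accepted, so only accounts that are both below the cutoff and unaliased get rejected at RCPT TO.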

