[SOLVED] how to map local addresses to FQDN addresses with postfix

sneakyimp · 08-01-2011, 04:37 AM

I'm hoping there's a postfix wiz out there who might spare a moment to help me sort a problem. I've got an Amazon EC2 instance with postfix set up to use Amazon SES for mail delivery (which is a total pain). The particular problem I'm having is that samhain (a security tool) cannot send its email notifications. Some important things about this configuration:
1) I don't want any mail at all being delivered to a mailbox on this machine. All mail destined for mydomain should be sent to Google Apps.
2) I DO want mail sent to 'root' or 'root@localhost' to be emailed to a real FQDN address, e.g., admin@mydomain.com
3) I don't want this machine accepting any remote mail connections via SMTP or otherwise.
4) Any email sent out to the internet from this machine must be sent via Amazon SES because Amazon puts all their EC2 IP addresses on a 'policy block list' -- in other words they don't really permit outgoing mail to be sent directly from these EC2 instances.

How can I make sure that mail sent from this server to root@localhost is sent to admin@mydomain.com?
Right now, with my current config (see below), sending mail to root@localhost gets an error. I use sendmail thusly:

Code:

$ sendmail -t
To: root@localhost
Subject: test email
Here is a test mail 
.

The mail log shows this error:

Code:

Aug  1 09:24:36 ip-10-100-237-252 postfix/error[32027]: 00EE97214B: to=<root@localhost.mydomain.com>, orig_to=<root@localhost>, relay=none, delay=20, delays=20/0.01/0/0.01, dsn=5.0.0, status=bounced (local delivery is disabled)

Interestingly, just sending mail to 'root' using sendmail results in mail being successfully delivered to root@mydomain.com:

Code:

$ sendmail -t
To: root
Subject: just 'root' my brutha
Testing mail from the server here.  This just send to 'root'.
.

HOWEVER, samhain somehow fails when I set 'root' as the target email address. From the samhain log:

Code:

ERROR  :  [2011-08-01T08:49:56+0000] msg=<Timeout on SMTP session init>, subroutine=<sh_mail_start_conn>, service=<mail>, host=<ip-WWW-XXX-YYY-ZZZ.ec2.internal>
F2C9747FC601DD241C1A6C1E4EB204F66551F01EADAE619F
ERROR  :  [2011-08-01T08:49:56+0000] msg=<Service failure>, service=<mail>, obj=<root>
2D4295AB3335E918BDD097884A103A04A37620285A5924B1

I'm hoping that I can solve this problem by altering my postfix configuration. Any emails sent to either "root", "root@localhost", or "root@mydomain.com" should all get sent out on the internet from this server to root@mydomain.com. I've been consulting the postfix docs and find them confusing. Here is some detail on my setup:

Code:

$ sudo postconf -n
config_directory = /etc/postfix
default_transport = aws-email
inet_interfaces = loopback-only
local_transport = error:local delivery is disabled
mydomain = mydomain.com
mynetworks_style = host
myorigin = $mydomain
relayhost = $mydomain
smtp_generic_maps = hash:/etc/postfix/generic
smtpd_banner = $myhostname ESMTP $mail_name

Note that I added aws-email to master.cf as described in the Amazon Docs.

Any help would be extremely welcome.

kbp · 08-01-2011, 06:44 AM

I'm not a wiz but I'll have a go, I have no experience with aws but here's a few suggestions (you may want to start with the default /etc/postfix/main.cf):-

To redirect mail for root:

Code:

perl -pi -e 's/.*root:.*/root:    user\@domain.tld/' /etc/aliases
newaliases

To prevent the host accepting mail from other hosts:

Code:

postconf -e "inet_interfaces = localhost"
service postfix restart

Forward all outbound email via a relay:

Code:

postconf -e "relayhost = [somehost.somedomain.tld]"
service postfix restart

To forward mail for a specific destination domain to a specific server:

Code:

postconf -e "transport_maps = hash:/etc/postfix/transport"
cat <'EOF' > /etc/postfix/transport
mydomain.tld           :[googleapps.server.google.com]
EOF
postmap /etc/postfix/transport
service postfix restart

I usually just restart postfix because some commands don't kick in with only a reload but I can never remember which ones

cheers

sneakyimp · 08-01-2011, 01:46 PM

Thanks for your post.

That first one sounds very promising for redirecting root. Could you explain to me what it does? Looks to me like you are putting some text in /etc/aliases but I'm not sure exactly what's going on there.

As for the second one, you can see from my original post that I have inet_interfaces set to "loopback-only". I wonder if this might be causing the problem with samhain trying to deliver mail to "root". The samhain error mentions SMTP so I can't help but wonder if samhain is trying to access some host via SMTP rather than using sendmail. I'm not sure of the difference between "localhost" and "loopback-only".

Your third item I think doesn't work all that well with the Amazon SES configuration as mail needs to be sent via Amazon SES which AFAIK is not an SMTP gateway. I have set this up and it's working properly for the most part and is set as the default delivery transport.

sneakyimp · 08-01-2011, 03:49 PM

OK so I tried adding some aliases to the file /etc/aliases. This has not helped. Adding root and postmaster aliases and mapping them to admin@mydomain.com doesn't really help -- this is working fine without the aliases table thanks to my smtp_generic_maps. Adding 'root@localhost' to the aliases file is rejected when I enter the newaliases command. Apparently the presence of "@localhost" causes a complaint. For example, here's my /etc/aliases file:

Code:

# See man 5 aliases for format
postmaster:     postmaster@mydomain.com
root:           root@mydomain.com
root@localhost: root@mydomain.com

When I run sudo newaliases then there's a complaint:

Code:

postalias: warning: /etc/aliases, line 7: name must be local

This is confusing as there are only 4 lines in my aliases file. There is no line 7. Removing the root@localhost entry eliminates the error, but I still have my problem getting mail delivered to root@localhost (see my original post).

This is probably due to a combination of settings that I have, in particular:

Code:

inet_interfaces = loopback-only
local_transport = error:local delivery is disabled

For some reason, root@localhost gets turned into root@localhost.myplan.com and then is rejected with the message "status=bounced (local delivery is disabled)". This is even more confusing because user "root" (which is OBVIOUSLY a local address) gets properly turned into root@mydomain.com and sent on its merry way and delivered successfully.

I find myself wondering if I need to set local_recipient_maps or have some different value for local_transport.

sneakyimp · 08-01-2011, 06:45 PM

RE suggestion #1: Tried this, does not solve the problem. Emails to "root" are delivered. Emails to "root@localhost" fail with "local delivery disabled" message. Interesting mail log appears to attempt delivery to root@localhost.mydomain.com

RE Suggestion #2: I believe setting inet_interfaces to loopback-only is the same thing as setting it to localhost, but am not sure. The docs are vague on this point.

RE Suggestion #3: As you can see from my original post, relayhost is set to mydomain.com.

RE Suggestion #4: I've been thinking hard about this and wondering if we could use the aws-email transport that I've defined in master.cf somehow. My thoughts are pretty muddled on this given the zillions of postfix configuration options, but I'm thinking the following:
a) emailing "root" results in successful delivery. Somehow postfix appends @mydomain.com to it and sends it on its merry way.
b) emailing "root@localhost" fails. Somehow postfix appends @mydomain.com to it and then FAILS it because "local delivery is disabled." Weird to me that root doesn't fail as local delivery and root@localhost does. WTF?
c) aliases does not permit remapping of anything with hostname or full domain.
d) I tried adding root@localhost.mydomain.com to /etc/postfix/generic with no luck
e) the mere presence of 'localhost' seems to trigger local delivery regardless of whether other FQDN aspects seem involved.
f) As part of my config effort for a null client, i commented out the 'local' transport in master.cf.

I hope someone might be able to chime in on this. I'm running out of trial and error options here...

sneakyimp · 08-04-2011, 03:18 PM

Ok so I visited the #postfix IRC chat on freenode and got a nudge in the right direction. The Postfix documentation on rewriting Proved very helpful.

To prevent delivery of any email at all to localhost, it was necessary to disable local transport. That is not enough, though. To tell postfix that this machine is not the destination for any mailboxes at all you must change main.cf so that mydestination has an empty value:

Code:

# in /etc/postfix/main.cf
# no quotes, nothing
mydestination =

This prevents postfix from trying to deliver anything using local transport because it tells postfix that there are NO DOMAINS local or otherwise that should use local transport.

The other issue was that root@localhost was becoming root@localhost.mydomain.com which could cause problems. Postfix offers a couple of values that let you rewrite domains. In particular, masquerade_domains and masquerade_classes. The former allows you to set rules to rewrite certain subdomains into other ones -- it's helpful for canonicalising domains, the cost being that you may prevent delivery to specific machines within the domain. The latter is required if you are to apply this rewriting not just to from addresses but also on to addresses. My settings:

Code:

masquerade_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
masquerade_domains = $mydomain

This appears to have solved the problems I was having.