[Dovecot] Why deliver+usercheck? deliver+MTA?

Jerry dovecot.user at seibercom.net
Thu Oct 14 00:15:41 EEST 2010


On Wed, 13 Oct 2010 22:42:15 +0200
Lukas Haase <lukashaase at gmx.at> articulated:

> On 13.10.2010 13:08, Daniel Luttermann wrote:
> > Lukas Haase wrote on 10/13/2010:
> > [...]
> > By default, Postfix rejects mails for unknown local users. If Postfix
> > accepts mails for unknown users then it's a configuration problem or
> > you don't maintain a list of valid users.
> 
> Yes, but I am talking about virtual users.
> 
> >> Is there a special reason why there is no discussion about this?
> >
> > It's Postfix related - Dovecot does no checks about valid recipients
> > for Postfix but you can use the same data sources as for Dovecot -
> > no need to maintain user lists for Postfix and Dovecot.
> 
> But *why* would you want to let dovecot (deliver) check this?
> 
> In any case the MTA *must* have validated the existence of the
> local part. I do not know any reason why deliver should do this.
> 
> And again: Both
> http://wiki.dovecot.org/LDA/Postfix
> http://wiki.dovecot.org/LDA/Exim
> 
> describe setups for virtual users. But none of these pages give a
> hint that the MTA needs to check the local part too.
> 
> > Because Postfix needs to check for valid recipients why should
> > there a special hint in the Dovecot Wiki about that?
> 
> Because if someone implements a system based on the WIKI above he
> builds up an insecure system (producing backscatter).
> 
> > You must first make sure
> > that Postfix works as expected - no other IMAP Server checks for
> > valid recipients.
> 
> Yes but no other IMAP server (but I only know Courier!) checks the 
> validity of the user in the LDA. maildrop for example does not.
> 
> >> However, as postfix seems to be really too inflexible I have set
> >> up exim to handle incoming mail and do the usercheck in the router
> >> (with an LDAP query). But now the user is double-checked: Once
> >> when receiving with exim and a second time in deliver. This is not
> >> necessary, so I guess I can disable the LDAP query for deliver and
> >> set up a static userdb.
> >
> > Why is Postfix inflexible? Use reject_unverified_recipient for
> > dynamic verification of valid recipients and there's no need to
> > maintain static files. You could also use an LDAP query to retrieve
> > a list of valid recipients before you accept the mail for
> > non-existing users.
> 
> Thank you! Does reject_unverified_recipient also work when the mail
> is passed to deliver as described in
> http://wiki.dovecot.org/LDA/Postfix "Virtual Users"? If this would be
> the case then this is exactly what I was looking for!
> 
> Until now I tried to use an LDAP query. But also deliver uses an LDAP 
> query to check the existence of the user. And this was my question if 
> both of them are necessary.
> 
> To the question why postfix is too inflexible: I found no way how to:
> 
> * Hook up *fully* virtual users with dovecot (using deliver) for
> domain example.com
> * Hook up mailing lists for domain example.com using mailman
> 
> The current setup uses system users and therefore this setup is no 
> problem. But now there are virtual users ...
> 
> >> Why does the Wiki recommend verifying with deliver when the user
> >> needs to be checked at the MTA anyway?
> >
> > Checking of valid recipients is a Postfix job so you can use
> > relay_recipient_maps, reject_unverified_sender or
> > virtual_mailbox_maps (depending on your configuration).
> >
> > Btw: what does the Wiki recommend? Weblink?
> 
> Yes of course, it is a postfix job. But also postfix jobs are
> described in the Wiki: http://wiki.dovecot.org/LDA/Postfix. And I
> think a small hint that the user must make sure that local parts are
> validated would be fine.

A discussion on the use of Postfix should be directed to its forum.
With that said, I use virtual users exclusively in conjunction with
Postfix, Dovecot and MySQL. You really need to look up how virtual
users are implemented in Postfix. For starters, you need these two
directives:

virtual_mailbox_domains = 
virtual_mailbox_maps = 

Your domains and users are listed there. Ask your question on the
Postfix forum and you should receive any assistance you desire,
assuming you still want any.

In any event, mail recipients, whether real or virtual, should be
ascertained by the MTA and not the LDA.

-- 
Jerry ✌
Dovecot.user at seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
Kramer's Law:
	You can never tell which way the train went by looking at the
tracks.
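
The following is an added example, not part of the original post or of the Postfix or Dovecot projects: a small audit that reads main.cf text and reports when virtual recipients would be accepted at SMTP time without a lookup, which is the condition that leaves rejection to the LDA and produces backscatter. The sample configurations, the domain and the map path are constructed placeholders.

```python
# Added example: audit main.cf text for SMTP-time checks of virtual recipients.

def parse_main_cf(text):
    """Parse Postfix main.cf syntax: 'name = value' lines, '#' comment lines,
    and continuation lines that start with whitespace."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_recipient_validation(text):
    """Return findings; an empty list means Postfix can reject unknown
    virtual recipients during the SMTP dialogue, before the LDA is involved."""
    p = parse_main_cf(text)
    restrictions = p.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    findings = []
    if p.get("virtual_mailbox_domains") and not p.get("virtual_mailbox_maps"):
        findings.append("virtual_mailbox_maps is empty: every address in "
                        "virtual_mailbox_domains is accepted at RCPT TO")
    # smtpd_reject_unlisted_recipient defaults to yes when not set.
    if (p.get("smtpd_reject_unlisted_recipient", "yes").lower() == "no"
            and "reject_unlisted_recipient" not in restrictions):
        findings.append("unlisted recipients are not rejected by smtpd")
    return findings

# Constructed sample configurations (domain and map path are placeholders).
WEAK = """\
virtual_mailbox_domains = example.com
virtual_transport = dovecot
"""
HARDENED = """\
virtual_mailbox_domains = example.com
# lookup table holding the same user list Dovecot uses
virtual_mailbox_maps =
    mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_recipient_validation(cfg) or "ok")
```

To audit a live system, pass the text of its main.cf to `audit_recipient_validation` in place of the constructed samples.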

