[Avcheck] postfix+cyrus+avcheck = virtual users problem

Michael Tokarev mjt@tls.msk.ru
Sat, 27 Apr 2002 17:30:22 +0400


[Replying on-list]

Ok.  As I see, you rely on fallback_transport for your cyrus users.
And that's the problem.  In fact, the whole configuration is quite
strange and not nice.

--
myhostname = host.example.com
mydomain = example.com
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, example.org
local_recipient_maps = $alias_maps unix:passwd.byname
virtual_maps = pgsql:/etc/postfix/pgsql_valiases
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_transport = lmtp:127.0.0.1
fallback_transport = lmtp:127.0.0.1
--

and your virtual addresses get rewritten to bare "username"
by pgsql -- If I got that correctly (there is no info in your
config about this). So:

original recipient is e.g. foo@virtual.example.com.  It gets rewritten
by virtual map to e.g. bar, that becomes bar@host.example.com.  Now
there is no such local user on your system, and this isn't an alias.
That is to say - it isn't in local_recipient_maps, so smtpd will reject
such an address in the first place if it is used.  Only cyrus has info
about this user.  Well, this is almost ok because your local cyrus
accounts are protected.  Hm.  Maybe I was wrong saying your config
isn't nice.  Well, let it be so.  But think: isn't that strange you
have both mailbox_transport and fallback_transport defined to the
same value?  For local delivery to cyrus, it *may* be *almost* ok
(but it may be better to just try local_transport=lmtp:127.0.0.1
instead or something like that).  But what about e.g. failed smtp
delivery to outside world?  Postfix will fall back to your
fallback_transport, and your cyrus may return "user unknown".  Errm... ;)

This issue, I think, should be discussed further on postfix-users.
I have no experience with cyrus.  Maybe it's better to NOT rewrite
your virtual domains to local accounts but use original addresses
(and original domains) in cyrus instead (hm, if you don't use virtual
delivery agent, virtual_mailbox_maps may be abused nicely here).

For your current situation, it is best to follow my suggestion:
set up your localhost's smtpd (reinjection point) so smtpd will not
try to look up whether user/address exists or not.  The problem is
that your smtpd assumes that bar@host.example.com does not exist
because it's not in local_recipient_maps (and this is good since
this way this address will not be used from outside -- something
like protecting your internal mailinglists, as in postfix FAQ),
but since internally such an address is used, and since it actually
works due to fallback_transport setting, your internal smtpd
should accept it.

            V do not use 1025!
localhost:10025 inet n - n - - smtpd
  -ocontent_filter=           -- obvious
  -olocal_recipient_maps=     -- stop looking for existence of local addresses
  -ovirtual_maps=             -- do not bother looking to virtual maps
  -osmtpd_recipient_restrictions=static:OK,reject -- do not waste CPU on UCE.

That is, second internal smtpd may be safely configured so it will
accept anything, with the assumption that anything going to it is
from the same mail system on the same host.

Regards,
 Michael.
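
The accept-anything listener above is only safe while it is bound to loopback. The following check is an added example, not part of the original message: it parses master.cf text and reports any smtpd listener that clears local_recipient_maps without a loopback bind address. The sample file, the 10026 entry and the function names are constructed for illustration.

```python
import shlex

# Constructed sample master.cf (not from the original post): the public smtpd,
# the loopback reinjection listener described above, and a deliberately
# mis-bound copy (10026) with no host part in its service name.
SAMPLE_MASTER_CF = """\
smtp      inet  n  -  n  -  -  smtpd
# reinjection point for the content filter
localhost:10025 inet n - n - - smtpd
  -o content_filter=
  -olocal_recipient_maps=
  -o virtual_maps=
10026     inet  n  -  n  -  -  smtpd
  -o content_filter=
  -o local_recipient_maps=
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

def parse_master_cf(text):
    """Yield (service, type, command, overrides) for each logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank lines and comments are skipped
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    for line in logical:
        fields = shlex.split(line)            # 7 fixed columns, then command + args
        overrides, args = {}, iter(fields[8:])
        for arg in args:
            if arg == "-o":                   # accept "-o name=value" and "-oname=value"
                arg = "-o" + next(args, "")
            if arg.startswith("-o") and "=" in arg:
                name, _, value = arg[2:].partition("=")
                overrides[name] = value
        yield fields[0], fields[1], fields[7], overrides

def exposed_open_listeners(text):
    """Return smtpd services that skip recipient lookup and are not loopback-bound."""
    findings = []
    for service, stype, command, ov in parse_master_cf(text):
        if stype == "inet" and command == "smtpd" and ov.get("local_recipient_maps") == "":
            # A bare port follows inet_interfaces, which is "all" in the config above.
            if service.rpartition(":")[0] not in LOOPBACK_HOSTS:
                findings.append(service)
    return findings
```
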