32

I have already re-read the docs on this as well as other posts here and this is still very unclear to me. I have been testing various things to understand the difference between alias_maps and virtual_alias_maps and I don't see the use of these 2 separate settings in postfix. This is what I found so far (Note - I am using postfix in the same server as my web server as null client to send emails only):

1) /etc/aliases file:

root: me@somedomain.com

When I add the above to the alias_maps, I noticed that some services like fail2ban are able to pick this and it sends root emails to the alias email addresses mentioned. However, I also noticed that some other services (like mail command) does not respect this and tries to send the email directly to root@mydomain.com which does not exist (I think its the postfix myorigin setting that is adding the @mydomain.com). To fix this I then added the virtual_alias_maps

2) /etc/postfix/virtual

root     me@someotherdomain.com

When the above is added, all services uses this virtual aliases email. I also noticed that once I add the above, even fail2ban begins to ignore my initial settings in /etc/aliases/ file and starts to follow the email address given in virtual file.

Now this has confused me even more -

  1. Why do we need /etc/aliases/ when having the email inside virtual aliases map seems to override it?

  2. What is the purpose of having these 2 separate aliases mapping and when do we decide when to use what?

  3. Why did fail2ban (which is configured to email to root@localhost) first follow email address given in alias_maps (/etc/aliases/) and later decides to ignore that once virtual_alias_maps was added?

  4. Why doesn't all services read email aliases mentioned in /etc/aliases and they only work when the email aliases are added in virtual alias map?

I have spend several hours since yesterday and still unsure. Can someone help me clear my confusion?

EDIT: This is the mail log when email is sent to root using mail root command. The aliases email for root is mentioned in /etc/aliases/. But mail does not work until I move this root aliases email from aliases_maps to virtual_aliases_maps

Log when root email alias is mentioned in /etc/aliases/:

Nov 14 16:39:27 Debian postfix/pickup[4339]: 0F12643432: uid=0 from=<root>

Nov 14 16:39:27 Debian postfix/cleanup[4495]: 0F12643432: message-id=<20141114110927.0F12643432@Debian.domainname.com>

Nov 14 16:39:27 Debian postfix/qmgr[4338]: 0F12643432: from=<root@domainname.com>, size=517, nrcpt=1 (queue active)

Nov 14 16:39:27 Debian postfix/error[4496]: 0F12643432: to=<root@domainname.com>, orig_to=<root>, relay=none, delay=0.04, delays=0.03/0/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to domainname.com[128.199.147.136]:25: Connection refused)

This is the log after the email aliases for root is moved from /etc/aliases/ to /etc/postfix/virtual where the email delivery is successful after the change:

Nov 14 16:44:58 Debian postfix/pickup[4545]: ADD9A43436: uid=0 from=<root>

Nov 14 16:44:58 Debian postfix/cleanup[4563]: ADD9A43436: message-id=<20141114111458.ADD9A43436@Debian.domainname.com>

Nov 14 16:44:58 Debian postfix/qmgr[4544]: ADD9A43436: from=<root@domainname.com>, size=453, nrcpt=1 (queue active)

Nov 14 16:45:00 Debian postfix/smtp[4551]: ADD9A43436: to=<admin@somesite.com>, orig_to=<root>, relay=somesite.com[108.160.157.120]:25, delay=1.9, delays=0.03/0/0.97/0.88, dsn=2.0.0, status=sent (250 OK id=1XpEqC-0002ry-9s)

Nov 14 16:45:00 Debian postfix/qmgr[4544]: ADD9A43436: removed
Neel
  • 1,421
  • 7
  • 21
  • 35
  • `I also noticed that some other services (like mail command) does not respect this` --> please show the maillog entry related to this condition – masegaloeh Nov 14 '14 at 10:00
  • @masegaloeh Have updated my post with the mail log – Neel Nov 14 '14 at 11:21

2 Answers2

49

Some background

Postfix inherited some features from older sendmail like milter and aliases. The file /etc/aliases is part of aliases inheritance and implemented by alias_maps. On the other side, postfix has virtual_maps/virtual_alias_maps for handle email aliasing. So what's the difference between them?

Parameter alias_maps

  • Used only for local(8) delivery

  • According to address class in postfix, email will delivery by local(8) if the recipient domain names are listed in the mydestination

  • The lookup input was only local parts from full email addres (e.g myuser from myuser@example.com). It discard domain parts of recipient.

  • The lookup result can contains one or more of the following:

    • email address: email will forwarded to email address
    • /file/name: email will be appended to /file/name
    • |command: mail piped to the command
    • :include:/file/name: include alias from /file/name

Parameter virtual_alias_maps

  • Used by virtual(5) delivery

  • Always invoked first time before any other address classes. It doesn't care whether the recipient domain was listed in mydestination, virtual_mailbox_domains or other places. It will override the address/alias defined in other places.

  • The lookup input has some format

    • user@domain: it will match user@domain literally

    • user: it will match user@site when site is equal to $myorigin, when site is listed in $mydestination, or when it is listed in $inet_interfaces or $proxy_interfaces. This functionality overlaps with functionality of the local aliases(5) database.

    • @domain: it will match any email intended for domain regardless of local parts

  • The lookup result must be

    • valid email address
    • user without domain. Postfix will append $myorigin if append_at_myorigin set yes

Why do we need /etc/aliases when having the email inside virtual aliases map seems to override it?

As you can see above, alias_maps(/etc/aliases) has some additional features (beside forwarding) like piping to command. In contrast with virtual_alias_maps that just forwards emails.

What is the purpose of having these 2 separate aliases mapping and when do we decide when to use what?

The alias_maps drawback is that you cannot differentiate if the original recipient has root@example.com or root@example.net. Both will be mapped to root entry in alias_maps. In other words, you can define different forwarding address with virtual_alias_maps.

Why did fail2ban (which is configured to email to root@localhost) first follow email address given in alias_maps (/etc/aliases/) and later decides to ignore that once virtual_alias_maps was added?

Before virtual_alias_maps added: root@localhost was aliased by alias_maps because localhost was listed in mydestination.

After virtual_alias_maps defined: The entry root (in virtual_alias_maps) doesn't have domain parts and localhost was listed in mydestination, so it will match root me@example.com.

Why doesn't all services read email aliases mentioned in /etc/aliases and they only work when the email aliases are added in virtual alias map?

Command mail root will send email to root. Because lacks of domain parts, postfix trivial-rewrite will append myorigin to domain parts. So, mail will be send to root@myorigin.

Before virtual_alias_maps added: Unfortunately, myorigin isn't listed in mydestination, so it won't be processed by alias_maps.

After virtual_alias_maps added: The entry root (in virtual_alias_maps) doesn't have domain parts and myorigin (obviously) same as myorigin, so it will match root me@example.com.

Community
  • 1
masegaloeh
  • 17,978
  • 9
  • 56
  • 104
1

  1. /etc/aliases is there primarily for local delivery, for example, mail to root from cron, etc, it's nice to keep your local aliases separate, virtual_alias_maps can also be used with SQL DBs, and so on.

  2. virtual_alias_maps is for when you have virtual users (and virtual domains), often that do not map to system users, but if you don't have virtual domains, and very few users, that sort of functionality may not be necessary.

  3. fail2ban doesn't care, it just submits email to the MTA.

  4. You need to be more specific, which services, how and where do they submit mail?

NickW
  • 10,183
  • 1
  • 18
  • 26
  • Thank you @NickW couple of things: (1) For No:4, mail command is one of the service that does this. I mean if /etc/aliases is primarily for local delivery to local users, shouldnt `mail root` command should actually fall under this category? Why isint this service considering the info in /etc/aliases when its a local delivery? (2) Considering these for my scenario, is it then a good practice to have the user aliases email addresses mentioned in both `/etc/aliases` as well as `virtual_alias_maps` so they work for everything? – Neel Nov 14 '14 at 11:35
  • 1
    1. Ok, the mail command should use `/etc/aliases` by default, a really stupid question, you did run `newaliases` after updating the file, right? 2. I would say that is overkill, if people will be receiving mail from the local machine, it would be worth configuring the scripts to use their proper email address, that way it will be routed through postfix, and delivered to the correct destination. – NickW Nov 14 '14 at 12:29
  • hi @NickW yes I did rebuilt aliases using `newaliases` after change. The only thing I can think for why its not using aliases is maybe due to the postfix setting that adds `@$domain_name` after the user and hence `virtual_alias_maps` is needed to redirect those emails. I read this in postfix docs and maybe thats why `mail` command to root is not working with `aliases`: http://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local Anyhow, thank you so much for helping me understand this better Nick. I really appreciate it.. :) – Neel Nov 14 '14 at 13:50
  • Glad to have helped :) – NickW Nov 14 '14 at 13:59