Supporting Virtual Domains

Postfix natively supports two styles of virtual domain hosting, with slightly different behaviors. The Postfix-style virtual domain has a unique namespace, meaning that you can have a sales@vdomain1.com and a sales@vdomain2.com. In Postfix-style virtual hosting, local alias maps and local user accounts are not visible in the virtual domain namespace. Postfix will also reject unknown user addresses for Postfix-style virtual domains.

Sendmail-style virtual domains expose local aliases, mailing lists, and local account names to virtual domains. The obvious downside to this is that if you have a sales alias defined for your normal non-virtual domain, it will be exposed as sales@vdomain1.com, sales@vdomain2.com, etc. if no sales address is defined in either of those virtual domains. That behavior is probably not what you intended.

To use Postfix-style virtual hosting, just add the virtual_maps entries defining the virtual domain like so:

/etc/postfix/main.cf:
  virtual_maps =
    hash:/etc/postfix/virtual_vdomain1-com
    hash:/etc/postfix/virtual_vdomain2-com

Then, create each virtual domain map. For Postfix-style maps you must list the virtual domain on the first line. It actually does not matter what is on the right side of the virtual domain on the first line, so the domain name is duplicated just out of habit. Then, you can list individual addresses and aliases.

/etc/postfix/virtual_vdomain1-com:
  vdomain1.com           vdomain1.com
  postmaster@vdomain1.com     address1
  user1@vdomain1.com        address1
  info@vdomain1.com        address2, address3

/etc/postfix/virtual_vdomain2-com:
  vdomain2.com           vdomain2.com
  postmaster@vdomain2.com     address11
  user1@vdomain2.com        address11
  info@vdomain2.com        address12, address13

After creating the maps, remember to convert them to database lookup tables using the postmap command.

Sendmail-style virtual domains require the domain to be listed in the mydestination parameter in main.cf; the domain itself should not be listed in the virtual map.

/etc/postfix/main.cf:
  mydestination = $myhostname, localhost.$mydomain, $mydomain
    vdomain1.com
    vdomain2.com
  virtual_maps =
    hash:/etc/postfix/virtual_vdomain1-com
    hash:/etc/postfix/virtual_vdomain2-com

The virtual maps are virtually identical, except the domain itself is not listed:

/etc/postfix/virtual_vdomain1-com:
  postmaster@vdomain1.com     address1
  user1@vdomain1.com        address1
  info@vdomain1.com        address2, address3

/etc/postfix/virtual_vdomain2-com:
  postmaster@vdomain2.com     address11
  user1@vdomain2.com        address11
  info@vdomain2.com        address12, address13

Each map must be converted from a text file to a database lookup table using the postmap command.
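
An added example (not from the original article): a short Python audit that reports which local aliases and account names would answer at a Sendmail-style virtual domain because the virtual map does not override them. The function names, the sample maps and the LOCAL_NAMES set are constructed for illustration.

```python
def parse_map(text):
    """Parse Postfix lookup-table source text into {key: value}."""
    entries, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and key is not None:
            entries[key] += " " + raw.strip()   # leading whitespace continues an entry
            continue
        parts = raw.split(None, 1)
        key = parts[0].lower()
        entries[key] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def exposed_local_names(local_names, domain, vmap):
    """Local names that answer at `domain` because no virtual entry overrides them."""
    domain = domain.lower()
    if domain in vmap:          # domain listed as a key: Postfix-style, locals hidden
        return []
    if "@" + domain in vmap:    # catch-all entry claims every address in the domain
        return []
    # virtual(5) lookup order: user@domain first, then bare user for local domains
    return sorted(n.lower() for n in local_names
                  if f"{n.lower()}@{domain}" not in vmap and n.lower() not in vmap)


# Constructed sample data (not taken from a real host)
SENDMAIL_STYLE = """\
# Sendmail-style map: no line for the domain itself
postmaster@vdomain1.com   address1
user1@vdomain1.com        address1
info@vdomain1.com         address2,
    address3
"""
POSTFIX_STYLE = """\
vdomain2.com              vdomain2.com
postmaster@vdomain2.com   address11
"""
LOCAL_NAMES = {"postmaster", "root", "sales", "info"}  # hypothetical aliases/accounts

if __name__ == "__main__":
    for dom, text in (("vdomain1.com", SENDMAIL_STYLE), ("vdomain2.com", POSTFIX_STYLE)):
        leaked = exposed_local_names(LOCAL_NAMES, dom, parse_map(text))
        print(dom, "exposes local names:", ", ".join(leaked) or "none")
```

Any name it reports for a Sendmail-style domain either needs an explicit entry in that domain's virtual map or is a reason to move the domain to Postfix-style hosting.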

Both the Postfix-style and Sendmail-style virtual domain handling rewrite only the recipient address, not the entire message header. Message header rewriting has two components: domain masquerading and canonical maps.

Domain masquerading is used to remove (and thus masquerade) subdomains such as east.domain.com. When an email addressed from user@east.domain.com leaves the mail server, the email headers get rewritten as user@domain.com. To enable domain masquerading, list each domain to be masqueraded in the masquerade_domains parameter.

masquerade_domains =
  domain.com

Address rewriting, in the form of login to First.Last, can be enabled through the use of canonical maps. Canonical maps essentially provide reverse-map functionality.

canonical_maps =
    hash:/etc/postfix/canonical_vdomain1-com

The contents of the canonical map file can be any of the following:

/etc/postfix/canonical_vdomain1-com:
  maryjo      mary.jo.bobbins
  dude       mr.big.vip
  mr.big.vip    vice.president
  vice.president  mary.jo.bobbins
  ceo        ricky.rat
  l33t-warez    software.development
  help       customer.support@vdomain2.com

Canonical address mapping is recursive, so when Mary Jo is promoted to CEO, only the vice.president and ceo mappings would need to be changed. Canonical address maps should not be confused with local aliases. Canonical address maps rewrite the addresses in both the message headers and the message envelope.
