Postfix Alias Maps – Understanding Alias Maps and Virtual Alias Maps in Postfix

aliasdebianemailpostfixsendmail

I have already re-read the docs on this as well as other posts here and this is still very unclear to me. I have been testing various things to understand the difference between alias_maps and virtual_alias_maps and I don't see the use of these 2 separate settings in postfix. This is what I found so far (Note – I am using postfix in the same server as my web server as null client to send emails only):

1) /etc/aliases file:

root: me@somedomain.com

When I add the above to the alias_maps, I noticed that some services like fail2ban are able to pick this and it sends root emails to the alias email addresses mentioned. However, I also noticed that some other services (like mail command) does not respect this and tries to send the email directly to root@mydomain.com which does not exist (I think its the postfix myorigin setting that is adding the @mydomain.com). To fix this I then added the virtual_alias_maps

2) /etc/postfix/virtual

root     me@someotherdomain.com

When the above is added, all services uses this virtual aliases email. I also noticed that once I add the above, even fail2ban begins to ignore my initial settings in /etc/aliases/ file and starts to follow the email address given in virtual file.

Now this has confused me even more –

  1. Why do we need /etc/aliases/ when having the email inside virtual aliases map seems to override it?

  2. What is the purpose of having these 2 separate aliases mapping and when do we decide when to use what?

  3. Why did fail2ban (which is configured to email to root@localhost) first follow email address given in alias_maps (/etc/aliases/) and later decides to ignore that once virtual_alias_maps was added?

  4. Why doesn't all services read email aliases mentioned in /etc/aliases and they only work when the email aliases are added in virtual alias map?

I have spend several hours since yesterday and still unsure. Can someone help me clear my confusion?

EDIT:
This is the mail log when email is sent to root using mail root command. The aliases email for root is mentioned in /etc/aliases/. But mail does not work until I move this root aliases email from aliases_maps to virtual_aliases_maps

Log when root email alias is mentioned in /etc/aliases/:

Nov 14 16:39:27 Debian postfix/pickup[4339]: 0F12643432: uid=0 from=<root>

Nov 14 16:39:27 Debian postfix/cleanup[4495]: 0F12643432: message-id=<20141114110927.0F12643432@Debian.domainname.com>

Nov 14 16:39:27 Debian postfix/qmgr[4338]: 0F12643432: from=<root@domainname.com>, size=517, nrcpt=1 (queue active)

Nov 14 16:39:27 Debian postfix/error[4496]: 0F12643432: to=<root@domainname.com>, orig_to=<root>, relay=none, delay=0.04, delays=0.03/0/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to domainname.com[128.199.147.136]:25: Connection refused)

This is the log after the email aliases for root is moved from /etc/aliases/ to /etc/postfix/virtual where the email delivery is successful after the change:

Nov 14 16:44:58 Debian postfix/pickup[4545]: ADD9A43436: uid=0 from=<root>

Nov 14 16:44:58 Debian postfix/cleanup[4563]: ADD9A43436: message-id=<20141114111458.ADD9A43436@Debian.domainname.com>

Nov 14 16:44:58 Debian postfix/qmgr[4544]: ADD9A43436: from=<root@domainname.com>, size=453, nrcpt=1 (queue active)

Nov 14 16:45:00 Debian postfix/smtp[4551]: ADD9A43436: to=<admin@somesite.com>, orig_to=<root>, relay=somesite.com[108.160.157.120]:25, delay=1.9, delays=0.03/0/0.97/0.88, dsn=2.0.0, status=sent (250 OK id=1XpEqC-0002ry-9s)

Nov 14 16:45:00 Debian postfix/qmgr[4544]: ADD9A43436: removed

Best Answer

Some background

Postfix inherited some features from older sendmail like milter and aliases. The file /etc/aliases is part of aliases inheritance and implemented by alias_maps. On the other side, postfix has virtual_maps/virtual_alias_maps for handle email aliasing. So what's the difference between them?

Parameter alias_maps

  • Used only for local(8) delivery

  • According to address class in postfix, email will delivery by local(8) if the recipient domain names are listed in the mydestination

  • The lookup input was only local parts from full email addres (e.g myuser from myuser@example.com). It discard domain parts of recipient.

  • The lookup result can contains one or more of the following:

    • email address: email will forwarded to email address
    • /file/name: email will be appended to /file/name
    • |command: mail piped to the command
    • :include:/file/name: include alias from /file/name

Parameter virtual_alias_maps

  • Used by virtual(5) delivery

  • Always invoked first time before any other address classes. It doesn't care whether the recipient domain was listed in mydestination, virtual_mailbox_domains or other places. It will override the address/alias defined in other places.

  • The lookup input has some format

    • user@domain: it will match user@domain literally

    • user: it will match user@site when site is equal to $myorigin, when site is listed in $mydestination, or when it is listed in $inet_interfaces or $proxy_interfaces. This functionality overlaps with functionality of the local aliases(5) database.

    • @domain: it will match any email intended for domain regardless of local parts

  • The lookup result must be

    • valid email address
    • user without domain. Postfix will append $myorigin if append_at_myorigin set yes

Why do we need /etc/aliases when having the email inside virtual aliases map seems to override it?

As you can see above, alias_maps(/etc/aliases) has some additional features (beside forwarding) like piping to command. In contrast with virtual_alias_maps that just forwards emails.

What is the purpose of having these 2 separate aliases mapping and when do we decide when to use what?

The alias_maps drawback is that you cannot differentiate if the original recipient has root@example.com or root@example.net. Both will be mapped to root entry in alias_maps. In other words, you can define different forwarding address with virtual_alias_maps.

Why did fail2ban (which is configured to email to root@localhost) first follow email address given in alias_maps (/etc/aliases/) and later decides to ignore that once virtual_alias_maps was added?

Before virtual_alias_maps added: root@localhost was aliased by alias_maps because localhost was listed in mydestination.

After virtual_alias_maps defined: The entry root (in virtual_alias_maps) doesn't have domain parts and localhost was listed in mydestination, so it will match root me@example.com.

Why doesn't all services read email aliases mentioned in /etc/aliases and they only work when the email aliases are added in virtual alias map?

Command mail root will send email to root. Because lacks of domain parts, postfix trivial-rewrite will append myorigin to domain parts. So, mail will be send to root@myorigin.

Before virtual_alias_maps added: Unfortunately, myorigin isn't listed in mydestination, so it won't be processed by alias_maps.

After virtual_alias_maps added: The entry root (in virtual_alias_maps) doesn't have domain parts and myorigin (obviously) same as myorigin, so it will match root me@example.com.

Related Topic