Home / server / Questions / 644306
Accepted
Neel
Asked: 2014-11-15 01:07:49 +0800 CST

Confused about alias_maps and virtual_alias_maps

  • 772

I have already re-read the docs on this as well as other posts here and this is still very unclear to me. I have been testing various things to understand the difference between alias_maps and virtual_alias_maps and I don't see the use of these 2 separate settings in postfix. This is what I found so far (Note - I am using postfix in the same server as my web server as null client to send emails only):

1) /etc/aliases file:

root: [email protected]

When I add the above to the alias_maps, I noticed that some services like fail2ban are able to pick this and it sends root emails to the alias email addresses mentioned. However, I also noticed that some other services (like mail command) does not respect this and tries to send the email directly to [email protected] which does not exist (I think its the postfix myorigin setting that is adding the @mydomain.com). To fix this I then added the virtual_alias_maps

2) /etc/postfix/virtual

root     [email protected]

When the above is added, all services uses this virtual aliases email. I also noticed that once I add the above, even fail2ban begins to ignore my initial settings in /etc/aliases/ file and starts to follow the email address given in virtual file.

Now this has confused me even more -

  1. Why do we need /etc/aliases/ when having the email inside virtual aliases map seems to override it?

  2. What is the purpose of having these 2 separate aliases mapping and when do we decide when to use what?

  3. Why did fail2ban (which is configured to email to root@localhost) first follow email address given in alias_maps (/etc/aliases/) and later decides to ignore that once virtual_alias_maps was added?

  4. Why doesn't all services read email aliases mentioned in /etc/aliases and they only work when the email aliases are added in virtual alias map?

I have spend several hours since yesterday and still unsure. Can someone help me clear my confusion?

EDIT: This is the mail log when email is sent to root using mail root command. The aliases email for root is mentioned in /etc/aliases/. But mail does not work until I move this root aliases email from aliases_maps to virtual_aliases_maps

Log when root email alias is mentioned in /etc/aliases/:

Nov 14 16:39:27 Debian postfix/pickup[4339]: 0F12643432: uid=0 from=<root>

Nov 14 16:39:27 Debian postfix/cleanup[4495]: 0F12643432: message-id=<[email protected]>

Nov 14 16:39:27 Debian postfix/qmgr[4338]: 0F12643432: from=<[email protected]>, size=517, nrcpt=1 (queue active)

Nov 14 16:39:27 Debian postfix/error[4496]: 0F12643432: to=<[email protected]>, orig_to=<root>, relay=none, delay=0.04, delays=0.03/0/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to domainname.com[128.199.147.136]:25: Connection refused)

This is the log after the email aliases for root is moved from /etc/aliases/ to /etc/postfix/virtual where the email delivery is successful after the change:

Nov 14 16:44:58 Debian postfix/pickup[4545]: ADD9A43436: uid=0 from=<root>

Nov 14 16:44:58 Debian postfix/cleanup[4563]: ADD9A43436: message-id=<[email protected]>

Nov 14 16:44:58 Debian postfix/qmgr[4544]: ADD9A43436: from=<[email protected]>, size=453, nrcpt=1 (queue active)

Nov 14 16:45:00 Debian postfix/smtp[4551]: ADD9A43436: to=<[email protected]>, orig_to=<root>, relay=somesite.com[108.160.157.120]:25, delay=1.9, delays=0.03/0/0.97/0.88, dsn=2.0.0, status=sent (250 OK id=1XpEqC-0002ry-9s)

Nov 14 16:45:00 Debian postfix/qmgr[4544]: ADD9A43436: removed
debian

2 Answers

  1. Best Answer

    Some background

    Postfix inherited some features from older sendmail like milter and aliases. The file /etc/aliases is part of aliases inheritance and implemented by alias_maps. On the other side, postfix has virtual_maps/virtual_alias_maps for handle email aliasing. So what's the difference between them?

    Parameter alias_maps

    • Used only for local(8) delivery

    • According to address class in postfix, email will delivery by local(8) if the recipient domain names are listed in the mydestination

    • The lookup input was only local parts from full email addres (e.g myuser from [email protected]). It discard domain parts of recipient.

    • The lookup result can contains one or more of the following:

      • email address: email will forwarded to email address
      • /file/name: email will be appended to /file/name
      • |command: mail piped to the command
      • :include:/file/name: include alias from /file/name

    Parameter virtual_alias_maps

    • Used by virtual(5) delivery

    • Always invoked first time before any other address classes. It doesn't care whether the recipient domain was listed in mydestination, virtual_mailbox_domains or other places. It will override the address/alias defined in other places.

    • The lookup input has some format

      • user@domain: it will match user@domain literally

      • user: it will match user@site when site is equal to $myorigin, when site is listed in $mydestination, or when it is listed in $inet_interfaces or $proxy_interfaces. This functionality overlaps with functionality of the local aliases(5) database.

      • @domain: it will match any email intended for domain regardless of local parts

    • The lookup result must be

      • valid email address
      • user without domain. Postfix will append $myorigin if append_at_myorigin set yes

    Why do we need /etc/aliases when having the email inside virtual aliases map seems to override it?

    As you can see above, alias_maps(/etc/aliases) has some additional features (beside forwarding) like piping to command. In contrast with virtual_alias_maps that just forwards emails.

    What is the purpose of having these 2 separate aliases mapping and when do we decide when to use what?

    The alias_maps drawback is that you cannot differentiate if the original recipient has [email protected] or [email protected]. Both will be mapped to root entry in alias_maps. In other words, you can define different forwarding address with virtual_alias_maps.

    Why did fail2ban (which is configured to email to root@localhost) first follow email address given in alias_maps (/etc/aliases/) and later decides to ignore that once virtual_alias_maps was added?

    Before virtual_alias_maps added: root@localhost was aliased by alias_maps because localhost was listed in mydestination.

    After virtual_alias_maps defined: The entry root (in virtual_alias_maps) doesn't have domain parts and localhost was listed in mydestination, so it will match root [email protected].

    Why doesn't all services read email aliases mentioned in /etc/aliases and they only work when the email aliases are added in virtual alias map?

    Command mail root will send email to root. Because lacks of domain parts, postfix trivial-rewrite will append myorigin to domain parts. So, mail will be send to root@myorigin.

    Before virtual_alias_maps added: Unfortunately, myorigin isn't listed in mydestination, so it won't be processed by alias_maps.

    After virtual_alias_maps added: The entry root (in virtual_alias_maps) doesn't have domain parts and myorigin (obviously) same as myorigin, so it will match root [email protected].

    • 49

    1. /etc/aliases is there primarily for local delivery, for example, mail to root from cron, etc, it's nice to keep your local aliases separate, virtual_alias_maps can also be used with SQL DBs, and so on.

    2. virtual_alias_maps is for when you have virtual users (and virtual domains), often that do not map to system users, but if you don't have virtual domains, and very few users, that sort of functionality may not be necessary.

    3. fail2ban doesn't care, it just submits email to the MTA.

    4. You need to be more specific, which services, how and where do they submit mail?

    • 1