Postfix "alias" to multiple outside server addresses

Problem: Create an alias that expands to several outside server email addresses.

Solution: Use a virtual file, with virtual_alias_domains set to empty and virtual_alias_maps pointing to your virtual file.

There are several very well written articles about how to do this and one of the best that I found was from https://datacadamia.com/marketing/email/postfix/virtual_aliasing.

Most of the articles – like the one I mentioned above – assume that your setup is such that you actually use virtual domains or that your virtual_alias_domains is set by default to empty. This is not always the case – at least with CentOS 7 and most likely with other Red Hat based distributions. You can lose part of your sanity and valuable time trying to figure out why the user is not found.

Example background

The aliases file defines info to be an alias for my local address, so when people send email to either info@example.(com|net) or info@default.com it reaches me instead. But in my case I want group@example.com, group@example.net and group@default.com to resolve to a group of external addresses, and I also want info@example.com to resolve to a group of external addresses.

/etc/postfix/main.cf

There are several settings that affect how your virtual file is interpreted. You can find them in the manual page. In my case I wanted to have four outside aliases inside my otherwise destination server.

mydestination = $myhostname, localhost.$mydomain, localhost, example.com, example.net, default.com, mail.default.com

To do what I want, we keep the $mydestination intact but we add two lines at the end of the configuration file:

virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains =

By leaving virtual_alias_domains blank, we tell Postfix that we don't actually use virtual domains but just want to use the outside destination aliases.

After changing the config-file we do a reload for the server.

/etc/postfix/virtual

Then we need the source aliases:

group my.name@gmail.com, friend@gmail.com, other.friend@gmail.com
info@example.com my.name@gmail.com, friend@gmail.com, other.friend@gmail.com

The syntax of the virtual file is described very well in the datacadamia article, but what this basically says is that all email whose username part is "group" will be sent to the three Gmail addresses, and only info@example.com is sent to the same three Gmail addresses. info@default.com and info@example.net are still resolved using /etc/aliases. As we are not using virtual_alias_domains, $myorigin is automatically appended to all aliases without the domain part. If we wanted group@default.com to resolve locally, we could have written two aliases like the first one, except adding @example.com and @example.net as domains after the group.
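The lookup behaviour described above, modelled in Python as an added example (not code from the original post or from Postfix); it follows the search order documented in virtual(5). MYORIGIN is an assumed value, and address extensions, recursive expansion and the $inet_interfaces match are left out.

```python
import re

# Local domains from the page's mydestination line ($myhostname and
# localhost.$mydomain are left out because the page does not give their values).
MYDESTINATION = {"localhost", "example.com", "example.net",
                 "default.com", "mail.default.com"}
MYORIGIN = "default.com"  # assumption: the page does not state $myorigin

# The page's /etc/postfix/virtual, embedded as sample input.
VIRTUAL = """\
group my.name@gmail.com, friend@gmail.com, other.friend@gmail.com
info@example.com my.name@gmail.com, friend@gmail.com, other.friend@gmail.com
"""

def parse_virtual(text):
    """Parse 'pattern address, address, ...' lines into {pattern: [addresses]}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, rhs = line.split(None, 1)
        table[key.lower()] = [a for a in re.split(r"[,\s]+", rhs) if a]
    return table

def virtual_lookup(rcpt, table, myorigin=MYORIGIN, mydestination=MYDESTINATION):
    """Return the expansion for rcpt, or None when no entry matches and the
    address is left for later stages such as /etc/aliases."""
    user, _, domain = rcpt.lower().rpartition("@")
    # Search order from virtual(5): user@domain first, then the bare user
    # (only for $myorigin / $mydestination domains), then the @domain catch-all.
    keys = [f"{user}@{domain}"]
    if domain == myorigin or domain in mydestination:
        keys.append(user)
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            out = []
            for addr in table[key]:
                if addr.startswith("@"):      # "@other" keeps the same user
                    addr = user + addr
                elif "@" not in addr:         # bare result gets @$myorigin
                    addr = f"{addr}@{myorigin}"
                out.append(addr)
            return out
    return None

if __name__ == "__main__":
    table = parse_virtual(VIRTUAL)
    for rcpt in ("group@default.com", "info@example.com", "info@example.net"):
        print(rcpt, "->", virtual_lookup(rcpt, table))
```

On a live server, `postmap -q info@example.com hash:/etc/postfix/virtual` queries the real table for a single literal key.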

After modifying the virtual file you need to run postconf against it, and I'm not actually sure whether you need to do postfix reload after that or whether postconf does that for you. I've never bothered to find out and I always do systemctl reload postfix after changing anything except /etc/aliases.

Caveat with Google

If you are like me, then "Shoemaker's children go barefoot" and you have made sure that all of the email servers you get paid one way or other to administer have SPF and in some cases DKIM enabled, but your own doesn't. And what is even worse, your meager means mean that your server is a virtual server on someone else's hardware and they own the reverse DNS IP. In such cases you might get hit by this:

relay=gmail-smtp-in.l.google.com[64.233.165.27]:25, delay=0.54, delays=0.06/0/0.05/0.43, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[64.233.165.27] said: 550-5.7.26 This mail is unauthenticated, which poses a security risk to the 550-5.7.26 sender and Gmail users, and has been blocked. The sender must 550-5.7.26 authenticate with at least one of SPF or DKIM. For this message, 550-5.7.26 DKIM checks did not pass and SPF check for….

Then I hope you can add an SPF record, which is a TXT record in your DNS zone. You could have something like this for example.com:

v=spf1 ip4:123.34.56.78/24 ip6:abcd:efab:1234:0:123a:a4bc:def5:67ab/64 a mx -all

as a TXT record. It says that email coming from either the given IPv4 or IPv6 address is valid, all addresses that translate to something.example.com are valid, and all servers listed as email servers – having MX records in the DNS for this domain – are accepted senders, but everyone else is not allowed to send email for us.
