
Is a late header check possible?

  • Titanus Eramius
    Message 1 of 28, Feb 7, 2013
      I'm running SpamAssassin as a content_filter on incoming mail which adds
      4 spam-headers, one of them being "X-Spam-Level:". The precise
      header varies, depending on the spamscore. SpamAssassin adds one "*" for
      each spampoint, so an example-header could be:

      X-Spam-Level: ********************

      I would like to have the ability to redirect mails with that header to
      an account where I can store them.

      So basically I *think* I'm asking if Postfix has a header_checks
      feature that runs after the content filters?

      Thanks

      titanus@ntdata:/etc/postfix$ sudo postconf -n

      (mail_version = 2.7.1)

      alias_maps = hash:/etc/aliases

      bounce_template_file = /etc/postfix/bounce.cf

      broken_sasl_auth_clients = yes

      config_directory = /etc/postfix

      delay_warning_time = 4

      disable_vrfy_command = yes

      inet_interfaces = all

      maximal_queue_lifetime = 15

      myhostname = ntdata.nt-data.dk

      mynetworks = 127.0.0.0/8

      recipient_canonical_classes = envelope_recipient

      recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
      tcp:127.0.0.1:10002

      relay_domains = proxy:mysql:/etc/postfix/relay_domains.cf

      relay_recipient_maps = proxy:mysql:/etc/postfix/relay_recipient_maps.cf

      sender_canonical_classes = envelope_sender

      sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
      tcp:127.0.0.1:10001

      smtp_tls_security_level = may

      smtp_tls_session_cache_database =
      btree:$data_directory/smtp_tls_session_cache

      smtpd_data_restrictions =
      reject_unauth_pipelining
      reject_multi_recipient_bounce
      permit

      smtpd_helo_required = yes

      smtpd_recipient_restrictions =
      reject_unauth_destination
      reject_non_fqdn_sender
      reject_non_fqdn_recipient
      reject_unknown_sender_domain
      reject_unknown_recipient_domain
      reject_rbl_client
      truncate.gbudb.net
      permit

      smtpd_sasl_auth_enable = yes

      smtpd_sasl_exceptions_networks = $mynetworks

      smtpd_sasl_path = private/auth

      smtpd_sasl_security_options = noanonymous

      smtpd_sasl_type = dovecot

      smtpd_tls_ask_ccert = yes

      smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt

      smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key

      smtpd_tls_loglevel = 1

      smtpd_tls_received_header = yes

      smtpd_tls_security_level = may

      smtpd_tls_session_cache_database =
      btree:$data_directory/smtpd_tls_session_cache

      tls_random_source = dev:/dev/urandom

      transport_maps = hash:/etc/postfix/transport.cf

      virtual_alias_maps =
      proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

      virtual_gid_maps = static:5000

      virtual_mailbox_base = /home/vmail

      virtual_mailbox_domains =
      proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf

      virtual_mailbox_maps =
      proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

      virtual_minimum_uid = 5000

      virtual_transport = dovecot

      virtual_uid_maps = static:5000
    • Noel Jones
      Message 2 of 28, Feb 7, 2013
        On 2/7/2013 8:58 AM, Titanus Eramius wrote:
        > I'm running SpamAssassin as a content_filter on incoming mail which adds
        > 4 spam-headers, one of them being "X-Spam-Level:". The precise
        > header varies, depending on the spamscore. SpamAssassin adds one "*" for
        > each spampoint, so an example-header could be:
        >
        > X-Spam-Level: ********************
        >
        > I would like to have the ability to redirect mails with that header to
        > an account where I can store them.
        >
        > So basically I *think* I'm asking if Postfix has a header_checks
        > feature that runs after the content filters?

        I'll assume your content_filter reinjects mail to localhost:10025
        after processing.

        Note: make sure your post-filter header checks don't ever reject
        mail. That would make you a backscatter source and get you blacklisted.

        The cleanest way to do this is a separate postfix instance (not just
        a master.cf listener service) that listens on 10025, with its own
        header_checks. This also gives the very nice benefit of separation
        between pre-filter and post-filter mail.
        http://www.postfix.org/MULTI_INSTANCE_README.html



        Alternately, you can do some master.cf gyrations. This is likely
        easier to set up, but more confusing long-term. Something like:

        # master.cf
        # existing reinjection listener
        127.0.0.1:10025 inet n - n - - smtpd
          ... existing stuff ...
          -o cleanup_service_name=cleanup_filter

        # copy of the existing cleanup service
        cleanup_filter unix n - n - 0 cleanup
          -o header_checks=pcre:/etc/postfix/header_checks_filter
          -o body_checks=

        and then put your after-filter checks in header_checks_filter.




        -- Noel Jones
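
Added example (not part of Noel Jones's post): a small Python linter for a post-filter table such as the header_checks_filter file named above. It flags REJECT actions, which after the filter would turn into bounces, and reports which action the first matching rule selects for a header. The table contents, the 10-star threshold, the address spamstore@example.com and all function names are constructed for this illustration, and Python's re module stands in for PCRE; if/endif blocks are not handled.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed table in header_checks(5) pcre syntax: /pattern/flags ACTION text
SAMPLE_TABLE = r"""
# header_checks_filter (constructed example, not from the thread)
/^X-Spam-Level: \*{10,}/   REDIRECT spamstore@example.com
/^X-Spam-Flag: YES/i       REJECT spam detected
/^X-Spam-Level: \*{5,}/
    HOLD review
"""

# After the content filter the sending client has already been told the mail
# was accepted, so a refusal here can only become a bounce to the sender.
BOUNCING_ACTIONS = {"REJECT"}


class Rule(NamedTuple):
    lineno: int
    regex: "re.Pattern"
    action: str
    text: str


def logical_lines(table: str):
    """Yield (lineno, text); skip blanks/comments, join continuation lines."""
    current = None
    for lineno, raw in enumerate(table.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current = (current[0], current[1] + " " + stripped)
            continue
        if current is not None:
            yield current
        current = (lineno, stripped)
    if current is not None:
        yield current


def parse_rule(lineno: int, line: str) -> Rule:
    """Split '/pattern/flags ACTION text' at the first unescaped delimiter."""
    delim, i = line[0], 1
    while i < len(line) and line[i] != delim:
        i += 2 if line[i] == "\\" else 1
    m = re.match(r"([A-Za-z]*)\s+(\S+)\s*(.*)$", line[i + 1:])
    if i >= len(line) or m is None:
        raise ValueError(f"line {lineno}: expected /pattern/flags ACTION")
    # pcre_table(5): matching is case-insensitive by default and each "i"
    # flag toggles that. Other flags are ignored in this illustration.
    ignore_case = m.group(1).count("i") % 2 == 0
    regex = re.compile(line[1:i], re.IGNORECASE if ignore_case else 0)
    return Rule(lineno, regex, m.group(2).upper(), m.group(3))


def parse_table(table: str) -> List[Rule]:
    return [parse_rule(n, text) for n, text in logical_lines(table)]


def lint_post_filter(rules: List[Rule]) -> List[Rule]:
    """Rules that must not appear in a check that runs after the filter."""
    return [r for r in rules if r.action in BOUNCING_ACTIONS]


def first_action(rules: List[Rule], header: str) -> Optional[Tuple[str, str]]:
    """Postfix stops at the first matching pattern; mimic that."""
    for rule in rules:
        if rule.regex.search(header):
            return rule.action, rule.text
    return None


if __name__ == "__main__":
    rules = parse_table(SAMPLE_TABLE)
    for bad in lint_post_filter(rules):
        print(f"line {bad.lineno}: {bad.action} after the filter causes backscatter")
    for hdr in ("X-Spam-Level: " + "*" * 20, "X-Spam-Level: ******", "X-Spam-Level: **"):
        print(f"{hdr!r} -> {first_action(rules, hdr)}")
```
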
      • Titanus Eramius
        Message 3 of 28, Feb 8, 2013
          Thu, 07 Feb 2013 10:03:32 -0600 Noel Jones
          <njones@...> wrote:

          > On 2/7/2013 8:58 AM, Titanus Eramius wrote:
          > > I'm running SpamAssassin as a content_filter on incoming mail which
          > > adds 4 spam-headers, one of them being "X-Spam-Level:". The precise
          > > header varies, depending on the spamscore. SpamAssassin adds one "*"
          > > for each spampoint, so an example-header could be:
          > >
          > > X-Spam-Level: ********************
          > >
          > > I would like to have the ability to redirect mails with that header
          > > to an account where I can store them.
          > >
          > > So basically I *think* I'm asking if Postfix has a header_checks
          > > feature that runs after the content filters?
          >
          > I'll assume your content_filter reinjects mail to localhost:10025
          > after processing.
          >
          > Note: make sure your post-filter header checks don't ever reject
          > mail. That would make you a backscatter source and get you
          > blacklisted.
          >
          > The cleanest way to do this is a separate postfix instance (not just
          > a master.cf listener service) that listens on 10025, with its own
          > header_checks. This also gives the very nice benefit of separation
          > between pre-filter and post-filter mail.
          > http://www.postfix.org/MULTI_INSTANCE_README.html

          Thank you for the reply Noel, it's very helpful as usual.

          The multi instance seems like the best solution, so I'll most likely go
          with that.
          And thanks for the warning.
        • Titanus Eramius
          Message 4 of 28, Feb 8, 2013
            Hi all

            Please note that the last time I asked about the behavior of Postfix it
            turned out I had misunderstood the concept of relaying mail. It might
            be the case again.

            I'm running the mailserver that serves this domain + a few others,
            the mailserver at ubuntudanmark.dk and the mailservers at nt-data.dk.

            So I'm running these servers, with this relation:
            mx01.aptget.dk <-- Not a backup MX
            mx01.ubuntudanmark.dk <-- Not a backup MX
            mx01.nt-data.dk <-- Backup MX for mx01.aptget.dk and
            mx01.ubuntudanmark.dk
            mx02.nt-data.dk <-- Backup MX for mx01.nt-data.dk

            The setup is entirely virtual, using MySQL to store aliases, addressees
            etc. The problem is, that *I think* the backup MX' can be used to
            spread backscatter. I routinely look at the Postfix logging, and found
            these entries yesterday from mx01.nt-data.dk:

            ---
            titanus@ntdata:/var/log$ grep "048341743609" mail.log.1

            Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
            from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>

            Feb 7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609:
            message-id=<GI63Z8-USKQ93-NH@...>

            Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609:
            from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>, size=5268,
            nrcpt=1 (queue active)

            Feb 7 22:12:48 ntdata postfix/smtp[30181]: 048341743609:
            to=<acer@...>,
            relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71,
            delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host
            mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1
            <acer@...>: Recipient address rejected: User unknown in
            virtual mailbox table (in reply to RCPT TO command))

            Feb 7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender
            non-delivery notification: B201D1743608

            Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: removed
            ---

            Then mx01.nt-data.dk tries to send a bounce to gmail:

            ---
            Feb 7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608:
            to=<jimmiedcu949@...>,
            orig_to=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>,
            relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4,
            delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host
            gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email
            account that you tried to reach does not exist. Please try 550-5.1.1
            double-checking the recipient's email address for typos or 550-5.1.1
            unnecessary spaces. Learn more at 550 5.1.1
            http://support.google.com/mail/bin/answer.py?answer=6596
            bc7si9536557lbb.184 - gsmtp (in reply to RCPT TO command))
            ---

            The address acer@... does not exist - Neither at
            mx01.nt-data.dk nor at mx01.ubuntudanmark.dk, so I would like
            mx01.nt-data.dk to reject messages to it. I've tried with other
            non-existent addresses through telnet, and mx01.nt-data.dk accepts them,
            as long as they are to one of the backup domains, and then bounces them
            (so currently they are disabled in the database).

            Following is postconf -n, the content of the 2 relay_* MySQL-files, and
            the structure of their database. If more is needed, then please let me
            know and I'll include it.

            Any pointers, examples or explanations will be appreciated. I've read
            in the documentation for virtual hosting and backup MX', but the answer
            seems to evade me.

            Thanks


            ntdata:/etc/postfix# postconf -n

            alias_maps = hash:/etc/aliases

            bounce_template_file = /etc/postfix/bounce.cf

            broken_sasl_auth_clients = yes

            config_directory = /etc/postfix

            delay_warning_time = 4

            disable_vrfy_command = yes

            inet_interfaces = all

            maximal_queue_lifetime = 15

            myhostname = ntdata.nt-data.dk

            mynetworks = 127.0.0.0/8

            recipient_canonical_classes = envelope_recipient

            recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
            tcp:127.0.0.1:10002

            relay_domains = proxy:mysql:/etc/postfix/relay_domains.cf

            relay_recipient_maps = proxy:mysql:/etc/postfix/relay_recipient_maps.cf

            sender_canonical_classes = envelope_sender

            sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
            tcp:127.0.0.1:10001

            smtp_tls_security_level = may

            smtp_tls_session_cache_database =
            btree:$data_directory/smtp_tls_session_cache

            smtpd_data_restrictions =
            reject_unauth_pipelining,
            reject_multi_recipient_bounce,
            permit

            smtpd_helo_required = yes

            smtpd_recipient_restrictions =
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            reject_rbl_client truncate.gbudb.net,
            reject_unauth_destination,
            permit

            smtpd_sasl_auth_enable = yes

            smtpd_sasl_exceptions_networks = $mynetworks

            smtpd_sasl_path = private/auth

            smtpd_sasl_security_options = noanonymous

            smtpd_sasl_type = dovecot

            smtpd_tls_ask_ccert = yes

            smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt

            smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key

            smtpd_tls_loglevel = 1

            smtpd_tls_received_header = yes

            smtpd_tls_security_level = may

            smtpd_tls_session_cache_database =
            btree:$data_directory/smtpd_tls_session_cache

            tls_random_source = dev:/dev/urandom

            transport_maps = hash:/etc/postfix/transport.cf

            virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf

            virtual_gid_maps = static:5000

            virtual_mailbox_base = /home/vmail

            virtual_mailbox_domains =
            proxy:mysql:/etc/postfix/virtual_domains_maps.cf

            virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf

            virtual_minimum_uid = 5000

            virtual_transport = dovecot

            virtual_uid_maps = static:5000


            ntdata:/etc/postfix# cat relay_domains.cf
            user = postfix
            password =
            dbname = postfix
            query = SELECT description FROM domain WHERE domain='%s' AND
            backupmx='1' AND active='1';

            ntdata:/etc/postfix# cat relay_recipient_maps.cf
            user = postfix
            password =
            dbname = postfix
            query = SELECT goto FROM alias WHERE address='%s' AND active='1';


            mysql> use postfix;
            mysql> desc domain;
            +-------------+--------------+------+-----+---------------------+------
            | Field       | Type         | Null | Key | Default             | Extra
            +-------------+--------------+------+-----+---------------------+------
            | domain      | varchar(255) | NO   | PRI | NULL                |
            | description | varchar(255) | NO   |     | NULL                |
            | aliases     | int(10)      | NO   |     | 0                   |
            | mailboxes   | int(10)      | NO   |     | 0                   |
            | maxquota    | bigint(20)   | NO   |     | 0                   |
            | quota       | bigint(20)   | NO   |     | 0                   |
            | transport   | varchar(255) | NO   |     | NULL                |
            | backupmx    | tinyint(1)   | NO   |     | 0                   |
            | created     | datetime     | NO   |     | 0000-00-00 00:00:00 |
            | modified    | datetime     | NO   |     | 0000-00-00 00:00:00 |
            | active      | tinyint(1)   | NO   |     | 1                   |
            +-------------+--------------+------+-----+---------------------+------

            mysql> desc alias;
            +----------+--------------+------+-----+---------------------+-------+
            | Field    | Type         | Null | Key | Default             | Extra |
            +----------+--------------+------+-----+---------------------+-------+
            | address  | varchar(255) | NO   | PRI | NULL                |       |
            | goto     | text         | NO   |     | NULL                |       |
            | domain   | varchar(255) | NO   | MUL | NULL                |       |
            | created  | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
            | modified | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
            | active   | tinyint(1)   | NO   |     | 1                   |       |
            +----------+--------------+------+-----+---------------------+-------+
          • /dev/rob0
            Message 5 of 28, Feb 8, 2013
              On Fri, Feb 08, 2013 at 04:06:57PM +0100, Titanus Eramius wrote:
              > Please note that the last time I asked about the behavior of Postfix it
              > turned out I had misunderstood the concept of relaying mail. It might
              > be the case again.
              >
              > I'm running the mailserver that serves this domain + a few others,
              > the mailserver at ubuntudanmark.dk and the mailservers at nt-data.dk.
              >
              > So I'm running these servers, with this relation:
              > mx01.aptget.dk <-- Not a backup MX
              > mx01.ubuntudanmark.dk <-- Not a backup MX
              > mx01.nt-data.dk <-- Backup MX for mx01.aptget.dk and
              > mx01.ubuntudanmark.dk
              > mx02.nt-data.dk <-- Backup MX for mx01.nt-data.dk
              >
              > The setup is entirely virtual, using MySQL to store aliases, addressees
              > etc. The problem is, that *I think* the backup MX' can be used to
              > spread backscatter. I routinely look at the Postfix logging, and found
              > these entries yesterday from mx01.nt-data.dk:
              >
              > ---
              > titanus@ntdata:/var/log$ grep "048341743609" mail.log.1
              >
              > Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
              > from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>

              pickup(8) picks up mail which was sent via sendmail(1). This is a
              local/system user's process (UID 5005, specifically) sending the
              mail. Your misunderstanding this time seems to be that you think it
              came from the network and could thus be rejected.

              If this seems to be some kind of abuse, it could be that something
              you're running on the server has been compromised; web/php scripts
              being the most common vector.

              > Feb 7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609:
              > message-id=<GI63Z8-USKQ93-NH@...>
              >
              > Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609:
              > from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>, size=5268,
              > nrcpt=1 (queue active)
              >
              > Feb 7 22:12:48 ntdata postfix/smtp[30181]: 048341743609:
              > to=<acer@...>,
              > relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71,
              > delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host
              > mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1
              > <acer@...>: Recipient address rejected: User unknown in
              > virtual mailbox table (in reply to RCPT TO command))
              >
              > Feb 7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender
              > non-delivery notification: B201D1743608
              >
              > Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: removed
              > ---
              >
              > Then mx01.nt-data.dk tries to send a bounce to gmail:
              >
              > ---
              > Feb 7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608:
              > to=<jimmiedcu949@...>,
              > orig_to=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>,

              Here you have virtually aliased this sender (now a bounce recipient)
              address to jimmiedcu949@....

              > relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4,
              > delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host
              > gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email
              > account that you tried to reach does not exist. Please try 550-5.1.1
              > double-checking the recipient's email address for typos or 550-5.1.1
              > unnecessary spaces. Learn more at 550 5.1.1
              > http://support.google.com/mail/bin/answer.py?answer=6596
              > bc7si9536557lbb.184 - gsmtp (in reply to RCPT TO command))
              > ---
              >
              > The address acer@... does not exist - Neither at
              > mx01.nt-data.dk nor at mx01.ubuntudanmark.dk, so I would like
              > mx01.nt-data.dk to reject messages to it. I've tried with other
              > non-existent addresses through telnet, and mx01.nt-data.dk accepts them,
              > as long as they are to one of the backup domains, and then bounces them
              > (so currently they are disabled in the database).

              There is no possible mechanism within Postfix to reject mail
              submitted via the sendmail command.

              > Following is postconf -n, the content of the 2 relay_* MySQL-files, and
              > the structure of their database. If more is needed, then please let me
              > know and I'll include it.
              >
              > Any pointers, examples or explanations will be appreciated. I've read
              > in the documentation for virtual hosting and backup MX', but the answer
              > seems to evade me.

              FWIW, generally a backup MX is a bad idea. Why did you want it?

              [snip]
              --
              http://rob0.nodns4.us/ -- system administration and consulting
              Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
            • Titanus Eramius
              Message 6 of 28, Feb 8, 2013
                Fri, 8 Feb 2013 09:45:07 -0600 /dev/rob0 <rob0@...> wrote:

                snip
                > > ---
                > > titanus@ntdata:/var/log$ grep "048341743609" mail.log.1
                > >
                > > Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
                > > from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>
                >
                > pickup(8) picks up mail which was sent via sendmail(1). This is a
                > local/system user's process (UID 5005, specifically) sending the
                > mail. Your misunderstanding this time seems to be that you think it
                > came from the network and could thus be rejected.
                >
                > If this seems to be some kind of abuse, it could be that something
                > you're running on the server has been compromised; web/php scripts
                > being the most common vector.

                I'm sorry, UID 5005 is SpamAssassin. The grep-command didn't get all
                the lines, so here they are:
                ---
                Feb 7 22:12:46 ntdata postfix/smtpd[30171]: connect from
                c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]

                Feb 7 22:12:47 ntdata postfix/smtpd[30171]: 39E441743607:
                client=c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]

                Feb 7 22:12:47 ntdata postfix/cleanup[30176]: 39E441743607:
                message-id=<GI63Z8-USKQ93-NH@...>

                Feb 7 22:12:47 ntdata postfix/qmgr[20252]: 39E441743607:
                from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>, size=2182,
                nrcpt=1 (queue active)

                Feb 7 22:12:47 ntdata spamd[6887]: spamd: connection from
                localhost.localdomain [127.0.0.1] at port 58896

                Feb 7 22:12:47 ntdata spamd[6887]: spamd: processing message
                <GI63Z8-USKQ93-NH@...> for
                acer@...:5005

                Feb 7 22:12:47 ntdata postfix/smtpd[30171]:
                disconnect from c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]

                Feb 7 22:12:48 ntdata spamd[6887]: spamd: identified spam (11.6/5.0)
                for acer@...:5005 in 0.4 seconds, 2200 bytes.

                Feb 7 22:12:48 ntdata spamd[6887]: spamd: result: Y 11 -
                FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_DYNAMIC,SPF_FAIL
                scantime=0.4,size=2200,user=acer@...,uid=5005,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=58896,mid=<GI63Z8-USKQ93-NH@...>,autolearn=no

                Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
                from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>

                Feb 7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607:
                to=<acer@...>, relay=spamassassin, delay=0.95,
                delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via
                spamassassin service)

                Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 39E441743607: removed

                Feb 7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609:
                message-id=<GI63Z8-USKQ93-NH@...>

                Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609:
                from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>, size=5268,
                nrcpt=1 (queue active)

                Feb 7 22:12:48 ntdata spamd[6886]: prefork: child states: II

                Feb 7 22:12:48 ntdata postfix/smtp[30181]: certificate verification
                failed for mx01.ubuntudanmark.dk[31.192.231.5]:25: self-signed
                certificate

                Feb 7 22:12:48 ntdata postfix/smtp[30181]: 048341743609:
                to=<acer@...>,
                relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71,
                delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host
                mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1
                <acer@...>: Recipient address rejected: User unknown in
                virtual mailbox table (in reply to RCPT TO command))

                Feb 7 22:12:48 ntdata postfix/cleanup[30176]: B201D1743608:
                message-id=<20130207211248.B201D1743608@...-data.dk>

                Feb 7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender
                non-delivery notification: B201D1743608

                Feb 7 22:12:48 ntdata postfix/qmgr[20252]: B201D1743608: from=<>,
                size=7699, nrcpt=1 (queue active)

                Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: removed

                Feb 7 22:12:49 ntdata postfix/smtp[30183]: certificate verification
                failed for gmail-smtp-in.l.google.com[173.194.71.26]:25: untrusted
                issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

                Feb 7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608:
                to=<jimmiedcu949@...>,
                orig_to=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>,
                relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4,
                delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host
                gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email
                account that you tried to reach does not exist. Please try 550-5.1.1
                double-checking the recipient's email address for typos or 550-5.1.1
                unnecessary spaces. Learn more at 550 5.1.1
                http://support.google.com/mail/bin/answer.py?answer=6596
                bc7si9536557lbb.184 - gsmtp (in reply to RCPT TO command))

                Feb 7 22:12:52 ntdata postfix/qmgr[20252]: B201D1743608: removed
                ---

                snip

                >
                > FWIW, generally a backup MX is a bad idea. Why did you want it?
                >
                > [snip]

                Yeah, I start to see why. nt-data is my (soon to be) hosting company,
                and when handling other people's mail, I think it's wise to have some
                sort of a backup system in place.

                I've been searching high and low for alternatives, but short of setting
                something fancy up there don't seem to be any.

                Thank you for the reply.
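
Added example, not part of the post above: the first grep in the thread followed a single queue ID and so missed the lines logged before SpamAssassin handed the message back through sendmail, where it received a new queue ID. This Python script links the queue IDs through the shared message-id and reports mail that arrived from the network and ended in a bounce generated by this host. The log lines are constructed (modelled on the thread, with placeholder hosts and addresses plus one normally delivered message), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on the excerpts in the thread. The first three
# queue IDs follow the thread; hosts, addresses and IPs are placeholders.
SAMPLE_LOG = """\
Feb  7 22:12:47 mx postfix/smtpd[30171]: 39E441743607: client=host.example.net[192.0.2.10]
Feb  7 22:12:47 mx postfix/cleanup[30176]: 39E441743607: message-id=<GI63Z8@example.net>
Feb  7 22:12:47 mx postfix/qmgr[20252]: 39E441743607: from=<forged@example.org>, size=2182, nrcpt=1 (queue active)
Feb  7 22:12:48 mx postfix/pickup[24843]: 048341743609: uid=5005 from=<forged@example.org>
Feb  7 22:12:48 mx postfix/pipe[30177]: 39E441743607: to=<nouser@example.com>, relay=spamassassin, dsn=2.0.0, status=sent (delivered via spamassassin service)
Feb  7 22:12:48 mx postfix/cleanup[30176]: 048341743609: message-id=<GI63Z8@example.net>
Feb  7 22:12:48 mx postfix/smtp[30181]: 048341743609: to=<nouser@example.com>, relay=mx01.example.com[198.51.100.5]:25, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)
Feb  7 22:12:48 mx postfix/bounce[30182]: 048341743609: sender non-delivery notification: B201D1743608
Feb  7 22:12:48 mx postfix/qmgr[20252]: B201D1743608: from=<>, size=7699, nrcpt=1 (queue active)
Feb  7 22:12:52 mx postfix/smtp[30183]: B201D1743608: to=<forged@example.org>, relay=mail.example.org[203.0.113.26]:25, dsn=5.1.1, status=bounced (host said: 550 5.1.1 no such user)
Feb  7 22:20:01 mx postfix/smtpd[30201]: 5F0A11743610: client=mail.example.net[192.0.2.20]
Feb  7 22:20:01 mx postfix/cleanup[30176]: 5F0A11743610: message-id=<ok-1@example.net>
Feb  7 22:20:02 mx postfix/pickup[24843]: 7C3B21743611: uid=5005 from=<alice@example.net>
Feb  7 22:20:02 mx postfix/cleanup[30176]: 7C3B21743611: message-id=<ok-1@example.net>
Feb  7 22:20:02 mx postfix/smtp[30181]: 7C3B21743611: to=<bob@example.com>, relay=mx01.example.com[198.51.100.5]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

LINE_RE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")


def parse_log(text):
    """Collect per-queue-ID facts from Postfix log lines."""
    queues = defaultdict(lambda: {"client": None, "uid": None, "msgid": None,
                                  "deliveries": [], "dsn_qid": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        q, svc, rest = queues[m["qid"]], m["svc"], m["rest"]
        if svc == "smtpd" and rest.startswith("client="):
            q["client"] = rest[len("client="):]      # arrived from the network
        elif svc == "pickup" and rest.startswith("uid="):
            q["uid"] = int(rest[4:].split()[0])       # submitted locally via sendmail(1)
        elif svc == "cleanup" and rest.startswith("message-id="):
            q["msgid"] = rest[len("message-id="):]
        elif svc == "bounce":
            child = re.search(r"non-delivery notification: ([0-9A-F]+)", rest)
            if child:
                q["dsn_qid"] = child.group(1)         # queue ID of the bounce message
        else:
            d = re.match(r"to=<([^>]*)>.*\bstatus=(\w+)", rest)
            if d:
                q["deliveries"].append((d.group(1), d.group(2)))
    return dict(queues)


def find_backscatter(queues):
    """Link network origin -> sendmail reinjection -> bounce sent by this host."""
    by_msgid = defaultdict(list)
    for qid, q in queues.items():
        if q["msgid"]:
            by_msgid[q["msgid"]].append(qid)
    findings = []
    for msgid, qids in by_msgid.items():
        origin = next((i for i in qids if queues[i]["client"]), None)
        for qid in qids:
            q = queues[qid]
            if origin is None or q["uid"] is None or q["dsn_qid"] is None:
                continue
            dsn = queues.get(q["dsn_qid"], {"deliveries": []})
            findings.append({
                "message_id": msgid,
                "origin_qid": origin,
                "client": queues[origin]["client"],
                "reinjected_qid": qid,
                "uid": q["uid"],
                "failed_rcpts": [to for to, st in q["deliveries"] if st == "bounced"],
                "dsn_qid": q["dsn_qid"],
                "dsn_rcpts": [to for to, _ in dsn["deliveries"]],
            })
    return findings


if __name__ == "__main__":
    for f in find_backscatter(parse_log(SAMPLE_LOG)):
        print(f"{f['origin_qid']} from {f['client']} -> {f['reinjected_qid']} "
              f"(uid {f['uid']}) bounced for {f['failed_rcpts']}; "
              f"DSN {f['dsn_qid']} sent to {f['dsn_rcpts']}")
```
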
              • Jeroen Geilman
                Message 7 of 28, Feb 8, 2013
                  On 02/08/2013 06:02 PM, Titanus Eramius wrote:

                  > Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
                  > from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>

                  So you are...not re-injecting spamassassin traffic, but instead
                  re-submitting it via sendmail ?
                  That's weird.

                  > Feb 7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607:
                  > to=<acer@...>, relay=spamassassin, delay=0.95,
                  > delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via
                  > spamassassin service)

                  THIS is a send to spamassassin, but delayed in logging for almost a second.

                  It looks very much as if you're doing in-line spamassassin checks, but
                  then not re-injecting it via SMTP.

                  Why are you doing such a strange thing ?


                  --
                  J.
                • Titanus Eramius
                  Message 8 of 28, Feb 9, 2013
                    Fri, 08 Feb 2013 21:54:02 +0100 Jeroen Geilman <jeroen@...> wrote:

                    > On 02/08/2013 06:02 PM, Titanus Eramius wrote:
                    >
                    > > Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
                    > > from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>
                    >
                    > So you are...not re-injecting spamassassin traffic, but instead
                    > re-submitting it via sendmail ?
                    > That's weird.
                    >
                    > > Feb 7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607:
                    > > to=<acer@...>, relay=spamassassin, delay=0.95,
                    > > delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via
                    > > spamassassin service)
                    >
                    > THIS is a send to spamassassin, but delayed in logging for almost a
                    > second.
                    >
                    > It looks very much as if you're doing in-line spamassassin checks,
                    > but then not re-injecting it via SMTP.
                    >
                    > Why are you doing such a strange thing ?
                    >

                    To be honest I've read quite a lot about Postfix, Dovecot, SA ... , but
                    my experience is very limited and contained to about 3 months of
                    running time.

                    So SA is integrated as I found best after reading docs and guides, and
                    it's more than likely it can be done in a better way. Normally though,
                    the running time of SA is around ~200ms per text-mail.

                    It's integrated as a content_filter on smtp like so:
                    smtp inet n - - - - smtpd -o content_filter=spamassassin

                    And then on its own lines:
                    spamassassin unix - n n - - pipe
                    flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain}
                    -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

                    The sendmail-method seems to be preferred by the SA-folks
                    https://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix

                    All of those examples use sendmail. But again, in relation to Postfix,
                    it might very well be possible to integrate SA in a better way. Maybe
                    the method suggested by the docs on content_filters?
                    http://www.postfix.org/FILTER_README.html#advanced_filter
                  • James Griffin
                    Message 9 of 28 , Feb 9, 2013
                      --> Titanus Eramius <titanus@...> [2013-02-09 12:23:38 +0100]:

                      > All of those examples use sendmail. But again, in relation to Postfix,
                      > it might very well be possible to integrate SA in a better way. Maybe
                      > the method suggested by the docs on content_filters?
                      > http://www.postfix.org/FILTER_README.html#advanced_filter

                      Integrating SA with amavisd-new is a better approach IMO. You might
                      consider that in your setup?

                      --
                      Primary Key: 4096R/1D31DC38 2011-12-03
                      Key Fingerprint: A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
                    • Noel Jones
                      Message 10 of 28 , Feb 9, 2013
                        On 2/9/2013 5:23 AM, Titanus Eramius wrote:
                        > Fri, 08 Feb 2013 21:54:02 +0100 Jeroen Geilman <jeroen@...> wrote:
                        >
                        >> On 02/08/2013 06:02 PM, Titanus Eramius wrote:
                        >>
                        >>> Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
                        >>> from=<SRS0=3u76=L7=gmail.com=jimmiedcu949@...>
                        >>
                        >> So you are...not re-injecting spamassassin traffic, but instead
                        >> re-submitting it via sendmail ?
                        >> That's weird.
                        >>
                        >>> Feb 7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607:
                        >>> to=<acer@...>, relay=spamassassin, delay=0.95,
                        >>> delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via
                        >>> spamassassin service)
                        >>
                        >> THIS is a send to spamassassin, but delayed in logging for almost a
                        >> second.
                        >>
                        >> It looks very much as if you're doing in-line spamassassin checks,
                        >> but then not re-injecting it via SMTP.
                        >>
                        >> Why are you doing such a strange thing ?
                        >>
                        >
                        > To be honest I've read quite a lot about Postfix, Dovecot, SA ... , but
                        > my experience is very limited and contained to about 3 months of
                        > running time.
                        >
                        > So SA is integrated as I found best after reading docs and guides, and
                        > it's more than likely it can be done in a better way. Normally though,
                        > the running time of SA is around ~200ms per text-mail.
                        >
                        > It's integrated as a content_filter on smtp like so:
                        > smtp inet n - - - - smtpd -o content_filter=spamassassin
                        >
                        > And then on its own lines:
                        > spamassassin unix - n n - - pipe
                        > flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain}
                        > -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
                        >
                        > The sendmail-method seems to be preferred by the SA-folks
                        > https://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix
                        >
                        > All of those examples use sendmail. But again, in relation to Postfix,
                        > it might very well be possible to integrate SA in a better way.

                        Nothing wrong with this setup. It's very easy to configure,
                        requires no third-party software or additional packages, and it's
                        easy to understand where your mail goes. I expect that's why it's
                        used as an example on the spamassassin wiki, and doesn't necessarily
                        mean it's the recommended or preferred method.

                        It's not necessarily the highest performance or the most flexible,
                        but if it suits your needs, no need to change.

                        Folks who need more usually pick some third-party filtering software
                        that can run pre-queue as an smtpd_proxy_filter or milter. These
                        are, without exception, more complicated than the setup you
                        currently have. The big advantage of a pre-queue filter is you can
                        safely REJECT unwanted mail.

                        Amavisd-new is a popular choice for pre-queue filtering since it's
                        fast, reliable, flexible, and can integrate both SpamAssassin and
                        antivirus.


                        -- Noel Jones
                      • Titanus Eramius
                        Message 11 of 28 , Feb 16, 2013
                          Sat, 09 Feb 2013 10:25:31 -0600 Noel Jones wrote
                          <njones@...>:

                          ...

                          > Nothing wrong with this setup. It's very easy to configure,
                          > requires no third-party software or additional packages, and it's
                          > easy to understand where your mail goes. I expect that's why it's
                          > used as an example on the spamassassin wiki, and doesn't necessarily
                          > mean it's the recommended or preferred method.
                          >
                          > It's not necessarily the highest performance or the most flexible,
                          > but if it suits your needs, no need to change.
                          >
                          > Folks who need more usually pick some third-party filtering software
                          > that can run pre-queue as an smtpd_proxy_filter or milter. These
                          > are, without exception, more complicated than the setup you
                          > currently have. The big advantage of a pre-queue filter is you can
                          > safely REJECT unwanted mail.
                          >
                          > Amavisd-new is a popular choice for pre-queue filtering since it's
                          > fast, reliable, flexible, and can integrate both SpamAssassin and
                          > antivirus.
                          >
                          >
                          > -- Noel Jones

                          Sorry for the late response, it took some time to dig through all the
                          information. The use of pre-queue filtering would solve another problem
                          I've been working on: What to do with mail from (user)blacklisted
                          senders.

                          I plan on upgrading Debian's stable Postfix to the current stable
                          version of 2.10 so I may benefit from postscreen, and that will
                          probably be a good time to install amavisd-new as a pre-queue filter.

                          Thank you for the help once again.
                        • DTNX Postmaster
                          Message 12 of 28 , Feb 16, 2013
                            On Feb 16, 2013, at 12:18, Titanus Eramius <titanus@...> wrote:

                            > I plan on upgrading Debian's stable Postfix to the current stable
                            > version of 2.10 so I may benefit from postscreen, and that will
                            > probably be a good time to install amavisd-new as a pre-queue filter.
                            >
                            > Thank you for the help once again.

                            A possible shortcut to getting postscreen is using the 2.9.3 version
                            available in the Debian backports repository. That's what we currently
                            use, instead of building custom packages.

                            HTH,
                            Jona
                          • Titanus Eramius
                            Message 13 of 28 , Feb 16, 2013
                              Sat, 16 Feb 2013 12:39:24 +0100 DTNX Postmaster wrote
                              <postmaster@...>:

                              > On Feb 16, 2013, at 12:18, Titanus Eramius <titanus@...> wrote:
                              >
                              > > I plan on upgrading Debian's stable Postfix to the current stable
                              > > version of 2.10 so I may benefit from postscreen, and that will
                              > > probably be a good time to install amavisd-new as a pre-queue
                              > > filter.
                              > >
                              > > Thank you for the help once again.
                              >
                              > A possible shortcut to getting postscreen is using the 2.9.3 version
                              > available in the Debian backports repository. That's what we
                              > currently use, instead of building custom packages.
                              >
                              > HTH,
                              > Jona
                              >

                              Thank you for pointing the obvious out.
                              I don't know why I didn't think of backports, but I will surely be
                              using 2.9.3 from there instead of building from source.
                            • Titanus Eramius
                              Message 14 of 28 , Feb 19, 2013
                                Thinking about this, I might have been too specific in my question.

                                At the fundamental level I would like to have 2 or more Postfix servers
                                capable of receiving virtual mail for multiple domains, where one of
                                the servers also handles relaying and local delivery. The rest should
                                function as backup MX.

                                I've tried with relay_domains, but it matches on domain-level which is
                                too much. I then applied relay_recipient_maps, but it doesn't seem to
                                have any effect, which means that addresses are still matched on domain
                                basis.

                                Every Postfix will have access to a complete list of recipients
                                through MySQL.

                                So the question becomes two-part:
                                Why can't I get relay_recipient_maps to work?

                                How would you recommend to set up a backup MX?
                                One obvious way is not to do it, but some of the mail is not mine,
                                which is why I at least would like the option to run a backup MX.
                              • Viktor Dukhovni
                                Message 15 of 28 , Feb 19, 2013
                                  On Tue, Feb 19, 2013 at 12:21:35PM +0100, Titanus Eramius wrote:

                                  > I've tried with relay_domains, but it matches on domain-level which is
                                  > too much. I then applied relay_recipient_maps, but it doesn't seem to
                                  > have any effect, which means that addresses are still matched on domain
                                  > basis.
                                  >
                                  > Every Postfix will have access to a complete list of recipients
                                  > through MySQL.
                                  >
                                  > So the question becomes two-part:
                                  > Why can't I get relay_recipient_maps to work?

                                  http://www.postfix.org/DEBUG_README.html#mail
                                  http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

                                  Wildcard entries in canonical_maps and virtual_alias_maps are the
                                  most common reason for recipient validation failing to distinguish
                                  between valid and invalid recipients.

                                  --
                                  Viktor.
                                • Titanus Eramius
                                  Message 16 of 28 , Mar 22, 2013
                                    Tue, 19 Feb 2013 16:31:05 +0000 Viktor Dukhovni wrote
                                    <postfix-users@...>:

                                    > On Tue, Feb 19, 2013 at 12:21:35PM +0100, Titanus Eramius wrote:
                                    >
                                    > > I've tried with relay_domains, but it matches on domain-level which
                                    > > is too much. I then applied relay_recipient_maps, but it doesn't seem
                                    > > to have any effect, which means that addresses are still matched on
                                    > > domain basis.
                                    > >
                                    > > Every Postfix will have access to a complete list of recipients
                                    > > through MySQL.
                                    > >
                                    > > So the question becomes two-part:
                                    > > Why can't I get relay_recipient_maps to work?
                                    >
                                    > http://www.postfix.org/DEBUG_README.html#mail
                                    > http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
                                    >
                                    > Wildcard entries in canonical_maps and virtual_alias_maps are the
                                    > most common reason for recipient validation failing to distinguish
                                    > between valid and invalid recipients.
                                    >

                                    Thank you for the response and sorry for the slow reply.

                                    The problem seems to be related to the virtual setup, but I'm not
                                    sure how to best describe and document it.

                                    Besides aptget.dk this server also hosts cogky.dk (among others), and
                                    while unknown recipients are being correctly rejected with a 550 when
                                    sent to aptget.dk, they are not when sent to the other virtual domains.
                                    Instead they are accepted and then returned by the MAILER_DAEMON, which
                                    in turn opens the server to backscatter.

                                    I have tried setting "local_recipient_maps = $virtual_mailbox_maps"
                                    in main.cf, but without any apparent effect. To be honest, I'm unsure if
                                    I have set "virtual_mailbox_maps" correctly, but when testing it with
                                    postalias it seems to work
                                    titanus@aptget:/etc/postfix$ sudo postalias -q titanus@...
                                    mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                    aptget.dk/titanus/

                                    When I test mysql_virtual_mailbox_maps.cf with a non-existent address,
                                    nothing is returned and the exit status is 1.

                                    What I would like to achieve, is that Postfix rejects mail to
                                    non-existent recipients before accepting mail.

                                    Thanks again, Titanus


                                    postconf -n
                                    alias_maps = hash:/etc/aliases

                                    bounce_template_file = /etc/postfix/bounce.cf

                                    broken_sasl_auth_clients = yes

                                    config_directory = /etc/postfix

                                    delay_warning_time = 4

                                    disable_vrfy_command = yes

                                    dovecot_destination_recipient_limit = 1

                                    inet_interfaces = 46.21.105.38

                                    local_recipient_maps = $virtual_mailbox_maps

                                    mailman_destination_recipient_limit = 1

                                    maximal_queue_lifetime = 15

                                    message_size_limit = 26214400

                                    mydestination = localhost

                                    mydomain = aptget.dk

                                    myhostname = aptget.aptget.dk

                                    mynetworks = 127.0.0.0/8

                                    postscreen_dnsbl_action = enforce

                                    postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1
                                    zen.spamhaus.org*1 bl.spamcop.net*1

                                    postscreen_dnsbl_threshold = 2

                                    postscreen_greet_action = enforce

                                    recipient_canonical_classes = envelope_recipient

                                    recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
                                    tcp:127.0.0.1:10002

                                    sender_canonical_classes = envelope_sender

                                    sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
                                    tcp:127.0.0.1:10001

                                    smtp_tls_security_level = may

                                    smtp_tls_session_cache_database =
                                    btree:$data_directory/smtp_tls_session_cache

                                    smtpd_data_restrictions = reject_unauth_pipelining,
                                    reject_multi_recipient_bounce,

                                    smtpd_helo_required = yes

                                    smtpd_recipient_restrictions = reject_non_fqdn_sender,
                                    reject_non_fqdn_recipient, reject_unknown_sender_domain,
                                    reject_unknown_recipient_domain, reject_unauth_destination,

                                    smtpd_sasl_auth_enable = yes

                                    smtpd_sasl_exceptions_networks = $mynetworks

                                    smtpd_sasl_path = private/auth

                                    smtpd_sasl_security_options = noanonymous

                                    smtpd_sasl_type = dovecot

                                    smtpd_tls_ask_ccert = yes

                                    smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt

                                    smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key

                                    smtpd_tls_loglevel = 1

                                    smtpd_tls_received_header = yes

                                    smtpd_tls_security_level = may

                                    smtpd_tls_session_cache_database =
                                    btree:$data_directory/smtpd_tls_session_cache

                                    spamassassin_destination_recipient_limit = 1

                                    tls_random_source = dev:/dev/urandom

                                    transport_maps = hash:/etc/postfix/transport.cf

                                    virtual_alias_maps =
                                    proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

                                    virtual_gid_maps = static:5000

                                    virtual_mailbox_base = /home/vmail

                                    virtual_mailbox_domains =
                                    proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf

                                    virtual_mailbox_maps =
                                    proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

                                    virtual_transport = dovecot

                                    virtual_uid_maps = static:5000
                                  • Wietse Venema
                                    Message 17 of 28 , Mar 22, 2013
                                      Titanus Eramius:
                                      > Besides aptget.dk this server also hosts cogky.dk (among others), and
                                      > while unknown recipients are being correctly rejected with a 550 when
                                      > sent to aptget.dk, they are not when sent to the other virtual domains.
                                      > Instead they are accepted and then returned by the MAILER_DAEMON, which
                                      > in turn opens the server to backscatter.

                                      Where is cogky.dk defined: mydestination, virtual_alias_domains,
                                      virtual_mailbox_domains, relay_domains? It must be only one.

                                      This answer determines where the "known" recipients must be listed:
                                      local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
                                      relay_recipients. If you list the domain or recipients in the wrong
                                      place then mail will be rejected.

                                      See http://www.postfix.org/ADDRESS_CLASS_README.html

                                      Wietse
                                    • Titanus Eramius
                                      Message 18 of 28 , Mar 22, 2013
                                        Fri, 22 Mar 2013 16:55:21 -0400 (EDT) Wietse Venema wrote
                                        <wietse@...>:

                                        > Titanus Eramius:
                                        > > Besides aptget.dk this server also hosts cogky.dk (among others),
                                        > > and while unknown recipients are being correctly rejected with a 550
                                        > > when sent to aptget.dk, they are not when sent to the other virtual
                                        > > domains. Instead they are accepted and then returned by the
                                        > > MAILER_DAEMON, which in turn opens the server to backscatter.
                                        >
                                        > Where is cogky.dk defined: mydestination, virtual_alias_domains,
                                        > virtual_mailbox_domains, relay_domains? It must be only one.
                                        >
                                        > This answer determines where the "known" recipients must be listed:
                                        > local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
                                        > relay_recipients. If you list the domain or recipients in the wrong
                                        > place then mail will be rejected.
                                        >
                                        > See http://www.postfix.org/ADDRESS_CLASS_README.html
                                        >
                                        > Wietse

                                        The goal is a "virtual only" mailserver, so the domains are stored
                                        in MySQL and fetched through virtual_mailbox_domains. Besides
                                        virtual_mailbox_domains, I use virtual_mailbox_maps and
                                        virtual_alias_maps.

                                        The documentation is among the best documentation I have seen, but I
                                        can't seem to find the solution, even though I have read most of what I
                                        could find in relation to virtual handling.

                                        One more "clue" is the error messages when sending to non-existent
                                        users. When sending to aptget.dk Postfix responds with
                                        "550 5.1.1 <non_existent@...>: Recipient address rejected: User
                                        unknown in virtual mailbox table".

                                        When sending to cogky.dk the response is only "<non_existent@...>:
                                        user unknown"

                                        Thank you for your time, Titanus
                                      • Wietse Venema
                                        Message 19 of 28 , Mar 22, 2013
                                          Titanus Eramius:
                                          > Fri, 22 Mar 2013 16:55:21 -0400 (EDT) Wietse Venema wrote
                                          > > Where is cogky.dk defined: mydestination, virtual_alias_domains,
                                          > > virtual_mailbox_domains, relay_domains? It must be only one.
                                          > >
                                          > > This answer determines where the "known" recipients must be listed:
                                          > > local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
                                          > > relay_recipients. If you list the domain or recipients in the wrong
                                          > > place then mail will be rejected.
                                          > >
                                          > > See http://www.postfix.org/ADDRESS_CLASS_README.html
                                          >
                                          > The goal is a "virtual only" mailserver, so the domains are stored
                                          > in MySQL and fetched through virtual_mailbox_domains. Besides
                                          > virtual_mailbox_domains, I use virtual_mailbox_maps and
                                          > virtual_alias_maps.

                                          With the domain defined in virtual_mailbox_domains, mail will fail
                                          with "user unknown in virtual mailbox table" when the recipient is
                                          not found in virtual_mailbox_maps. This is described in agonizing
                                          detail in ADDRESS_CLASS_README.

                                          Test your lookups:

                                          postmap -q cogky.dk the-virtual_mailbox_domains-table
                                          This should return a result (the value does not matter).

                                          postmap -q real-user@... the-virtual_mailbox_maps-table
                                          This should return a result (the mailbox file name).

                                          postmap -q bogus-user@... the-virtual_mailbox_maps-table
                                          This should return no result (Postfix treats this as "user unknown
                                          in virtual mailbox table").

                                          Wietse
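Added example, not part of any post in this thread and not Postfix code: a simplified Python model of RCPT TO validation for a virtual mailbox domain, showing why the three lookups listed above matter and how the wildcard-entry problem Viktor Dukhovni mentions turns a 550 reject into an accept followed by a bounce. The table contents, the user `alice` and the wildcard alias are constructed assumptions; only the domain names and the 550 text come from the thread.

```python
# Simplified model (assumption): only full-address and "@domain" catch-all keys
# are looked up; address extensions and canonical_maps are left out.

def lookup(table, address):
    """Full address first, then the @domain catch-all key; None means 'not found'."""
    if address in table:
        return table[address]
    return table.get("@" + address.rsplit("@", 1)[1])


def resolve_alias(alias_maps, address, max_depth=10):
    """Follow virtual alias rewrites until no entry matches (bounded depth)."""
    for _ in range(max_depth):
        target = lookup(alias_maps, address)
        if target is None:
            return address
        if target.startswith("@"):          # "@other" keeps the local part
            target = address.rsplit("@", 1)[0] + target
        if target == address:
            return address
        address = target
    raise RuntimeError("alias loop for " + address)


def rcpt_to(cfg, rcpt):
    """Decision taken at RCPT TO, before the message is accepted."""
    domain = rcpt.rsplit("@", 1)[1]
    if domain not in cfg["virtual_mailbox_domains"]:
        return "554 relay access denied"
    # A match in virtual_alias_maps counts as a known recipient, so a
    # catch-all key there makes every address in that domain "known".
    if lookup(cfg["virtual_alias_maps"], rcpt) is not None:
        return "250 ok"
    if lookup(cfg["virtual_mailbox_maps"], rcpt) is not None:
        return "250 ok"
    return "550 5.1.1 User unknown in virtual mailbox table"


def outcome(cfg, rcpt):
    """What finally happens to a message addressed to rcpt."""
    if not rcpt_to(cfg, rcpt).startswith("250"):
        return "rejected at SMTP"
    final = resolve_alias(cfg["virtual_alias_maps"], rcpt)
    if final in cfg["virtual_mailbox_maps"]:
        return "delivered to " + cfg["virtual_mailbox_maps"][final]
    # Accepted first, found undeliverable later: a bounce goes to the
    # (possibly forged) envelope sender, i.e. backscatter.
    return "bounced after accept (backscatter)"


def wildcard_keys(table):
    """Audit helper: catch-all keys that disable per-recipient validation."""
    return sorted(k for k in table if k.startswith("@"))


# Constructed tables standing in for the MySQL-backed maps.
DOMAINS = {"aptget.dk", "cogky.dk"}
MAILBOXES = {"alice@aptget.dk": "aptget.dk/alice/"}

WITH_WILDCARD = {
    "virtual_mailbox_domains": DOMAINS,
    "virtual_mailbox_maps": MAILBOXES,
    "virtual_alias_maps": {"@cogky.dk": "@aptget.dk"},      # catch-all
}
EXPLICIT = {
    "virtual_mailbox_domains": DOMAINS,
    "virtual_mailbox_maps": MAILBOXES,
    "virtual_alias_maps": {"alice@cogky.dk": "alice@aptget.dk"},
}

if __name__ == "__main__":
    for name, cfg in (("wildcard", WITH_WILDCARD), ("explicit", EXPLICIT)):
        print(name, "catch-all keys:", wildcard_keys(cfg["virtual_alias_maps"]))
        for rcpt in ("alice@cogky.dk", "bogus@cogky.dk", "bogus@aptget.dk"):
            print("  %-16s %s" % (rcpt, outcome(cfg, rcpt)))
```

With one alias row per real recipient, the unknown address is refused during the SMTP session and no bounce is generated.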
                                        • mouss
                                          ... one possible reason is that you configured a wildcard alias: @cogky.dk == @aptget.dk (that is anything to cogky maps to same address in aptget.dk). if so,
                                          Message 20 of 28 , Mar 24, 2013
                                            Le 23/03/2013 00:02, Titanus Eramius a écrit :
                                            > [snip]
                                            > The goal is a "virtual only" mailserver, so the domains are stored
                                            > in MySQL and fetched through virtual_mailbox_domains. Besides
                                            > virtual_mailbox_domains, I use virtual_mailbox_maps and
                                            > virtual_alias_maps.
                                            >
                                            > The documentation is among the best documentation I have seen, but I
                                            > can't seem to find the solution, even though I have read most of what I
                                            > could find in relation to virtual handling.
                                            >
                                            > One more "clue" is the error messages when sending to non-existent
                                            > users. When sending to aptget.dk Postfix responds with
                                            > "550 5.1.1 <non_existent@...>: Recipient address rejected: User
                                            > unknown in virtual mailbox table".
                                            >
                                            > When sending to cogky.dk the response is only "<non_existent@...>:
                                            > user unknown"
                                            >

                                            one possible reason is that you configured a wildcard alias:
                                            @... ==> @...
                                            (that is anything to cogky maps to same address in aptget.dk).

                                            if so, that's your problem. you need to configure mappings only for
                                            existing users.
                                            since you use mysql, this should be easy to do.
                                          • Titanus Eramius
                                            Message 21 of 28 , Mar 25, 2013
                                              Fri, 22 Mar 2013 19:12:40 -0400 (EDT) skrev Wietse Venema
                                              <wietse@...>:

                                              > Test your lookups:
                                              >
                                              > postmap -q cogky.dk the-virtual_mailbox_domains-table
                                              > This should return a result (the value does not matter).

                                              aptget:~# postalias -q cogky.dk
                                              mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
                                              cogky.dk

                                              > postmap -q real-user@... the-virtual_mailbox_maps-table
                                              > This should return a result (the mailbox file name).

                                              aptget:~# postalias -q real-user@...
                                              mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                              cogky.dk/real-user/

                                              > postmap -q bogus-user@... the-virtual_mailbox_maps-table
                                              > This should return no result (Postfix treats this as "user unknown
                                              > in virtual mailbox table").

                                              And this does not return a result. Bash gives an error-status of 1.


                                              Sun, 24 Mar 2013 09:36:03 +0100 skrev mouss <mouss@...>:

                                              > one possible reason is that you configured a wildcard alias:
                                              > @... ==> @...
                                              > (that is anything to cogky maps to same address in aptget.dk).

                                              As far as I can see that should not be the case. All addresses and
                                              aliases in the database have a left hand side to it. Is there a way to
                                              test this?


                                              I'm using Dovecot 2 as LDA for final delivery and IMAP-services, so
                                              "virtual_transport" is set to "dovecot" in main.cf and the following
                                              lines are in master.cf:

                                              dovecot unix - n n - - pipe
                                                flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}


                                              When looking through the log, it looks like the "user unknown"
                                              response comes from Dovecot and not Postfix:

                                              Mar 25 13:43:53 aptget postfix/smtpd[24133]: connect from
                                              unknown[92.243.255.38]

                                              Mar 25 13:43:54 aptget postfix/smtpd[24133]:
                                              Anonymous TLS connection established from unknown[92.243.255.38]: TLSv1
                                              with cipher DHE-RSA-AES128-SHA (128/128 bits)

                                              Mar 25 13:43:54 aptget dovecot: auth-worker(24136): mysql(localhost):
                                              Connected to database postfix

                                              Mar 25 13:43:54 aptget postfix/smtpd[24133]: BB6AD371DDC4:
                                              client=unknown[92.243.255.38], sasl_method=LOGIN,
                                              sasl_username=HIDDEN_USER@...

                                              Mar 25 13:43:54 aptget postfix-policyd: connection from: 127.0.0.1
                                              port: 48937 slots: 0 of 4096 used

                                              Mar 25 13:43:54 aptget postfix-policyd: connecting to mysql database:
                                              localhost

                                              Mar 25 13:43:54 aptget postfix-policyd: connected..

                                              Mar 25 13:43:54 aptget postfix-policyd: rcpt=16, throttle=clear(a),
                                              host=92.243.255.38, from=titanus@..., to=unknown-user@...,
                                              size=365/26214400, quota=365/1800000000, count=1/125(10),
                                              rcpt=1/600(11), threshold=0%|0%|0%, sasl_username=HIDDEN_USER@...

                                              Mar 25 13:43:54 aptget postfix/cleanup[24138]: BB6AD371DDC4:
                                              message-id=<20130325134351.5c2e026f@...>

                                              Mar 25 13:43:54 aptget postfix/qmgr[23982]: BB6AD371DDC4:
                                              from=<titanus@...>, size=663, nrcpt=1 (queue active)

                                              Mar 25 13:43:55 aptget postfix/pipe[24140]: BB6AD371DDC4:
                                              to=<unknown-user@...>, relay=dovecot, delay=0.38,
                                              delays=0.26/0.03/0/0.09, dsn=5.1.1, status=bounced (user unknown)

                                              Mar 25 13:43:55 aptget postfix/cleanup[24138]: 16228371DE3E:
                                              message-id=<20130325124355.16228371DE3E@...>

                                              Mar 25 13:43:55 aptget postfix/bounce[24142]: BB6AD371DDC4: sender
                                              non-delivery notification: 16228371DE3E

                                              Mar 25 13:43:55 aptget postfix/qmgr[23982]: 16228371DE3E: from=<>,
                                              size=2673, nrcpt=1 (queue active)

                                              Mar 25 13:43:55 aptget postfix/qmgr[23982]: BB6AD371DDC4: removed

                                              Mar 25 13:43:55 aptget postfix/smtpd[24133]: disconnect from
                                              unknown[92.243.255.38]


                                              Thank you again for helping
                                              Titanus


                                              postconf -n
                                              alias_maps = hash:/etc/aliases

                                              bounce_template_file = /etc/postfix/bounce.cf

                                              broken_sasl_auth_clients = yes

                                              config_directory = /etc/postfix

                                              delay_warning_time = 4

                                              disable_vrfy_command = yes

                                              dovecot_destination_recipient_limit = 1

                                              inet_interfaces = 46.21.105.38

                                              local_recipient_maps = $virtual_mailbox_maps

                                              mailman_destination_recipient_limit = 1

                                              maximal_queue_lifetime = 15

                                              message_size_limit = 26214400

                                              mydestination = localhost

                                              mydomain = aptget.dk

                                              myhostname = aptget.aptget.dk

                                              mynetworks = 127.0.0.0/8

                                              postscreen_dnsbl_action = enforce
                                              postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1
                                              zen.spamhaus.org*1 bl.spamcop.net*1

                                              postscreen_dnsbl_threshold = 2

                                              postscreen_greet_action = enforce

                                              recipient_canonical_classes = envelope_recipient

                                              recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
                                              tcp:127.0.0.1:10002

                                              sender_canonical_classes = envelope_sender

                                              sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
                                              tcp:127.0.0.1:10001

                                              smtp_tls_security_level = may

                                              smtp_tls_session_cache_database =
                                              btree:$data_directory/smtp_tls_session_cache

                                              smtpd_data_restrictions = reject_unauth_pipelining,
                                              reject_multi_recipient_bounce,

                                              smtpd_helo_required = yes

                                              smtpd_recipient_restrictions = reject_non_fqdn_sender,
                                              reject_non_fqdn_recipient, reject_unknown_sender_domain,
                                              reject_unknown_recipient_domain, reject_unauth_destination,

                                              smtpd_sasl_auth_enable = yes

                                              smtpd_sasl_exceptions_networks = $mynetworks

                                              smtpd_sasl_path = private/auth

                                              smtpd_sasl_security_options = noanonymous

                                              smtpd_sasl_type = dovecot

                                              smtpd_tls_ask_ccert = yes

                                              smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt

                                              smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key

                                              smtpd_tls_loglevel = 1

                                              smtpd_tls_received_header = yes

                                              smtpd_tls_security_level = may

                                              smtpd_tls_session_cache_database =
                                              btree:$data_directory/smtpd_tls_session_cache

                                              spamassassin_destination_recipient_limit = 1

                                              tls_random_source = dev:/dev/urandom

                                              transport_maps = hash:/etc/postfix/transport.cf

                                              virtual_alias_maps =
                                              proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

                                              virtual_gid_maps = static:5000

                                              virtual_mailbox_base = /home/vmail

                                              virtual_mailbox_domains =
                                              proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf

                                              virtual_mailbox_maps =
                                              proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

                                              virtual_transport = dovecot

                                              virtual_uid_maps = static:5000
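The accept-then-bounce pattern in the log above (smtpd queues the message, the pipe delivery to dovecot then fails with dsn=5.1.1) can be found mechanically by correlating queue IDs. This is an added example, not part of the original post; the log lines, hosts, addresses and function names in it are constructed.

```python
import re

# Constructed sample in the syslog format quoted above; queue IDs, hosts and
# addresses are made up for the example.
SAMPLE_LOG = """\
Mar 25 13:43:54 mx postfix/smtpd[24133]: AAAA11112222: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=user@example.org
Mar 25 13:43:54 mx postfix/cleanup[24138]: AAAA11112222: message-id=<one@example.org>
Mar 25 13:43:54 mx postfix/qmgr[23982]: AAAA11112222: from=<sender@example.org>, size=663, nrcpt=1 (queue active)
Mar 25 13:43:55 mx postfix/pipe[24140]: AAAA11112222: to=<bogus@example.net>, relay=dovecot, delay=0.38, delays=0.26/0.03/0/0.09, dsn=5.1.1, status=bounced (user unknown)
Mar 25 13:43:55 mx postfix/bounce[24142]: AAAA11112222: sender non-delivery notification: BBBB33334444
Mar 25 13:43:55 mx postfix/qmgr[23982]: BBBB33334444: from=<>, size=2673, nrcpt=1 (queue active)
Mar 25 13:43:55 mx postfix/qmgr[23982]: AAAA11112222: removed
Mar 25 13:44:10 mx postfix/smtpd[24150]: CCCC55556666: client=unknown[192.0.2.11]
Mar 25 13:44:10 mx postfix/qmgr[23982]: CCCC55556666: from=<sender@example.org>, size=700, nrcpt=1 (queue active)
Mar 25 13:44:11 mx postfix/pipe[24151]: CCCC55556666: to=<real@example.net>, relay=dovecot, delay=0.2, delays=0.1/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 25 13:44:11 mx postfix/qmgr[23982]: CCCC55556666: removed
Mar 25 13:44:20 mx postfix/smtpd[24160]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<nobody@example.com> proto=ESMTP helo=<test>
"""

# "postfix/<daemon>[pid]: <queue id>: <rest>"
LINE = re.compile(
    r"postfix/(?P<daemon>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-F]+|NOQUEUE): (?P<rest>.*)$"
)
CLIENT = re.compile(r"client=([^,\s]+)")
DELIVERY = re.compile(
    r"to=<(?P<rcpt>[^>]*)>,.*?relay=(?P<relay>[^,]+),"
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)
REJECT = re.compile(r"reject: RCPT from \S+: 550 5\.1\.1 <([^>]*)>")


def analyse(log_text):
    """Split 'user unknown' outcomes into two groups.

    late_bounces: recipients that smtpd accepted (a queue ID was assigned)
                  and that were bounced with 5.1.1 only at delivery time.
    smtp_rejects: recipients refused with 550 5.1.1 during the SMTP dialogue,
                  which is where an unknown recipient should be stopped.
    """
    accepted = {}        # queue ID -> client that submitted the message
    late_bounces = []
    smtp_rejects = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon = m["daemon"].rsplit("/", 1)[-1]
        qid, rest = m["qid"], m["rest"]
        if daemon == "smtpd":
            if qid == "NOQUEUE":
                r = REJECT.match(rest)
                if r:
                    smtp_rejects.append(r.group(1))
            else:
                c = CLIENT.match(rest)
                if c:
                    accepted[qid] = c.group(1)
        elif qid in accepted:
            d = DELIVERY.match(rest)
            if d and d["status"] == "bounced" and d["dsn"] == "5.1.1":
                late_bounces.append({
                    "queue_id": qid,
                    "client": accepted[qid],
                    "recipient": d["rcpt"],
                    "relay": d["relay"],
                })
    return late_bounces, smtp_rejects


if __name__ == "__main__":
    late, rejected = analyse(SAMPLE_LOG)
    for item in late:
        print("accepted, then bounced:", item)
    print("rejected at RCPT TO:", rejected)
```

Every entry in the first list is a message for which a non-delivery notification was generated after acceptance; on a server that validates recipients at RCPT TO that list stays empty.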
                                            • Wietse Venema
                                              Message 22 of 28 , Mar 25, 2013
                                                Titanus Eramius:
                                                > Fri, 22 Mar 2013 19:12:40 -0400 (EDT) skrev Wietse Venema
                                                > <wietse@...>:
                                                >
                                                > > Test your lookups:
                                                > >
                                                > > postmap -q cogky.dk the-virtual_mailbox_domains-table
                                                > > This should return a result (the value does not matter).
                                                >
                                                > aptget:~# postalias -q cogky.dk
                                                > mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
                                                > cogky.dk
                                                >
                                                > > postmap -q real-user@... the-virtual_mailbox_maps-table
                                                > > This should return a result (the mailbox file name).
                                                >
                                                > aptget:~# postalias -q real-user@...
                                                > mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                                > cogky.dk/real-user/
                                                >
                                                > > postmap -q bogus-user@... the-virtual_mailbox_maps-table
                                                > > This should return no result (Postfix treats this as "user unknown
                                                > > in virtual mailbox table").
                                                >
                                                > And this does not return a result. Bash gives an error-status of 1.

                                                OK, the table is working as it should. Now let's find out
                                                why the bogus recipient is accepted:

                                                Next step:

                                                - Connect to the public (not content re-injection) SMTP port and try

                                                $ telnet hostname 25
                                                ehlo ...
                                                mail from:<>
                                                rcpt to:<real-user@...>
                                                rcpt to:<bogus-user@...>
                                                quit

                                                One recipient should be accepted, the other not.

                                                - Same experiment for mail over the submission port, if you have one:

                                                $ openssl s_client -starttls smtp -connect hostname:587
                                                ehlo ...
                                                mail from:<>
                                                rcpt to:<real-user@...>
                                                rcpt to:<bogus-user@...>
                                                quit

                                                This is just in case.

                                                Wietse
                                              • Titanus Eramius
                                                Message 23 of 28 , Mar 25, 2013
                                                  Mon, 25 Mar 2013 11:30:41 -0400 (EDT) skrev Wietse Venema
                                                  <wietse@...>:

                                                  > Titanus Eramius:
                                                  > > Fri, 22 Mar 2013 19:12:40 -0400 (EDT) skrev Wietse Venema
                                                  > > <wietse@...>:
                                                  > >
                                                  > > > Test your lookups:
                                                  > > >
                                                  > > > postmap -q cogky.dk the-virtual_mailbox_domains-table
                                                  > > > This should return a result (the value does not matter).
                                                  > >
                                                  > > aptget:~# postalias -q cogky.dk
                                                  > > mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
                                                  > > cogky.dk
                                                  > >
                                                  > > > postmap -q real-user@... the-virtual_mailbox_maps-table
                                                  > > > This should return a result (the mailbox file name).
                                                  > >
                                                  > > aptget:~# postalias -q real-user@...
                                                  > > mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                                  > > cogky.dk/real-user/
                                                  > >
                                                  > > > postmap -q bogus-user@... the-virtual_mailbox_maps-table
                                                  > > > This should return no result (Postfix treats this as "user unknown
                                                  > > > in virtual mailbox table").
                                                  > >
                                                  > > And this does not return a result. Bash gives an error-status of 1.
                                                  >
                                                  > OK, the table is working as it should. Now let's find out
                                                  > why the bogus recipient is accepted:
                                                  >
                                                  > Next step:
                                                  >
                                                  > - Connect to the public (not content re-injection) SMTP port and try
                                                  >
                                                  > $ telnet hostname 25
                                                  > ehlo ...
                                                  > mail from:<>
                                                  > rcpt to:<real-user@...>
                                                  > rcpt to:<bogus-user@...>
                                                  > quit
                                                  >
                                                  > One recipient should be accepted, the other not.
                                                  >
                                                  > - Same experiment for mail over the submission port, if you have one:
                                                  >
                                                  > $ openssl s_client -starttls smtp -connect hostname:587
                                                  > ehlo ...
                                                  > mail from:<>
                                                  > rcpt to:<real-user@...>
                                                  > rcpt to:<bogus-user@...>
                                                  > quit
                                                  >
                                                  > This is just in case.
                                                  >
                                                  > Wietse

                                                  Both RCPT TOs are successful

                                                  titanus@asrock:~$ telnet 46.21.105.38 25
                                                  Trying 46.21.105.38...
                                                  Connected to 46.21.105.38.
                                                  Escape character is '^]'.
                                                  220 aptget.aptget.dk ESMTP Postfix
                                                  EHLO Hej
                                                  250-aptget.aptget.dk
                                                  250-PIPELINING
                                                  250-SIZE 26214400
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250 DSN
                                                  MAIL FROM:<>
                                                  250 2.1.0 Ok
                                                  RCPT TO:<real-user@...>
                                                  250 2.1.5 Ok
                                                  RCPT TO:<non-existent@...>
                                                  250 2.1.5 Ok
                                                  QUIT
                                                  221 2.0.0 Bye
                                                  Connection closed by foreign host.

                                                  If non-existent@... is substituted with non-existent@...,
                                                  then it is still rejected with "... unknown in virtual mailbox table".

                                                  When trying with submission through telnet, I'm afraid I can't get the
                                                  syntax right. But when using the mail client Claws Mail, Postfix
                                                  accepts non-existent addresses for cogky.dk

                                                  ...
                                                  [17:51:52] ESMTP< 235 2.7.0 Authentication successful
                                                  [17:51:52] ESMTP> MAIL FROM:<nicky@...> SIZE=371
                                                  [17:51:52] SMTP< 250 2.1.0 Ok
                                                  [17:51:52] SMTP> RCPT TO:<non-existent@...>
                                                  [17:51:52] SMTP< 250 2.1.5 Ok
                                                  ...

                                                  Thank you, Titanus
                                                • Wietse Venema
                                                  ... You appear to have a wild-card rule that replaces @cogky.dk with @aptget.dk. Such a rule matches all addresses including invalid ones. Instead use a MySQL
                                                  Message 24 of 28 , Mar 25, 2013
                                                    Titanus Eramius:
                                                    > > OK, the table is working as it should. Now let's find out
                                                    > > why the bogus recipient is accepted:
                                                    > >
                                                    > > Next step:
                                                    > >
                                                    > > - Connect to the public (not content re-injection) SMTP port and try
                                                    ...
                                                    > MAIL FROM:<>
                                                    > 250 2.1.0 Ok
                                                    > RCPT TO:<real-user@...>
                                                    > 250 2.1.5 Ok
                                                    > RCPT TO:<non-existent@...>
                                                    > 250 2.1.5 Ok

                                                    > If non-existent@... is substituted with non-existent@...,
                                                    > then it is still rejected with "... unknown in virtual mailbox table".

                                                    You appear to have a wild-card rule that replaces @... with
                                                    @.... Such a rule matches all addresses including invalid ones.

                                                    Instead use a MySQL query as described in
                                                    http://tech.groups.yahoo.com/group/postfix-users/message/247913

                                                    Wietse
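What a wildcard rule of the kind described in the message above does to recipient validation, as an added example that is not part of the original thread. It is a simplified model of the virtual(5) lookup (exact address, then the @domain catch-all; address extensions, bare-user keys and recursive expansion are left out), and the domains, tables and function names are constructed for illustration.

```python
# Constructed tables: example.net is the hosted domain, example.org holds
# the real mailboxes.
MAILBOXES = {"real-user@example.org"}

WILDCARD_ALIASES = {
    "@example.net": "@example.org",   # catch-all: anything@example.net
}

PER_USER_ALIASES = {
    "real-user@example.net": "real-user@example.org",  # existing users only
}


def expand(aliases, address):
    """Return the rewritten address, or None when no alias key matches.

    A right-hand side of the form "@otherdomain" keeps the local part,
    which is how a catch-all maps every user to the same user elsewhere.
    """
    local, _, domain = address.rpartition("@")
    for key in (address, "@" + domain):
        if key in aliases:
            target = aliases[key]
            return local + target if target.startswith("@") else target
    return None


def smtp_accepts(aliases, mailboxes, address):
    """Recipient check at RCPT TO: an address that matches a virtual alias
    is treated as known, otherwise it must be a listed mailbox."""
    return expand(aliases, address) is not None or address in mailboxes


def deliverable(aliases, mailboxes, address):
    """Delivery-time view: the (possibly rewritten) address needs a mailbox."""
    final = expand(aliases, address) or address
    return final in mailboxes


def late_bounces(aliases, mailboxes, recipients):
    """Recipients that pass the SMTP check but cannot be delivered."""
    return [r for r in recipients
            if smtp_accepts(aliases, mailboxes, r)
            and not deliverable(aliases, mailboxes, r)]


def catch_all_keys(aliases):
    """Audit helper: alias keys that match every address in a domain."""
    return sorted(k for k in aliases if k.startswith("@"))


if __name__ == "__main__":
    probes = ["real-user@example.net", "bogus-user@example.net"]
    print("wildcard table :", late_bounces(WILDCARD_ALIASES, MAILBOXES, probes))
    print("per-user table :", late_bounces(PER_USER_ALIASES, MAILBOXES, probes))
    print("catch-all keys :", catch_all_keys(WILDCARD_ALIASES))
```

With the wildcard table the bogus recipient is accepted and fails only at delivery; with one mapping per existing user it is refused at RCPT TO.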
                                                  • Titanus Eramius
                                                    Message 25 of 28 , Apr 5, 2013
                                                      Mon, 25 Mar 2013 14:09:04 -0400 (EDT) skrev Wietse Venema
                                                      <wietse@...>:

                                                      > Titanus Eramius:

                                                      > > MAIL FROM:<>
                                                      > > 250 2.1.0 Ok
                                                      > > RCPT TO:<real-user@...>
                                                      > > 250 2.1.5 Ok
                                                      > > RCPT TO:<non-existent@...>
                                                      > > 250 2.1.5 Ok
                                                      >
                                                      > > If non-existent@... is substituted with non-existent@...,
                                                      > > then it is still rejected with "... unknown in virtual mailbox
                                                      > > table".
                                                      >
                                                      > You appear to have a wild-card rule that replaces @... with
                                                      > @.... Such a rule matches all addresses including invalid ones.
                                                      >
                                                      > Instead use a MySQL query as described in
                                                      > http://tech.groups.yahoo.com/group/postfix-users/message/247913
                                                      >
                                                      > Wietse

                                                      Thank you for the link, it was very informative, but didn't solve the
                                                      problem. I also tried making a virtual_mailbox_maps MySQL query that
                                                      always returned false, but Postfix still accepted all mail, and then
                                                      bounced it after Dovecot rejected it.

                                                      I have converted virtual_mailbox_maps and virtual_mailbox_domains to
                                                      textfiles, so it should be easier to debug on the setup. Please note
                                                      that I had to change server to experiment like this, since I depend
                                                      on the other server.

                                                      The servername is nt-data.dk, and the hosted domain (which all mail is
                                                      accepted for) is nt-backup.dk. The behavior is the same, so mail sent
                                                      to non_existent@... is rejected, while mail sent to
                                                      non_existent@... is accepted, and then bounced.

                                                      In main.cf (please see the bottom for postconf -n) is
                                                      virtual_mailbox_domains =
                                                      hash:/etc/postfix/virtual_mailbox_domains.cf
                                                      virtual_mailbox_maps =
                                                      hash:/etc/postfix/virtual_mailbox_maps.cf

                                                      And the content of those files is
                                                      virtual_mailbox_domains.cf:
                                                      nt-backup.dk OK
                                                      nt-data.dk OK

                                                      virtual_mailbox_maps.cf:
                                                      test@... OK
                                                      info@... OK

                                                      It all works like a charm, besides the point that Postfix accepts
                                                      mail to non-existent users on the hosted domain.

                                                      In addition I have read through the relevant documentation again, but I
                                                      still can't figure out where or what the problem might be.

                                                      Thanks again


                                                      postconf -n
                                                      alias_maps = hash:/etc/aliases

                                                      bounce_template_file = /etc/postfix/bounce.cf

                                                      broken_sasl_auth_clients = yes

                                                      config_directory = /etc/postfix

                                                      delay_warning_time = 4

                                                      disable_vrfy_command = yes

                                                      inet_interfaces = all

                                                      local_recipient_maps = $virtual_mailbox_maps

                                                      maximal_queue_lifetime = 15

                                                      mydestination =

                                                      myhostname = ntdata.nt-data.dk

                                                      mynetworks = 127.0.0.0/8

                                                      recipient_canonical_classes = envelope_recipient

                                                      recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
                                                      tcp:127.0.0.1:10002

                                                      sender_canonical_classes = envelope_sender

                                                      sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
                                                      tcp:127.0.0.1:10001

                                                      smtp_tls_security_level = may

                                                      smtp_tls_session_cache_database =
                                                      btree:$data_directory/smtp_tls_session_cache

                                                      smtpd_data_restrictions =
                                                      reject_unauth_pipelining,
                                                      reject_multi_recipient_bounce,
                                                      permit

                                                      smtpd_helo_required = yes

                                                      smtpd_recipient_restrictions =
                                                      reject_non_fqdn_sender,
                                                      reject_non_fqdn_recipient,
                                                      reject_unknown_sender_domain,
                                                      reject_unknown_recipient_domain,
                                                      reject_rbl_client truncate.gbudb.net,
                                                      reject_unauth_destination,
                                                      permit

                                                      smtpd_sasl_auth_enable = yes

                                                      smtpd_sasl_exceptions_networks = $mynetworks

                                                      smtpd_sasl_path = private/auth

                                                      smtpd_sasl_security_options = noanonymous

                                                      smtpd_sasl_type = dovecot

                                                      smtpd_tls_ask_ccert = yes

                                                      smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt

                                                      smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key

                                                      smtpd_tls_loglevel = 1

                                                      smtpd_tls_received_header = yes

                                                      smtpd_tls_security_level = may

                                                      smtpd_tls_session_cache_database =
                                                      btree:$data_directory/smtpd_tls_session_cache

                                                      tls_random_source = dev:/dev/urandom

                                                      transport_maps = hash:/etc/postfix/transport.cf

                                                      virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains.cf

                                                      virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps.cf

                                                      virtual_transport = dovecot
                                                    • Brian Evans
                                                      Message 26 of 28 , Apr 5, 2013
                                                        On 4/5/2013 6:56 AM, Titanus Eramius wrote:
                                                        > Mon, 25 Mar 2013 14:09:04 -0400 (EDT) skrev Wietse Venema
                                                        > <wietse@...>:
                                                        >
                                                        >> Titanus Eramius:
                                                        >>> MAIL FROM:<>
                                                        >>> 250 2.1.0 Ok
                                                        >>> RCPT TO:<real-user@...>
                                                        >>> 250 2.1.5 Ok
                                                        >>> RCPT TO:<non-existent@...>
                                                        >>> 250 2.1.5 Ok
                                                        >>> If non-existent@... is substituted with non-existent@...,
                                                        >>> then it is still rejected with "... unknown in virtual mailbox
                                                        >>> table".
                                                        >> You appear to have a wild-card rule that replaces @... with
                                                        >> @.... Such a rule matches all addresses including invalid ones.
                                                        >>
                                                        >> Instead use a MySQL query as described in
                                                        >> http://tech.groups.yahoo.com/group/postfix-users/message/247913
                                                        >>
                                                        >> Wietse
                                                        > Thank you for the link, it was very informative, but didn't solve the
                                                        > problem. I also tried making a virtual_mailbox_maps MySQL query that
                                                        > always returned false, but Postfix still accepted all mail, and then
                                                        > bounced it after Dovecot rejected it.

                                                        You say you return "false"?
                                                        Postfix expects to receive no results (a.k.a. 0 rows) if a
                                                        virtual_mailbox_maps address in mysql does not exist.
                                                        Do not return "false", empty string, null, or any other value if it does
                                                        not exist.

                                                        Brian
                                                      • Titanus Eramius
                                                        Message 27 of 28 , Apr 5, 2013
                                                          Fri, 05 Apr 2013 08:49:39 -0400 wrote Brian Evans
                                                          <grknight@...>:

                                                          > > Thank you for the link, it was very informative, but didn't solve
                                                          > > the problem. I also tried making a virtual_mailbox_maps MySQL query
                                                          > > that always returned false, but Postfix still accepted all mail,
                                                          > > and then bounced it after Dovecot rejected it.
                                                          >
                                                          > You say you return "false"?
                                                          > Postfix expects to receive no results (a.k.a. 0 rows) if a
                                                          > virtual_mailbox_maps address in mysql does not exist.
                                                          > Do not return "false", empty string, null, or any other value if it
                                                          > does not exist.

                                                          False may be the wrong word, and I'm sorry if it is. What I mean is,
                                                          virtual_mailbox_maps always returns nothing from MySQL, like so:

                                                          titanus@ntdata:/etc/postfix$ sudo postmap -q test@...
                                                          mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                                          titanus@ntdata:/etc/postfix$ echo $?
                                                          1
                                                          (this user exists)

                                                          titanus@ntdata:/etc/postfix$ sudo postmap -q non_existent@...
                                                          mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                                          titanus@ntdata:/etc/postfix$ echo $?
                                                          1
                                                          (this user does not)

                                                          I did this because I had some trouble constructing the query-string
                                                          Wietse recommended, and thought this would be a simple and easy way to
                                                          test if virtual_mailbox_maps was the problem.

                                                          When trying the syntax within the MySQL CLI, an "Empty set" is returned
                                                          when querying for a non-existent user

                                                          mysql> SELECT username FROM mailbox
                                                          -> WHERE username = 'non_existent@...';
                                                          Empty set (0.00 sec)


                                                          I hope this better explains what I meant
                                                          Cheers
                                                        • Titanus Eramius
                                                          Message 28 of 28 , Apr 6, 2013
                                                            Solved it :-)

                                                            When sending to unknown users, Postfix now rejects the mail with "User
                                                            unknown in virtual mailbox table", and it does so for hosted (that is,
                                                            virtual mailbox domains) domains as well.

                                                            It seems the SRS-daemon* I have been using with the main.cf parameters
                                                            recipient_canonical_maps
                                                            recipient_canonical_classes
                                                            sender_canonical_maps
                                                            sender_canonical_classes

                                                            was the root of the problem. I have just commented them out to solve
                                                            it. Reading through the documentation for those four parameters does
                                                            not seem to indicate why they would mess with Postfix's ability to use
                                                            virtual_mailbox_maps.

                                                            But I guess my lack of understanding about Postfix internals is a
                                                            problem as well. I am sorry for the wasted time, and would like to
                                                            thank all who helped out.

                                                            Have a nice weekend


                                                            * https://github.com/Fruneau/pfixtools
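The behaviour this thread ran into, as an added example that is not part of the original messages: Postfix treats a recipient as known when it matches a canonical (or virtual alias) mapping, so a canonical map that answers for every address means virtual_mailbox_maps is never consulted. The Python below is a simplified model of that check plus a probe that flags such wildcard maps; the domain `hosted.example`, the table contents and all function names are constructed for illustration.

```python
import secrets

# Constructed sample tables (not the poster's data).
VIRTUAL_MAILBOX_DOMAINS = {"hosted.example"}
VIRTUAL_MAILBOX_MAPS = {"test@hosted.example": "OK", "info@hosted.example": "OK"}

def hash_table(table):
    """Exact-match lookup, like a hash: map; None means 'no result'."""
    return lambda addr: table.get(addr)

def rewrite_everything(addr):
    """Stand-in for a tcp: rewriting daemon that answers for every address."""
    return "REWRITTEN+" + addr

def rcpt_decision(addr, canonical_maps, mailbox_maps=VIRTUAL_MAILBOX_MAPS):
    """Simplified model of recipient validation for a virtual mailbox domain."""
    domain = addr.rsplit("@", 1)[-1]
    if domain not in VIRTUAL_MAILBOX_DOMAINS:
        return "Relay access denied"
    # Any hit in a canonical map marks the recipient as known, so the
    # mailbox table is never consulted for it.
    if any(lookup(addr) is not None for lookup in canonical_maps.values()):
        return "250 2.1.5 Ok"
    if mailbox_maps.get(addr) is not None:
        return "250 2.1.5 Ok"
    return "User unknown in virtual mailbox table"

def find_wildcard_maps(maps, domain):
    """Probe each map with a random, certainly unused address; a map that
    still returns a result matches everything and defeats validation."""
    probe = "probe-" + secrets.token_hex(8) + "@" + domain
    return sorted(name for name, lookup in maps.items()
                  if lookup(probe) is not None)

# Hypothetical map names: an exception table plus a rewrite-all daemon.
WITH_REWRITER = {
    "hash:exceptions": hash_table({}),
    "tcp:rewriter": rewrite_everything,
}
WITHOUT_REWRITER = {"hash:exceptions": hash_table({})}

if __name__ == "__main__":
    for label, maps in (("with rewriter", WITH_REWRITER),
                        ("without rewriter", WITHOUT_REWRITER)):
        print(label, "->",
              rcpt_decision("non_existent@hosted.example", maps),
              "| wildcard maps:", find_wildcard_maps(maps, "hosted.example"))
```

On a live system the same probe can be run by hand with `postmap -q` against each configured canonical map, using an address that is known not to exist.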