Issue with smtpd_reject_unlisted_sender

Discussion in 'Installation/Configuration' started by kinai, Dec 8, 2020.

  1. kinai

    kinai Member

    Hi all,

    We have updated our mail server from ISPConfig 3.2 to 3.2.1.
    Since then, some sender accounts (used by a scanner, for example) cannot send email, with the error
    "Sender address rejected: User unknown in virtual mailbox table"
    After checking the account, the user account exists and is enabled (it only has receiving disabled and POP/IMAP access). This account is only used to send email.
    After many tests, we have found that the directive "smtpd_reject_unlisted_sender=yes" causes this issue.
    Maybe another parameter must be fixed to avoid this issue when using this parameter.

    Thanks for help
    Yannick
     
  2. kinai

    kinai Member

    Below master.cf

    Code:
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    smtp       inet  n       -       y       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    submission inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_helo_required=no
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    
    slow       unix  -       -       n       -       -       smtp
      -o syslog_name=postfix/slow
    
    pickup     fifo  n       -       y       60      1       pickup
    cleanup    unix  n       -       y       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       n       300     1       oqmgr
    tlsmgr     unix  -       -       y       1000?   1       tlsmgr
    rewrite    unix  -       -       y       -       -       trivial-rewrite
    bounce     unix  -       -       y       -       0       bounce
    defer      unix  -       -       y       -       0       bounce
    trace      unix  -       -       y       -       0       bounce
    verify     unix  -       -       y       -       1       verify
    flush      unix  n       -       y       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp       unix  -       -       y       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    relay      unix  -       -       y       -       -       smtp
    showq      unix  n       -       y       -       -       showq
    error      unix  -       -       y       -       -       error
    retry      unix  -       -       y       -       -       error
    discard    unix  -       -       y       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       y       -       -       lmtp
    anvil      unix  -       -       y       -       1       anvil
    
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    scache     unix  -       -       y       -       1       scache
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    
    policy-spf  unix  -       n       n       -       -       spawn
         user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
    
    
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
                    -o smtp_bind_address=
    
    127.0.0.1:10025 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_end_of_data_restrictions=
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookups=yes
    
    
    127.0.0.1:10027 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_end_of_data_restrictions=
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
                -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
    
    
     
  3. kinai

    kinai Member

    and main.cf

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = mail.ourdomain.net
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = mailserver.internaldomain.local, localhost, localhost.localdomain, mail.ourdomain.net
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128 10.250.0.22/32 10.250.255.31/32 10.250.255.32/32 10.0.0.93/32 10.255.0.0/16 172.16.1.153/32 10.0.0.12/32
    mailbox_size_limit = 0
    message_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    # Strengthens spam protection
    smtpd_helo_required = yes
    # smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/custom-conf/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/bl$
    strict_rfc821_envelopes = yes
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    smtpd_delay_reject = yes
    
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipie$
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, hash:/etc/postfix/custom-conf/slow-transport, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_map$
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks,  permit_sasl_authenticated, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/po$
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client b.barracudacentral.org, reject_rbl_client dsn.rfc-$
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    
    receive_override_options = no_address_mappings
    #message_size_limit = 0
    smtp_tls_security_level = dane
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    
    policy-spf_time_limit = 3600s
    
    # Limits the number of recipients an SMTP client may address per minute
    smtpd_client_recipient_rate_limit = 100
    
    # Limits the maximum number of simultaneous connections a client may open
    smtpd_client_connection_count_limit = 20
    
    # Limits the number of recipients an SMTP client may address in a single mail
    default_destination_recipient_limit = 50
    
    # smtpd_recipient_limit =
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_restriction_classes = greylisting
    # greylisting = check_policy_service inet:127.0.0.1:10023
    greylisting = check_policy_service inet:127.0.0.1:10023
    
    # Limit the number of mails sent to the same domain: required for Orange (at minimum)
    slow_destination_concurrency_limit = 3
    slow_destination_rate_delay = 3s
    
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES2$
    tls_preempt_cipherlist = yes
    address_verify_negative_refresh_time = 60s
    enable_original_recipient = no
    smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
    address_verify_sender_ttl = 15686s
    smtp_dns_support_level = dnssec
    # smtpd_reject_unlisted_sender = yes
    
    
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

  5. kinai

    kinai Member

  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Do you get the email address returned with 'postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf'?
     
  7. kinai

    kinai Member

    Yes, this command returns the sender email address.
     
  8. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What do you get with the same query against
    mysql-virtual_mailboxes.cf?
     
  9. Paulmw

    Paulmw New Member

    We also have the same problem - when we uncheck the box "Enable receiving" it also disables sending. Setting "smtpd_reject_unlisted_sender = no" fixes the problem.

    Here's the entry in /var/log/maillog:
    Code:
    Feb  3 11:14:26 server postfix/smtpd[3103932]: connect from localhost[::1]
    Feb  3 11:14:27 server postfix/smtpd[3103932]: NOQUEUE: filter: RCPT from localhost[::1]: <sender@localdomain>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<sender@localdomain> to=<recipient@externaldomain> proto=ESMTP helo=<localdomain>
    Feb  3 11:14:27 server postfix/smtpd[3103932]: NOQUEUE: reject: RCPT from localhost[::1]: 550 5.1.0 <sender@localdomain>: Sender address rejected: User unknown in virtual mailbox table; from=<sender@localdomain> to=<recipient@externaldomain> proto=ESMTP helo=<localdomain>
    Feb  3 11:14:27 server postfix/smtpd[3103932]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=4/6
    When I run "postmap -q sender@localdomain mysql:/etc/postfix/mysql-virtual_mailboxes.cf" I get this:
    localdomain/sender/

    But when I run "postmap -q sender@localdomain mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf" I get nothing.
     
    Last edited: Feb 3, 2021
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    @Paulmw, try editing mysql-virtual_email2email.cf and change both instances of `postfix' = 'y'` to `disablesmtp = 'n'` (https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1402/diffs) - do you then see the expected behavior?
     
    Last edited: Feb 3, 2021
  11. Paulmw

    Paulmw New Member

    Thanks for the reply,

    I changed my copy of that file to this:
    Code:
    query = SELECT email FROM mail_user WHERE email = '%s' AND forward_in_lda = 'n' AND disabledeliver = 'n' AND disablesmtp = 'n' AND server_id = 1
               AND EXISTS (SELECT domain_id FROM mail_domain WHERE domain = SUBSTRING_INDEX('%s', '@', -1) AND active = 'y' AND server_id = 1)
            UNION
            SELECT cc AS email FROM mail_user WHERE email = '%s' AND cc != '' AND (forward_in_lda = 'n' OR disabledeliver = 'y') AND disablesmtp = 'n' AND server_id = 1
               AND EXISTS (SELECT domain_id FROM mail_domain WHERE domain = SUBSTRING_INDEX('%s', '@', -1) AND active = 'y' AND server_id = 1)
    Enabled smtpd_reject_unlisted_sender again in main.cf and reloaded postfix.

    Unfortunately I still get the same response from both postmap queries and trying to send from one of my affected mailboxes gives the same error as above. I restarted postfix just in case but it didn't help. I'm on ISPConfig 3.2.2. This particular server used to be on a dev branch at one point though, I don't know if that's a possible problem. I'm in the process of standing up another mail server that I'm going to add to this cluster in the next few hours from the stable branch so I can use that to test when it's ready.
     
  12. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That is expected, as you didn't change either of the queried files; if you query for the sender address using mysql-virtual_email2email.cf, it should now have a response where before your changes it did not.

    You might verify you don't have 'disable sending' set for the mailbox.
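
Added example, not part of the thread or of ISPConfig's code: it runs the mysql-virtual_email2email.cf query posted above, and its `postfix = 'y'` form before the edit, against a constructed in-memory table to show which sender addresses each variant returns to a lookup such as `postmap -q`. The SQLite stand-in, the sample rows, the table layout beyond the columns named in the query, and the reading of `postfix` as "Enable receiving" and `disablesmtp` as "disable sending" are assumptions.

```python
import sqlite3

# Query as posted in the thread (after the edit); Postfix's '%s' placeholder
# is replaced by the named parameter :a so sqlite3 can bind the address.
NEW_QUERY = """
SELECT email FROM mail_user WHERE email = :a AND forward_in_lda = 'n'
   AND disabledeliver = 'n' AND disablesmtp = 'n' AND server_id = 1
   AND EXISTS (SELECT domain_id FROM mail_domain WHERE domain =
               SUBSTRING_INDEX(:a, '@', -1) AND active = 'y' AND server_id = 1)
UNION
SELECT cc AS email FROM mail_user WHERE email = :a AND cc != ''
   AND (forward_in_lda = 'n' OR disabledeliver = 'y')
   AND disablesmtp = 'n' AND server_id = 1
   AND EXISTS (SELECT domain_id FROM mail_domain WHERE domain =
               SUBSTRING_INDEX(:a, '@', -1) AND active = 'y' AND server_id = 1)
"""
# Form before the edit, reconstructed by reversing the change from the thread.
OLD_QUERY = NEW_QUERY.replace("disablesmtp = 'n'", "postfix = 'y'")


def substring_index(value, delim, count):
    """Minimal stand-in for MySQL's SUBSTRING_INDEX (SQLite has none)."""
    if count == 0:
        return ""
    parts = value.split(delim)
    return delim.join(parts[:count] if count > 0 else parts[count:])


def build_db():
    """Constructed sample data; column meanings are assumptions."""
    db = sqlite3.connect(":memory:")
    db.create_function("SUBSTRING_INDEX", 3, substring_index)
    db.executescript("""
        CREATE TABLE mail_domain (domain_id INTEGER PRIMARY KEY, domain TEXT,
                                  active TEXT, server_id INTEGER);
        CREATE TABLE mail_user (email TEXT, postfix TEXT, disablesmtp TEXT,
                                disabledeliver TEXT, forward_in_lda TEXT,
                                cc TEXT, server_id INTEGER);
        INSERT INTO mail_domain VALUES (1, 'example.test', 'y', 1);
        -- send-only account: receiving off, sending allowed
        INSERT INTO mail_user VALUES ('scanner@example.test','n','n','n','n','',1);
        -- ordinary mailbox
        INSERT INTO mail_user VALUES ('user@example.test','y','n','n','n','',1);
        -- receiving on, sending disabled
        INSERT INTO mail_user VALUES ('blocked@example.test','y','y','n','n','',1);
    """)
    return db


def lookup(db, query, address):
    """Return the addresses the map would hand back for one lookup key."""
    return [row[0] for row in db.execute(query, {"a": address})]


if __name__ == "__main__":
    db = build_db()
    for addr in ("scanner", "user", "blocked"):
        key = addr + "@example.test"
        print(key, "old:", lookup(db, OLD_QUERY, key),
              "new:", lookup(db, NEW_QUERY, key))
```

An empty result for the send-only account under the old query is the same "nothing returned" that the postmap test in the thread is meant to reveal; the example only models this one map, not the other maps listed in main.cf.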
     
