ispconfig_update.sh generates this file and adds it to "smtpd_recipient_restrictions". Can you please explain the logic behind this? I don't understand this SQL query, the column "reject_unverified_recipient" does not exist in the table "mail_domain".
Code:
query = SELECT 'reject_unverified_recipient' FROM mail_domain WHERE domain = '%s' AND active = 'y' AND server_id = 1
I'm running: Ubuntu 20.04.6 + Postfix, Dovecot, Amavisd, Sieve
ISPConfig 3.3.1
This is not a column, it's a text string which gets returned. Columns in MySQL SQL are enclosed in backticks, text strings in quotes.
I see, thanks for the clarification. If I understand it correctly now, it means that every active mail_domain returns this string to postfix and postfix refuses to accept email for all active domains. I'm probably missing the point. Can you please help me understand the full meaning of this entry in smtpd_recipient_restrictions? This is what is generated by ispconfig_update.sh:
Code:
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
And this is what works for me, and the server accepts emails:
Code:
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
This is nothing new in ISPConfig 3.3.1. We have been using this in the Postfix setup for many years now, and it works fine. You might be using a very old Postfix version. In this case, you can try to run:
Code:
postconf -e 'enable_original_recipient = yes'
And then restore the original config to see if it works then. Or you keep your modified config as ISPConfig 3.3.1 requires Ubuntu 22.04 or later anyway, see release notes.
Thanks for the comprehensive answer, I really appreciate it. It's as you say, I'm using an older Ubuntu server 20.04.6 and an older Postfix 3.4.13. I am currently in the process of validating the server configuration before I start the upgrade process to Ubuntu 20.04 -> 22.04 -> 24.04. However, the option "enable_original_recipient" can be enabled. I tested it and enabled the default "smtpd_recipient_restrictions" values. Unfortunately, it didn't work as I imagined.
Code:
Jan 26 18:57:39 server01 postfix/smtps/smtpd[1443610]: NOQUEUE: filter: RCPT from [MY IPV6 IP]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<MY HELLO>
Jan 26 18:57:39 server01 postfix/smtps/smtpd[1443610]: NOQUEUE: reject: RCPT from [MY IPV6 IP]: 450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: host 127.0.0.1[127.0.0.1] said: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied (in reply to RCPT TO command); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<MY HELLO>
Do you have any idea what could be causing this?
Please correct me if my reasoning doesn’t make sense. Based on the Postfix documentation https://www.postfix.org/postconf.5.html#reject_unverified_recipient, my understanding is this:
When Postfix receives the action reject_unverified_recipient, it triggers an address verification “probe”. This probe checks whether the recipient exists by sending a test RCPT TO to the backend/next hop for that address. In an ISPConfig setup, that next hop is Amavis (because of the content_filter). Amavis has no logic to verify whether a mailbox exists, so it responds with a generic 554 Access denied. Postfix interprets this as a failed verification, which explains the “unverified recipient” errors in the logs.
Because of this, I believe the SQL query used by ISPConfig for reject_unverified_recipient is logically reversed. It currently returns reject_unverified_recipient for active domains, but according to the Postfix documentation, it would make more sense to me to return it only when the domain is inactive (e.g. AND active='n') or it doesn't exist in the table at all.
Another issue is that SASL clients are blocked before they have a chance to authenticate, because the verification happens too early in the restriction chain.
As for why this appears to “work” on newer systems: Newer versions of Postfix and Amavis behave differently — Postfix has a more tolerant verify engine and fallback logic, and Amavis responds differently to RCPT probes. So the same ISPConfig configuration behaves differently depending on the underlying Postfix/Amavis versions.
I am now trying to solve the situation using a custom template. I placed the file here "/usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master" and placed the modified smtpd_recipient_restrictions in it. However, every time I visit the UI and server configuration and update ISPConfig, smtpd_recipient_restrictions are overwritten to the default value.
Code:
# You can use this file for custom Postfix settings. The used settings will overrule the settings set by ISPConfig.
# Use with caution!
# Put this file in /usr/local/ispconfig/server/conf-custom/install/ and make your changes there.
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
Can you advise me how to officially override smtpd_recipient_restrictions using a custom template?
To test the functionality of this custom file "/usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master", I added other lines and values there. These are overwritten correctly, but "smtpd_recipient_restrictions" is never overwritten. The postfix plugin either ignores them or always overwrites them with default values. Can someone please verify this?
We too had this problem. Analyzing the traffic on port 10025 with tcpdump, we found that the traffic started from the local IP (ex: 10.1.1.250) and not from 127.0.0.1. This is due to our specific local network configuration and perimeter firewall rules, so we have set a dedicated VIP IP on the server that is different from the real local network IP. To manage the outgoing SMTP connection we had set the bind with the VIP IP in master.cf, adding '-o smtp_bind_address=10.1.1.250' to the smtp session. This change caused the "Access Denied" error, due to the restriction '-o mynetworks=127.0.0.1/8' configured for the 10025 session in master.cf. We fixed this issue by adding the server's VIP IP to the mynetworks option for ports 10025 and 10027 in master.cf (-o mynetworks=127.0.0.0/8,10.1.1.250). Now all works fine.
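The check described in the post above, written out as an added example (not code from the post or from ISPConfig): it reads master.cf-style text and reports listeners whose `-o mynetworks=` override does not contain the address the smtp client binds to. The fragment is constructed, and the function names and the assumption that those listeners only admit mynetworks are mine.

```python
import ipaddress
import re

# Constructed master.cf fragment: ports 10025/10027 and 10.1.1.250 come from the
# post above, the remaining lines are assumed for illustration.
SAMPLE_MASTER_CF = """\
smtp      unix  -       -       y       -       -       smtp
  -o smtp_bind_address=10.1.1.250
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o mynetworks=127.0.0.1/8
127.0.0.1:10027 inet n  -       n       -       -       smtpd
  -o mynetworks=127.0.0.0/8,10.1.1.250
"""

def parse_overrides(master_cf):
    """Map 'service/type' to the '-o name=value' overrides given for it."""
    services, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():               # a new service entry starts here
            fields = line.split()
            current = f"{fields[0]}/{fields[1]}"
            services[current] = {}
        if current is not None:
            for name, value in re.findall(r"-o\s+(\w+)=(\S*)", line):
                services[current][name] = value
    return services

def refused_listeners(master_cf, client="smtp/unix"):
    """List listeners whose mynetworks override excludes the client's bind address."""
    services = parse_overrides(master_cf)
    bind = services.get(client, {}).get("smtp_bind_address")
    if not bind:
        return []                               # no explicit source address to check
    source = ipaddress.ip_address(bind)
    refused = []
    for key, opts in services.items():
        if "mynetworks" not in opts:
            continue
        nets = []
        for item in filter(None, opts["mynetworks"].split(",")):
            try:                                # strict=False accepts 127.0.0.1/8
                nets.append(ipaddress.ip_network(item.strip("[]"), strict=False))
            except ValueError:
                pass                            # table lookups etc. are not evaluated
        if nets and not any(source in net for net in nets):
            refused.append(key)
    return refused
```

On a live server the same text can be fed in from the output of `postconf -M` plus the `-o` lines in master.cf.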
Thx @DarioL, thanks for the hint. I have a similar setup with VIP on the server including the bind address parameter. When you edited "mynetworks=127.0.0.0/8,10.1.1.250" for port 10025 and 10027, did it start working for you even with the default "smtpd_recipient_restrictions" setting generated by ISPConfig?
Code:
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
Today I finished upgrading the system to Ubuntu 24.04 + ISPConfig 3.3.1p1 and with the above configuration the emails are not coming in. Adding VIP to mynetworks in master.cf for ports 10025, 10027 did not help either. Anyone have any other ideas?
Example:
Code:
2026-06-21T16:06:57.792049+02:00 s1 postfix/smtpd[498011]: NOQUEUE: reject: RCPT from mxd.seznam.cz[77.75.78.210]: 450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: host 127.0.0.1[127.0.0.1] said: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied (in reply to RCPT TO command); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mxd.seznam.cz>
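A triage helper for reject lines of the shape quoted in this thread, as an added example that is not part of any post: it pulls out the host that answered the address-verification probe and its reply, and separates a policy refusal of the probe (5.7.x, "Access denied") from a reply saying the mailbox does not exist (5.1.1). The log lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on the rejects quoted in this thread;
# hostnames, addresses and PIDs are made up.
SAMPLE_LOG = """\
Jan 26 18:57:39 mx1 postfix/smtpd[1001]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <alice@example.org>: Recipient address rejected: unverified address: host 127.0.0.1[127.0.0.1] said: 554 5.7.1 <alice@example.org>: Recipient address rejected: Access denied (in reply to RCPT TO command); from=<bob@example.net> to=<alice@example.org> proto=ESMTP helo=<mail.example.net>
Jan 26 18:58:02 mx1 postfix/smtpd[1002]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <nobody@example.org>: Recipient address rejected: unverified address: host 127.0.0.1[127.0.0.1] said: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command); from=<bob@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
Jan 26 18:59:11 mx1 postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <x@elsewhere.test>: Relay access denied; from=<y@spam.test> to=<x@elsewhere.test> proto=ESMTP helo=<foo>
"""

VERIFY_REJECT = re.compile(
    r"reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) \S+ <(?P<recipient>[^>]*)>: "
    r"Recipient address rejected: unverified address: host (?P<probe_host>\S+) said: "
    r"(?P<down_code>\d{3}) (?P<down_dsn>\d\.\d+\.\d+) <[^>]*>: (?P<down_text>.*?) "
    r"\(in reply to (?P<stage>[A-Z ]+) command\)"
)

def classify(down_dsn, down_text):
    """Say what the downstream reply to the verification probe means."""
    if down_dsn == "5.1.1" or "User unknown" in down_text:
        return "recipient unknown"      # the mailbox really does not exist
    if down_dsn.startswith("5.7.") or "Access denied" in down_text:
        return "probe refused"          # policy refusal: check the hop, not the mailbox
    return "other"

def triage(log_text):
    """Return one dict per address-verification reject found in log_text."""
    rows = []
    for line in log_text.splitlines():
        m = VERIFY_REJECT.search(line)
        if m:
            row = m.groupdict()
            row["verdict"] = classify(row["down_dsn"], row["down_text"])
            rows.append(row)
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["recipient"], r["probe_host"], r["down_code"], r["down_dsn"], r["verdict"])
```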
As soon as I replace the "NEW" line from ispconfig with the "OK" line in main.cf, the emails start coming in. The problem is that ispconfig overwrites this line every time it upgrades and reconfigures services, and there is no way to apply it from the template.
Code:
#new
#smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
#ok
#smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
Then you have not made your changes in a proper update-safe way. You can override this using a master template in ISPConfig in conf-custom/install/ folder.
What exactly does update-safe way mean? I basically followed these instructions.
https://www.howtoforge.com/ubuntu-20-04-to-22-04-upgrade/
https://www.howtoforge.com/update-the-ispconfig-perfect-server-from-ubuntu-20-04-to-ubuntu-22-04/
https://www.howtoforge.com/ubuntu-22-04-to-24-04-upgrade/
https://www.howtoforge.com/update-the-ispconfig-perfect-server-from-ubuntu-22-04-to-ubuntu-24-04/
And I tried it with the template too. I've tried to explain it here before, but the "smtpd_recipient_restrictions" from the custom template never gets applied. The other lines do, but this one specific one doesn't.
Custom template location: /usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master
I would really like to set up Postfix and the mail server in general to match the default ispconfig configuration, but first I need to understand where the problem is.
I have resolved my problem by analyzing the TCP traffic on port 10025 when a client issues a RCPT command, using this command:
Code:
sudo tcpdump -nn -iany port 10025
Before that, you must remove /var/lib/postfix/verify_cache.db and restart postfix, or use a new local account that you have never used before. You can see which IP it used during communication. The "Access denied" error seems to be an access-denied problem that can occur for several reasons, in my case due to the restriction on the localhost IP 127.0.0.1.
Thanks for the help, I ended up with a different setup even though I had the same symptoms as you. Because I have multiple IPv4/6 IP addresses on one host, I had to specify the IP for the SMTP client. I set:
main.cf
Code:
smtp_bind_address = myipv4ip 4 mail server
smtp_bind_address6 = myipv6ip 4 mail server
master.cf
Code:
smtp unix - - y - - smtp
  -o smtp_bind_address6=myipv6ip 4 mail server
  -o smtp_bind_address=myipv4ip 4 mail server
  -o smtp_bind_address=127.0.0.1
From then on, the smtp client can access port 10025 from the 127.0.0.1 IP. Well I finally set "smtpd_recipient_restrictions" to ispconfig default value.
main.cf
Code:
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
I'm monitoring the server and so far everything seems to be working.