help me understand mysql-verify_recipients.cf

ispconfig_update.sh generates this file and adds it to "smtpd_recipient_restrictions". Can you please explain the logic behind this?

I don't understand this SQL query, the column "reject_unverified_recipient" does not exist in the table "mail_domain".

Code:

query = SELECT 'reject_unverified_recipient' FROM mail_domain WHERE domain = '%s' AND active = 'y' AND server_id = 1

I'm running:
Ubuntu 20.04.6 + Postfix, Dovecot, Amavisd, Sieve
Ispconfig 3.3.1

 

I see, thanks for the clarification. If I understand it correctly now, it means that every active mail_domain returns this string to postfix and postfix refuses to accept email for all active domains. I'm probably missing the point. Can you please help me understand the full meaning of this entry in smtpd_recipient_restrictions?

This is what is generated by ispconfig_update.sh:

Code:

smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status

And this is what works for me and server accept emails:

Code:

smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status

 

Thanks for the comprehensive answer, I really appreciate it.

It's as you say, I'm using an older Ubuntu server 20.04.6 and an older Postfix 3.4.13. I am currently in the process of validating the server configuration before I start the upgrade process to Ubuntu 20.04 -> 22.04 -> 24.04.

However, the option "enable_original_recipient" can be enabled. I tested it and enabled the default "smtpd_recipient_restrictions"
values. Unfortunately, it didn't work as I imagined.

Code:

Jan 26 18:57:39 server01 postfix/smtps/smtpd[1443610]: NOQUEUE: filter: RCPT from [MY IPV6 IP]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<MY HELLO>
Jan 26 18:57:39 server01 postfix/smtps/smtpd[1443610]: NOQUEUE: reject: RCPT from [MY IPV6 IP]: 450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: host 127.0.0.1[127.0.0.1] said: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied (in reply to RCPT TO command); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<MY HELLO>

Do you have any idea what could be causing this?

 

Please correct me if my reasoning doesn’t make sense.

Based on the Postfix documentation https://www.postfix.org/postconf.5.html#reject_unverified_recipient, my understanding is this:

When Postfix receives the action reject_unverified_recipient, it triggers an address verification “probe”. This probe checks whether the recipient exists by sending a test RCPT TO to the backend/next hop for that address.

In an ISPConfig setup, that next hop is Amavis (because of the content_filter). Amavis has no logic to verify whether a mailbox exists, so it responds with a generic 554 Access denied. Postfix interprets this as a failed verification, which explains the “unverified recipient” errors in the logs.

Because of this, I believe the SQL query used by ISPConfig for reject_unverified_recipient is logically reversed. It currently returns reject_unverified_recipient for active domains, but according to the Postfix documentation, it would make more sense to me to return it only when the domain is inactive (e.g. AND active='n') or it doesn't exist in the table at all..

Another issue is that SASL clients are blocked before they have a chance to authenticate, because the verification happens too early in the restriction chain.

As for why this appears to “work” on newer systems: Newer versions of Postfix and Amavis behave differently — Postfix has a more tolerant verify engine and fallback logic, and Amavis responds differently to RCPT probes. So the same ISPConfig configuration behaves differently depending on the underlying Postfix/Amavis versions.

 

I am now trying to solve the situation using a custom template. I placed the file here "/usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master" and placed the modified smtpd_recipient_restrictions in it. However, every time I visit the UI
and server configuration and update ISPConfig, smtpd_recipient_restrictions are overwritten to the default value.

Code:

# You can use this file for custom Postfix settings. The used settings will overrule the settings set by ISPConfig.
# Use with caution!
# Put this file in /usr/local/ispconfig/server/conf-custom/install/ and make your changes there.
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status

Can you advise me how to officially override smtpd_recipient_restrictions using a custom template?

 

To test the functionality of this custom file "/usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master", I added other lines and values there. These are overwritten correctly, but "smtpd_recipient_restrictions" is never overwritten. The postfix plugin either ignores them or always overwrites them with default values.

Can someone please verify this?