Hi, i have a weird error with the current setup. The server was freshly setup one week ago with 3.1.15p2 on Debian Buster with rspamd config. Issue: Customer 1 (c1@example.net) sends and E-Mail to Customer 2 (c2@example.com) (both handled on the same email server). c2@example.com is a forwarder to sth.else@example.com When an email to c2@example.com is send from outside, the email is correctly delivered to sth.else@example.com When c1@example.net sends an email to c2@example.com, both handled on the same server i get the error "user unknown": Code: Nov 12 17:08:40 mail01 postfix/smtpd[14085]: 1B2B832509: client=unknown[x.x.x.x], sasl_method=PLAIN, [email protected] Nov 12 17:08:40 mail01 postfix/cleanup[14090]: 1B2B832509: message-id=<[email protected]> Nov 12 17:08:40 mail01 postfix/qmgr[14024]: 1B2B832509: from=<[email protected]>, size=766, nrcpt=1 (queue active) Nov 12 17:08:40 mail01 postfix/pipe[14091]: 1B2B832509: to=<[email protected]>, relay=dovecot, delay=0.1, delays=0.06/0.01/0/0.02, dsn=5.1.1, status=bounced (user unknown) Nov 12 17:08:40 mail01 postfix/cleanup[14090]: 2B99A32335: message-id=<[email protected]> Nov 12 17:08:40 mail01 postfix/bounce[14093]: 1B2B832509: sender non-delivery notification: 2B99A32335 Nov 12 17:08:40 mail01 postfix/qmgr[14024]: 1B2B832509: removed As i said, emails, which are send from outside are correctly delivered. Both domains are not configured as mydestination. postconf -n Code: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no body_checks = regexp:/etc/postfix/body_checks bounce_template_file = /etc/postfix/bounce.de-de.cf broken_sasl_auth_clients = yes compatibility_level = 2 delay_warning_time = 1h dovecot_destination_recipient_limit = 1 greylisting = check_policy_service inet:127.0.0.1:10023 header_checks = regexp:/etc/postfix/header_checks html_directory = /usr/share/doc/postfix/html inet_interfaces = localhost, w.x.y.z inet_protocols = ipv4 mailbox_size_limit = 0 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 message_size_limit = 0 milter_default_action = accept milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_protocol = 6 mime_header_checks = regexp:/etc/postfix/mime_header_checks mydestination = mail01.XXXXXX.host, mail.XXXXXX.net, localhost, localhost.localdomain myhostname = mail.XXXXXX.net mynetworks = /etc/postfix/mynetworks myorigin = mail.XXXXXX.net nested_header_checks = regexp:/etc/postfix/nested_header_checks non_smtpd_milters = inet:localhost:11332 owner_request_special = no proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps readme_directory = /usr/share/doc/postfix receive_override_options = no_address_mappings recipient_delimiter = + relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf relayhost = mail-outbound.XXXXXX.host:26 sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf sender_dependent_relayhost_maps = hash:/etc/postfix/relay_maps smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_CApath = /etc/ssl/certs smtp_tls_ciphers = medium smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2 smtp_tls_mandatory_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3 smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = mail.XXXXXX.net ESMTP Postfix smtpd_client_message_rate_limit = 100 smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_helo_required = yes smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo smtpd_milters = inet:localhost:11332 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client bl.score.senderscore.com, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client b.barracudacentral.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf smtpd_relay_restrictions = $smtpd_recipient_restrictions smtpd_restriction_classes = greylisting smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf smtpd_sender_restrictions = reject_unlisted_sender, reject_unknown_sender_domain, check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re smtpd_tls_ask_ccert = yes smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/ssl/mail01.XXXXXX.net/cert.pem smtpd_tls_ciphers = medium smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem smtpd_tls_eecdh_grade = strong smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2 smtpd_tls_key_file = /etc/ssl/mail01.XXXXXX.net/privkey.pem smtpd_tls_loglevel = 1 smtpd_tls_mandatory_ciphers = medium smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes tls_random_source = dev:/dev/urandom transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf virtual_alias_domains = virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf virtual_mailbox_base = /var/vmail virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_transport = dovecot virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf Does anyone have an idea ?
That would have been my first guess. Is on of the domains listed in /etc/mailname or /etc/hosts ? http://www.postfix.org/DEBUG_README.html
Can you please post your master.cf and /etc/postfix/relay_maps. What port did [email protected] send from (25, 465 or 587)?
Hi, mails are ususally send through submission, Port 587 master.cf Code: smtp inet n - y - - smtpd submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - y 1000? 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounce unix - - y - 0 bounce defer unix - - y - 0 bounce trace unix - - y - 0 bounce verify unix - - y - 1 verify flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - y - - smtp relay unix - - y - - smtp -o syslog_name=postfix/$service_name # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - y - - showq error unix - - y - - error retry unix - - y - - error discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scache unix - - y - 1 scache postlog unix-dgram n - n - 1 postlogd maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail [email protected] argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} x.x.x.x:smtp inet n - n - - smtpd -o content_filter= -o syslog_name=postfix/smtp/office365 -o smtpd_restriction_classes= -o smtpd_client_restrictions=check_client_access,hash:/etc/postfix/access -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/access,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unknown_client,reject_unauth_destination,reject_unverified_recipient,permit_mynetworks,reject -o smtpd_relay_restrictions=check_client_access,hash:/etc/postfix/access,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unknown_client,reject_unauth_destination,reject_unverified_recipient,permit_mynetworks,reject -o strict_rfc821_envelopes=yes -o receive_override_options=no_header_body_checks -o smtp_send_xforward_command=yes -o milter_default_action=accept -o milter_macro_daemon_name=ORIGINATING -o disable_dns_lookups=yes -o sender_dependent_relayhost_maps= -o myhostname=office365-gateway.xxxxx.net -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt -o smtp_tls_CApath=/etc/ssl/certs -o smtpd_tls_cert_file=/etc/ssl/mail01.XXXXXX.net/fullchain.pem -o smtpd_tls_key_file=/etc/ssl/mail01.XXXXXX.net/privkey.pem -o smtpd_use_tls=yes -o smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache -o smtpd_tls_security_level=may -o smtpd_tls_dh1024_param_file=/etc/postfix/dh2048.pem -o smtpd_tls_dh512_param_file=/etc/postfix/dh512.pem -o smtpd_milters= -o non_smtpd_milters= y.y.y.y:submission inet n - y - - smtpd -o content_filter= -o syslog_name=postfix/submission/spamcloud -o smtpd_restriction_classes= -o smtpd_tls_security_level=encrypt -o smtpd_client_restrictions=check_client_access,hash:/etc/postfix/access,permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/access,permit_mynetworks,reject -o smtpd_relay_restrictions=check_client_access,hash:/etc/postfix/access,permit_mynetworks,reject -o strict_rfc821_envelopes=yes -o receive_override_options=no_header_body_checks -o smtp_send_xforward_command=yes -o milter_default_action=accept -o milter_macro_daemon_name=ORIGINATING -o disable_dns_lookups=yes -o sender_dependent_relayhost_maps= -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt -o smtp_tls_CApath=/etc/ssl/certs -o smtpd_tls_cert_file=/etc/ssl/mail01.XXXXXX.net/fullchain.pem -o smtpd_tls_key_file=/etc/ssl/mail01.XXXXXX.net/privkey.pem -o smtpd_use_tls=yes -o smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache -o smtpd_tls_security_level=may -o smtpd_tls_dh1024_param_file=/etc/postfix/dh2048.pem -o smtpd_tls_dh512_param_file=/etc/postfix/dh512.pem -o myhostname=spamcloud-gateway.xxxx.net -o smtpd_milters= -o non_smtpd_milters= 172.16.19.102:submission inet n - y - - smtpd -o content_filter= -o syslog_name=postfix/submission/proxmox -o smtpd_restriction_classes= -o smtpd_tls_security_level=encrypt -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_relay_restrictions=permit_mynetworks,reject -o strict_rfc821_envelopes=yes -o receive_override_options=no_header_body_checks -o smtp_send_xforward_command=yes -o milter_default_action=accept -o milter_macro_daemon_name=ORIGINATING -o disable_dns_lookups=yes -o sender_dependent_relayhost_maps= -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt -o smtp_tls_CApath=/etc/ssl/certs -o smtpd_tls_cert_file=/etc/ssl/mail01.XXXXXX.net/fullchain.pem -o smtpd_tls_key_file=/etc/ssl/mail01.XXXXXX.net/privkey.pem -o smtpd_use_tls=yes -o smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache -o smtpd_tls_security_level=may -o smtpd_tls_dh1024_param_file=/etc/postfix/dh2048.pem -o smtpd_tls_dh512_param_file=/etc/postfix/dh512.pem -o myhostname=mail01.xxxxx.net -o smtpd_milters= -o non_smtpd_milters= relay_maps relay maps are used to connect domains with office365 in a hybrid mode. Some Accounts are on office365, some in ispconfig. With the Exchange connector setting, i can send emails through office365 Upfront: both domains (example.net and example.com are not listed in the relay_maps) Code: @domain1.de [domain1.mail.protection.outlook.com]:25 @domain2.de [domain2.mail.protection.outlook.com]:25 @domain3.de [domain3.mail.protection.outlook.com]:25
I suspect in the logs you posted above that it was a port 25 connection, as all your 587 ('submission') entries in main.cf have a syslog_name which does not show in your log example: So to clarify, `[email protected]` created under 'Email Forward' and `[email protected]` is a 'Email Mailbox' ? Then `postmap -q [email protected] proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf` returns `[email protected]`, `postmap -q example.com proxy:mysql:/etc/postfix/mysql-virtual_domains.cf` returns `example.com`, and `postmap -q [email protected] proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf` returns `example.com/sth.else` ? Right offhand I don't see where the problem is. Turn up verbosity, and enable debugging as @Steini86 indicated. See the debugging section of http://www.postfix.org/ADDRESS_REWRITING_README.html too. Clarify for certain what ip address and port the client is connecting to (though from what I see, it should be port 25 on any address except x.x.x.x).
First, my exmaple was wrong! sorry for it. Port 587 was used. Code: Nov 12 15:19:29 mail01 postfix/submission/smtpd[32740]: 7477631A72: client=176.198.0.0, sasl_method=PLAIN, [email protected] Answer for all 4 questions -> YES The weird thing is, that the same setup worked on the previous server, totally weird. I'll check if i find sth. with the debug.
@Jesse Norell The reason was: receive_override_options = no_address_mappings after i disabled this line, everything works again like a chram. BUT: This option comes from the standard ispconfig configuration. I guess the option is necessary when the server uses amavis as content_filter, because before filtering, no mapping should happen. But rspamd is connected as milter, not as content_filter. So i'm not sure if this is a bug which comes with the 3.1.15 config or if postfix still behaves wrongly. On the old setup (with amavis) this option was set as well, and the server worked for 3 years. ? @till - maybe sth. you know ? Is this option relevant when rspamd is in place ? Best, Andre
That sounds correct to me, that when using a content filter (amavis), the address mappings happen downstream of the filter (port 10025 or 10027), and removing that setting for a milter (rspamd) is the solution. The one thing that doesn't add up is that you claim different behavior for emails which are sent from outside (which normally means anonymous delivery to port 25) than what your clients saw sending on port 587; from my look at your config, both should behave the same in that respect. You would have different behavior for the smtpd listeners postfix/smtp/office365, postfix/submission/spamcloud and postfix/submission/proxmox, but not from general "outside" mail traffic. Or perhaps all your "outside" mail is delivered to those specially configured listeners, and there is no "outside" mail in the usual meaning of anonymous delivery to port 25?
@aballi2, could you respond to https://git.ispconfig.org/ispconfig/ispconfig3/issues/5453#note_69334 (ie. how/when did you set rspamd as the content_filter)? (response here is fine if you don't have a gitlab account)