Sender address rejected: User unknown in virtual mailbox table; from=<[email protected]

Discussion in 'Installation/Configuration' started by Steffan, Dec 24, 2020.

  1. Steffan

    Steffan Member

    Multiserver setup ispconfig 3.2.1
    After upgrading the mailserver all emails from websites comming from the webserver are blocked
    Sender address rejected: User unknown in virtual mailbox table; from=<[email protected]

    This worked before.
    Any idees what the update kan have cjhanged?
     
  2. Steffan

    Steffan Member

    hm
    smtpd_reject_unlisted_sender = yes
    Is what blokking the emails from local domains.
    ispconfig is using the default [email protected] adress for php
    So how to prevent this in the future?
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Create the mailbox [email protected] for those domains that send using that address, or disable smtpd_reject_unlisted_sender.
     
  4. Steffan

    Steffan Member

    creating it is not an option.
    there is no way for me to tell with client is using php forms
    And ispconfig is prefenting the fifth argumant to use in forms..

    How to prevent smtpd_reject_unlisted_sender. being added in a future update?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can use a custom template and put it in conf-custom, but if the template has important changes you will have to do manual changes anyway - keep that in mind.
     
  6. Steffan

    Steffan Member

    but.

    Any costumer using ispconfig wil have the same problem as that i have with php forms.
    so is everybody adding manualy [email protected] as a alias email??
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The [email protected] address should always exist if you follow the RFC (just a note). You can send using a different address that exists, and, most importantly, if this is incoming mail, the address should exist otherwise it is rejected.
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So two ready solutions are to create the address or send from a different one that does exist (set sendmail_path in php directives).

    Seems that would almost be worth a setting in the site for the email address to use (default to webmaster); might be there an existing issue for that?
     
    Last edited: Jan 11, 2021
  9. SupuS

    SupuS Member HowtoForge Supporter

    Hi,
    I faced the same problem after upgrading to 3.2.2 on our multisterver setup yesterday. Removing
    Code:
    smtpd_reject_unlisted_sender = yes
    in /etc/postfix/main.cf solved this problem.

    This option should be optional because it caused undeliverability of mails on some wordpress and prestashop installations with using php mail().

    Set some existing mail in sendmail_path is an option but what about customers which use external mail server? And how to set it? Will it be available as option for customers in ispconfig?
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    External servers would be unaffected by that setting. It certainly shouldn't be up to a customer if your mail server should allow sending from invalid addresses, that's an administrator/policy decision. Spammers would prefer you disable it, though. :)
     
  11. Steffan

    Steffan Member

    so but the defaulkt behaviur of ISPconfig is to create [email protected] for every new website
    So that mean that you allways have to create manualy a [email protected] for every domain on a multi server setup.
    Is there no way that ISPCONFIG saves this to the database directly??
    everybody with a multiserver setup will have the same problem, or there is something wrong in my config...

    even when relay the email from the websrver to the mailserver the emails are getting blocked
    also the webserver is in the local network ipadres range

    relayhost = mail01.xxx.com
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    See https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4573
     
  13. Steffan

    Steffan Member

    so what you mean is that there is a fix on his way?
    the ticket is 3 months old.
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, there is not, and you can read the discussion on it there.

    According to the RFC (haven't got the exact doc at hand) every domain should have a [email protected], [email protected], etc address.
     
  15. Steffan

    Steffan Member

    yes... so now with the New update all costumers have to manualy add the [email protected] adress thais is used by ispconfig for php...
     
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    That is the case. Or disable the setting in postfix.
     
  17. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If you send authenticated using a single sasl login for your entire web server, you will need to adjust smtpd_sender_login_maps on the mail server to allow that address to use/forge all of your domain addrs.

    If you put your webserver address in mynetworks you should be allowed to send from addresses that do not exist as previously (that is what you're wanting?)

    I've been thinking a little about what good solutions would be for this, so this is jotting some thoughts down for discussion.

    The 3.2.x changes make it so you can't send unauthenticated mail claiming to be from non-existent local domain addresses; this seems like a good and reasonable thing to do; so, if an option were added to set "smtpd_reject_unlisted_sender = no" defaulting to off (ie. maintain 3.2.2 behavior) would probably be good.

    Such a setting could even be a select list to allow (with better verbage for the choices) "always yes", "yes, but allow overrides", "no, but allow overrides" and "always no". Either of the two middle options would allow clients to choose per email domain if spoofing non-existent addresses for the domain should be allowed. It would be a little more work, but we could have a select list for "yes", "no" and "only specified addresses" and let the client enter a limited set of sender addresses that bypass reject_unlisted_sender.

    Moving mysql-virtual_sender.cf ahead of 'reject_sender_login_mismatch' in smtpd_sender_restrictions might make sense, either on it's own or as part of the behavior of the preceding setting. Doing so would allow the admin (not client) to add sender addresses which are exempt from both reject_sender_login_mismatch and permit_sasl_authenticated tests (so anyone on the internet could send from those addresses, too). (This isn't the same "unlisted sender" issue as above, but is quick/simple and could have some use cases.)

    Adding a means to manually add/manage smtpd_sender_login_maps entries could be done. This would cover the "entire web server uses single sasl account" scenario above, and also let an admin (or client?) specify an address (ie. sasl username) that can spoof mail (for a specific domain if added by the client, and optionally for any domain if added by the admin).
     
  18. Steffan

    Steffan Member

    if have tested some settings i found out that you can bypass the settings if it is in mynetwork

    Instead of making this a global directive, place reject_unlisted_sender in smtpd_sender_restrictions (it must appear after permit_mynetworks and permit_sasl_authenticated, if you used that).

    Now you can add the sender's IP address to mynetworks = to whitelist it and cause it to bypass this check.

    An example from my live mail server:

    smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
     
    Jesse Norell likes this.
  19. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Individual addresses can already be handled via mail alias/forwards (with allow_send_as field) and mail_user's (auth as cc address, with delivery disabled); I believe the only piece that is missing is specifying a sender for an entire domain. Simply adding a field to the catchall ui to set the allow_send_as flag for catchall addresses should allow this to work.

    Something like this seems pretty doable. The postfix whitelist is currently only available for the admin, but with a little work it could function for clients as well. It should do the same thing as a client but only allow Sender and Recipient types, and only accept addresses which belong to one of the client's mail domains. Admin could still add Client ip addrs, and enter arbitrary addresses.

    There would be a new lookup table (or maybe two, one before and one after permit_sasl_authenticated) to output the appropriate response ('reject_unlisted_sender', 'reject_sender_login_mismatch' or nothing) according to whitelist addrs and domain/server settings.
     
  20. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

Share This Page