Sender address rejected: User unknown in virtual mailbox table; from=<[email protected]

Create the mailbox [email protected] for those domains that send using that address, or disable smtpd_reject_unlisted_sender.

 

You can use a custom template and put it in conf-custom, but if the template has important changes you will have to do manual changes anyway - keep that in mind.

 

The [email protected] address should always exist if you follow the RFC (just a note). You can send using a different address that exists, and, most importantly, if this is incoming mail, the address should exist otherwise it is rejected.

 

So two ready solutions are to create the address or send from a different one that does exist (set sendmail_path in php directives).

Seems that would almost be worth a setting in the site for the email address to use (default to webmaster); might be there an existing issue for that?

 

External servers would be unaffected by that setting. It certainly shouldn't be up to a customer if your mail server should allow sending from invalid addresses, that's an administrator/policy decision. Spammers would prefer you disable it, though.

 

See https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4573

 

No, there is not, and you can read the discussion on it there.

According to the RFC (haven't got the exact doc at hand) every domain should have a [email protected], [email protected], etc address.

 

That is the case. Or disable the setting in postfix.

 

If you send authenticated using a single sasl login for your entire web server, you will need to adjust smtpd_sender_login_maps on the mail server to allow that address to use/forge all of your domain addrs.

If you put your webserver address in mynetworks you should be allowed to send from addresses that do not exist as previously (that is what you're wanting?)

I've been thinking a little about what good solutions would be for this, so this is jotting some thoughts down for discussion.

The 3.2.x changes make it so you can't send unauthenticated mail claiming to be from non-existent local domain addresses; this seems like a good and reasonable thing to do; so, if an option were added to set "smtpd_reject_unlisted_sender = no" defaulting to off (ie. maintain 3.2.2 behavior) would probably be good.

Such a setting could even be a select list to allow (with better verbage for the choices) "always yes", "yes, but allow overrides", "no, but allow overrides" and "always no". Either of the two middle options would allow clients to choose per email domain if spoofing non-existent addresses for the domain should be allowed. It would be a little more work, but we could have a select list for "yes", "no" and "only specified addresses" and let the client enter a limited set of sender addresses that bypass reject_unlisted_sender.

Moving mysql-virtual_sender.cf ahead of 'reject_sender_login_mismatch' in smtpd_sender_restrictions might make sense, either on it's own or as part of the behavior of the preceding setting. Doing so would allow the admin (not client) to add sender addresses which are exempt from both reject_sender_login_mismatch and permit_sasl_authenticated tests (so anyone on the internet could send from those addresses, too). (This isn't the same "unlisted sender" issue as above, but is quick/simple and could have some use cases.)

Adding a means to manually add/manage smtpd_sender_login_maps entries could be done. This would cover the "entire web server uses single sasl account" scenario above, and also let an admin (or client?) specify an address (ie. sasl username) that can spoof mail (for a specific domain if added by the client, and optionally for any domain if added by the admin).

 

Individual addresses can already be handled via mail alias/forwards (with allow_send_as field) and mail_user's (auth as cc address, with delivery disabled); I believe the only piece that is missing is specifying a sender for an entire domain. Simply adding a field to the catchall ui to set the allow_send_as flag for catchall addresses should allow this to work.

Something like this seems pretty doable. The postfix whitelist is currently only available for the admin, but with a little work it could function for clients as well. It should do the same thing as a client but only allow Sender and Recipient types, and only accept addresses which belong to one of the client's mail domains. Admin could still add Client ip addrs, and enter arbitrary addresses.

There would be a new lookup table (or maybe two, one before and one after permit_sasl_authenticated) to output the appropriate response ('reject_unlisted_sender', 'reject_sender_login_mismatch' or nothing) according to whitelist addrs and domain/server settings.

 

Not quite done, but underway: https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1390