[SOLVED] Error virtual alias maps user unkown - postfix, rspamd, ispconfig 3.1.15p2

Discussion in 'Installation/Configuration' started by aballi2, Nov 12, 2019.

  1. aballi2

    aballi2 New Member

    Hi,
    i have a weird error with the current setup. The server was freshly setup one week ago with 3.1.15p2 on Debian Buster with rspamd config.
    Issue:
    When an email to [email protected]com is send from outside, the email is correctly delivered to [email protected]com
    When [email protected]net sends an email to [email protected]com, both handled on the same server i get the error "user unknown":

    Code:
    Nov 12 17:08:40 mail01 postfix/smtpd[14085]: 1B2B832509: client=unknown[x.x.x.x], sasl_method=PLAIN, [email protected]
    Nov 12 17:08:40 mail01 postfix/cleanup[14090]: 1B2B832509: message-id=<[email protected]>
    Nov 12 17:08:40 mail01 postfix/qmgr[14024]: 1B2B832509: from=<[email protected]>, size=766, nrcpt=1 (queue active)
    Nov 12 17:08:40 mail01 postfix/pipe[14091]: 1B2B832509: to=<[email protected]>, relay=dovecot, delay=0.1, delays=0.06/0.01/0/0.02, dsn=5.1.1, status=bounced (user unknown)
    Nov 12 17:08:40 mail01 postfix/cleanup[14090]: 2B99A32335: message-id=<[email protected]>
    Nov 12 17:08:40 mail01 postfix/bounce[14093]: 1B2B832509: sender non-delivery notification: 2B99A32335
    Nov 12 17:08:40 mail01 postfix/qmgr[14024]: 1B2B832509: removed
    As i said, emails, which are send from outside are correctly delivered.
    Both domains are not configured as mydestination.
    postconf -n
    Code:
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    bounce_template_file = /etc/postfix/bounce.de-de.cf
    broken_sasl_auth_clients = yes
    compatibility_level = 2
    delay_warning_time = 1h
    dovecot_destination_recipient_limit = 1
    greylisting = check_policy_service inet:127.0.0.1:10023
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = localhost, w.x.y.z
    inet_protocols = ipv4
    mailbox_size_limit = 0
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    message_size_limit = 0
    milter_default_action = accept
    milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
    milter_protocol = 6
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = mail01.XXXXXX.host, mail.XXXXXX.net, localhost, localhost.localdomain
    myhostname = mail.XXXXXX.net
    mynetworks = /etc/postfix/mynetworks
    myorigin = mail.XXXXXX.net
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    non_smtpd_milters = inet:localhost:11332
    owner_request_special = no
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    readme_directory = /usr/share/doc/postfix
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    relayhost = mail-outbound.XXXXXX.host:26
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    sender_dependent_relayhost_maps = hash:/etc/postfix/relay_maps
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_CApath = /etc/ssl/certs
    smtp_tls_ciphers = medium
    smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
    smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = mail.XXXXXX.net ESMTP Postfix
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_milters = inet:localhost:11332
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client bl.score.senderscore.com, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client b.barracudacentral.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    smtpd_relay_restrictions = $smtpd_recipient_restrictions
    smtpd_restriction_classes = greylisting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_sender_restrictions = reject_unlisted_sender, reject_unknown_sender_domain, check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_tls_ask_ccert = yes
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/ssl/mail01.XXXXXX.net/cert.pem
    smtpd_tls_ciphers = medium
    smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
    smtpd_tls_eecdh_grade = strong
    smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
    smtpd_tls_key_file = /etc/ssl/mail01.XXXXXX.net/privkey.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = dovecot
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    

    Does anyone have an idea ?
     
  2. Steini86

    Steini86 Active Member

    That would have been my first guess. Is on of the domains listed in /etc/mailname or /etc/hosts ?
    http://www.postfix.org/DEBUG_README.html
     
  3. Jesse Norell

    Jesse Norell Well-Known Member

    Can you please post your master.cf and /etc/postfix/relay_maps. What port did [email protected] send from (25, 465 or 587)?
     
  4. aballi2

    aballi2 New Member

    Hi,

    mails are ususally send through submission, Port 587
    master.cf
    Code:
    smtp      inet  n       -       y       -       -       smtpd
    submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #628       inet  n       -       y       -       -       qmqpd
    pickup    unix  n       -       y       60      1       pickup
    cleanup   unix  n       -       y       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       y       1000?   1       tlsmgr
    rewrite   unix  -       -       y       -       -       trivial-rewrite
    bounce    unix  -       -       y       -       0       bounce
    defer     unix  -       -       y       -       0       bounce
    trace     unix  -       -       y       -       0       bounce
    verify    unix  -       -       y       -       1       verify
    flush     unix  n       -       y       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       y       -       -       smtp
    relay     unix  -       -       y       -       -       smtp
            -o syslog_name=postfix/$service_name
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       y       -       -       showq
    error     unix  -       -       y       -       -       error
    retry     unix  -       -       y       -       -       error
    discard   unix  -       -       y       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       y       -       -       lmtp
    anvil     unix  -       -       y       -       1       anvil
    scache    unix  -       -       y       -       1       scache
    postlog   unix-dgram n  -       n       -       1       postlogd
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix   -   n   n   -   2   pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail:vmail [email protected] argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    
    x.x.x.x:smtp inet n - n - - smtpd
            -o content_filter=
            -o syslog_name=postfix/smtp/office365
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=check_client_access,hash:/etc/postfix/access
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/access,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unknown_client,reject_unauth_destination,reject_unverified_recipient,permit_mynetworks,reject
            -o smtpd_relay_restrictions=check_client_access,hash:/etc/postfix/access,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unknown_client,reject_unauth_destination,reject_unverified_recipient,permit_mynetworks,reject
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_header_body_checks
            -o smtp_send_xforward_command=yes
            -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
            -o sender_dependent_relayhost_maps=
            -o myhostname=office365-gateway.xxxxx.net
            -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
            -o smtp_tls_CApath=/etc/ssl/certs
            -o smtpd_tls_cert_file=/etc/ssl/mail01.XXXXXX.net/fullchain.pem
            -o smtpd_tls_key_file=/etc/ssl/mail01.XXXXXX.net/privkey.pem
            -o smtpd_use_tls=yes
            -o smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache
            -o smtpd_tls_security_level=may
            -o smtpd_tls_dh1024_param_file=/etc/postfix/dh2048.pem
            -o smtpd_tls_dh512_param_file=/etc/postfix/dh512.pem
       -o smtpd_milters=
       -o non_smtpd_milters=
    
    y.y.y.y:submission inet n - y - - smtpd
            -o content_filter=
            -o syslog_name=postfix/submission/spamcloud
            -o smtpd_restriction_classes=
            -o smtpd_tls_security_level=encrypt
            -o smtpd_client_restrictions=check_client_access,hash:/etc/postfix/access,permit_mynetworks,reject
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/access,permit_mynetworks,reject
            -o smtpd_relay_restrictions=check_client_access,hash:/etc/postfix/access,permit_mynetworks,reject
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_header_body_checks
            -o smtp_send_xforward_command=yes
            -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
            -o sender_dependent_relayhost_maps=
            -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
            -o smtp_tls_CApath=/etc/ssl/certs
            -o smtpd_tls_cert_file=/etc/ssl/mail01.XXXXXX.net/fullchain.pem
            -o smtpd_tls_key_file=/etc/ssl/mail01.XXXXXX.net/privkey.pem
            -o smtpd_use_tls=yes
            -o smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache
            -o smtpd_tls_security_level=may
            -o smtpd_tls_dh1024_param_file=/etc/postfix/dh2048.pem
            -o smtpd_tls_dh512_param_file=/etc/postfix/dh512.pem
            -o myhostname=spamcloud-gateway.xxxx.net
            -o smtpd_milters=
            -o non_smtpd_milters=
    
    172.16.19.102:submission inet n - y - - smtpd
            -o content_filter=
            -o syslog_name=postfix/submission/proxmox
            -o smtpd_restriction_classes=
            -o smtpd_tls_security_level=encrypt
            -o smtpd_client_restrictions=permit_mynetworks,reject
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_relay_restrictions=permit_mynetworks,reject
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_header_body_checks
            -o smtp_send_xforward_command=yes
            -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
            -o sender_dependent_relayhost_maps=
            -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
            -o smtp_tls_CApath=/etc/ssl/certs
            -o smtpd_tls_cert_file=/etc/ssl/mail01.XXXXXX.net/fullchain.pem
            -o smtpd_tls_key_file=/etc/ssl/mail01.XXXXXX.net/privkey.pem
            -o smtpd_use_tls=yes
            -o smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache
            -o smtpd_tls_security_level=may
            -o smtpd_tls_dh1024_param_file=/etc/postfix/dh2048.pem
            -o smtpd_tls_dh512_param_file=/etc/postfix/dh512.pem
            -o myhostname=mail01.xxxxx.net
            -o smtpd_milters=
            -o non_smtpd_milters=
    


    relay_maps
    relay maps are used to connect domains with office365 in a hybrid mode.
    Some Accounts are on office365, some in ispconfig. With the Exchange connector setting, i can send emails through office365
    Upfront: both domains (example.net and example.com are not listed in the relay_maps)
    Code:
    @domain1.de [domain1.mail.protection.outlook.com]:25
    @domain2.de [domain2.mail.protection.outlook.com]:25
    @domain3.de [domain3.mail.protection.outlook.com]:25
    
     
    Last edited: Nov 12, 2019
  5. Jesse Norell

    Jesse Norell Well-Known Member

    I suspect in the logs you posted above that it was a port 25 connection, as all your 587 ('submission') entries in main.cf have a syslog_name which does not show in your log example:
    So to clarify, `[email protected]` created under 'Email Forward' and `[email protected]` is a 'Email Mailbox' ? Then `postmap -q [email protected] proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf` returns `[email protected]`, `postmap -q example.com proxy:mysql:/etc/postfix/mysql-virtual_domains.cf` returns `example.com`, and `postmap -q [email protected] proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf` returns `example.com/sth.else` ?

    Right offhand I don't see where the problem is. Turn up verbosity, and enable debugging as @Steini86 indicated. See the debugging section of http://www.postfix.org/ADDRESS_REWRITING_README.html too. Clarify for certain what ip address and port the client is connecting to (though from what I see, it should be port 25 on any address except x.x.x.x).
     
  6. aballi2

    aballi2 New Member

    First, my exmaple was wrong! sorry for it. Port 587 was used.

    Code:
    Nov 12 15:19:29 mail01 postfix/submission/smtpd[32740]: 7477631A72: client=176.198.0.0, sasl_method=PLAIN, [email protected]
    
    Answer for all 4 questions
    -> YES
    The weird thing is, that the same setup worked on the previous server, totally weird. I'll check if i find sth. with the debug.
     
  7. aballi2

    aballi2 New Member

    @Jesse Norell
    The reason was:
    receive_override_options = no_address_mappings
    after i disabled this line, everything works again like a chram.

    BUT:
    This option comes from the standard ispconfig configuration.
    I guess the option is necessary when the server uses amavis as content_filter, because before filtering, no mapping should happen.
    But rspamd is connected as milter, not as content_filter. So i'm not sure if this is a bug which comes with the 3.1.15 config or if postfix still behaves wrongly. On the old setup (with amavis) this option was set as well, and the server worked for 3 years. ?

    @till - maybe sth. you know ? Is this option relevant when rspamd is in place ?

    Best, Andre
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess it should be removed for Rspamd indeed. Will check that.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

  10. aballi2

    aballi2 New Member

  11. Jesse Norell

    Jesse Norell Well-Known Member

    That sounds correct to me, that when using a content filter (amavis), the address mappings happen downstream of the filter (port 10025 or 10027), and removing that setting for a milter (rspamd) is the solution.

    The one thing that doesn't add up is that you claim different behavior for emails which are sent from outside (which normally means anonymous delivery to port 25) than what your clients saw sending on port 587; from my look at your config, both should behave the same in that respect. You would have different behavior for the smtpd listeners postfix/smtp/office365, postfix/submission/spamcloud and postfix/submission/proxmox, but not from general "outside" mail traffic. Or perhaps all your "outside" mail is delivered to those specially configured listeners, and there is no "outside" mail in the usual meaning of anonymous delivery to port 25?
     
  12. Jesse Norell

    Jesse Norell Well-Known Member

Share This Page