
I am currently trying to set up a mail server using postfix, dovecot, amavis, sqlite, etc.

Let's say I have: mydomain.com and mail.mydomain.com (MX record points here)

When sending an email to an external mail address (let's say mymail@gmail.com), postfix tries to find that email in the virtual mailbox database. (Before setting up the virtual mail system, I could send mail via the mail command.)

/var/log/mail.log:

Sep 12 12:34:11 mail postfix/submission/smtpd[7695]: initializing the server-side TLS engine
Sep 12 12:34:11 mail postfix/submission/smtpd[7695]: connect from unknown[myhomeip]
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: setting up TLS connection from unknown[myhomeip]
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: unknown[myhomeip]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL:!LOW:!EXP:!MEDIUM:!ADH:!AECDH:!MD5:!DSS:!ECDSA:!3DES:!DES:!eNULL:!RC4:!CBC3-SHA:!PSK"
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:before SSL initialization
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:before SSL initialization
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: unknown[myhomeip]: Decrypting session ticket, key expiration: 1631442310
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:SSLv3/TLS read client hello
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:SSLv3/TLS write server hello
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:SSLv3/TLS write change cipher spec
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:TLSv1.3 write encrypted extensions
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:SSLv3/TLS write finished
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:TLSv1.3 early data
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:TLSv1.3 early data
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: SSL_accept:SSLv3/TLS read finished
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: unknown[myhomeip]: Reusing old session (RFC 5077 session ticket)
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: Anonymous TLS connection established from unknown[myhomeip]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: 502B781E4E: client=unknown[myhomeip], sasl_method=PLAIN, sasl_username=testuser@mydomain.com
Sep 12 12:34:12 mail postfix/cleanup[7700]: 502B781E4E: message-id=<cc4bc968-343b-fb34-01c8-fd151dfd0e0d@mydomain.com>
Sep 12 12:34:12 mail postfix/qmgr[6826]: 502B781E4E: from=<testuser@mydomain.com>, size=330, nrcpt=1 (queue active)
Sep 12 12:34:12 mail postfix/submission/smtpd[7695]: disconnect from unknown[myhomeip] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 commands=7
Sep 12 12:34:12 mail dovecot: imap(testuser@mydomain.com)<7250><x83QYcnLPEhehlnC>: Connection closed (noop finished 0.207 secs ago) in=1695 out=5945 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=241 body_count=0 body_bytes=0
Sep 12 12:34:12 mail postfix/smtpd[7704]: initializing the server-side TLS engine
Sep 12 12:34:12 mail postfix/smtpd[7704]: connect from localhost[127.0.0.1]
Sep 12 12:34:12 mail postfix/smtpd[7704]: B4A9F81E73: client=localhost[127.0.0.1]
Sep 12 12:34:12 mail postfix/cleanup[7700]: B4A9F81E73: message-id=<cc4bc968-343b-fb34-01c8-fd151dfd0e0d@mydomain.com>
Sep 12 12:34:12 mail postfix/qmgr[6826]: B4A9F81E73: from=<testuser@mydomain.com>, size=780, nrcpt=1 (queue active)
Sep 12 12:34:12 mail postfix/smtpd[7704]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 12 12:34:12 mail amavis[847]: (00847-08) Passed CLEAN {RelayedOpenRelay}, [myhomeip]:18412 [myhomeip] <testuser@mydomain.com> -> <mymail@gmail.com>, Queue-ID: 502B781E4E, Message-ID: <cc4bc968-343b-fb34-01c8-fd151dfd0e0d@mydomain.com>, mail_id: thEgZdv5F-0T, Hits: 0.688, size: 330, queued_as: B4A9F81E73, 327 ms
Sep 12 12:34:12 mail postfix/lmtp[7701]: 502B781E4E: to=<mymail@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, delays=0.14/0.01/0.01/0.34, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B4A9F81E73)
Sep 12 12:34:12 mail postfix/qmgr[6826]: 502B781E4E: removed
Sep 12 12:34:12 mail postfix/virtual[7705]: B4A9F81E73: to=<mymail@gmail.com>, relay=virtual, delay=0.06, delays=0/0.03/0/0.02, dsn=5.1.1, status=bounced (unknown user: "mymail@gmail.com")
Sep 12 12:34:12 mail postfix/cleanup[7700]: C2D3C81E74: message-id=<20210912103412.C2D3C81E74@mail.mydomain.com>
Sep 12 12:34:12 mail postfix/qmgr[6826]: C2D3C81E74: from=<>, size=2692, nrcpt=1 (queue active)
Sep 12 12:34:12 mail postfix/bounce[7706]: B4A9F81E73: sender non-delivery notification: C2D3C81E74
Sep 12 12:34:12 mail postfix/qmgr[6826]: B4A9F81E73: removed
Sep 12 12:34:12 mail postfix/virtual[7705]: C2D3C81E74: to=<testuser@mydomain.com>, relay=virtual, delay=0.01, delays=0/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Sep 12 12:34:12 mail postfix/qmgr[6826]: C2D3C81E74: removed
Sep 12 12:34:19 mail dovecot: imap-login: Login: user=<testuser@mydomain.com>, method=PLAIN, rip=myhomeip, lip=myserverip, mpid=7712, TLS, session=<B00g5MnL7kdehlnC>

Notice the status=bounced unknown user in line 33. I also get this from the mailer-daemon: Diagnostic-Code: X-Postfix; unknown user: "mymail@gmail.com"

I can receive external email and I can receive/send email if I send from my domain to my domain.

My hostname is mail.mydomain.com

My hosts file:

127.0.0.1       localhost
127.0.1.1       mail.mydomain.com

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
myserverip    mydomain.com

SQL transport table content:

sqlite> SELECT * FROM transports;
mydomain.com|1001|virtual:

Output from postconf -n:

append_dot_mydomain = no
biff = no
compatibility_level = 2
content_filter = lmtp-amavis:[127.0.0.1]:10024
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mailbox_size_limit = 1024
masquerade_domains = $mydomain
mydestination = $mydomain, $myhostname, localhost.mydomain.com, localhost
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_exclude_ciphers = LOW, EXP
smtp_tls_loglevel = 2
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = reject_unknown_client_hostname
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/letsencrypt/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, 3DES, DES, eNULL, RC4, CBC3-SHA, PSK
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_preempt_cipherlist = yes
tls_ssl_options = NO_RENEGOTIATION
transport_maps = sqlite:/etc/postfix/sqlite_transports_maps.cf
virtual_alias_maps = sqlite:/etc/postfix/sqlite_virtual_alias_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /home/mail/
virtual_mailbox_maps = sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf
virtual_uid_maps = static:1001

/etc/mailname contains mydomain.com

Content of master.cf:

smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_recipient_restrictions=
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_wrappermode=yes
lmtp-amavis unix -      -       -       -       2       lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o max_use=20
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_delay_reject=no
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/header_checks
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

I already tried various mydestination settings.

Thanks for your help!

babulb
  • So what's the contents of `sqlite_virtual_mailbox_maps.cf` and `sqlite_virtual_alias_maps.cf`? At least tell us the query strings. // I fear the problem is that `virtual_mailbox_domains` or `virtual_alias_domains` query results in that gmail.com is a local virtual domain. So I'd double check against this hypothesis. – Nikita Kipriyanov Sep 12 '21 at 15:58
  • # cat /etc/postfix/sqlite_virtual_mailbox_maps.cf `dbpath = /etc/postfix/postfix.sqlite query = SELECT maildir FROM users WHERE email='%s'` # cat /etc/postfix/sqlite_virtual_alias_maps.cf `dbpath = /etc/postfix/postfix.sqlite query = SELECT email FROM aliases WHERE alias='%s'` – babulb Sep 12 '21 at 16:07
  • and the database itself: `# sqlite3 /etc/postfix/postfix.sqlite sqlite> .schema users CREATE TABLE users ( email TEXT PRIMARY KEY, password TEXT NOT NULL, realname TEXT, maildir TEXT NOT NULL, created DATETIME DEFAULT CURRENT_TIMESTAMP); sqlite> SELECT * FROM users; caesar@mydomain.com|{BLF-CRYPT}pwhash|JG Caesar|caesar/|2021-09-11 19:03:58 admin@mydomain.com|{BLF-CRYPT}pwhash|admin|admin/|2021-09-11 19:51:11` – babulb Sep 12 '21 at 16:08
  • I don't have `virtual_mailbox_domains` and `virtual_alias_domains` – babulb Sep 12 '21 at 16:11
  • `postmap -q caesar@mydomain.com sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf` returns admin/ ; so it seems to be working – babulb Sep 12 '21 at 16:15
  • I cannot see anything wrong with the query, however the verification I was suggesting would be to test whether your lookup returns false positives for domains *not* handled by your server. You already knew it works for *your* domain (you got your non-delivery notification delivered!) - my theory was that some lookup query (through a bad sql query or otherwise) returns unintended results for *other* domains. – anx Sep 12 '21 at 17:53
  • Also you can set up a higher debug level; the best is to add the testing peer (probably, localhost) into debug_peer_list in the main.cf. Then postfix adds logging by 2, and will log *a lot* more, basically telling you about every query it is doing, every result returned and every test it is doing, so you'd be able to understand what's going on. Don't leave it with this setup for a long time, the log with debug level +2 is very verbose. – Nikita Kipriyanov Sep 12 '21 at 18:00
  • @anx `postmap -q mymail@gmail.com sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf` returns nothing; there are only two users at the moment (see my comment about the database) so this is not surprising. @Nikita Kipriyanov I'll try that – babulb Sep 12 '21 at 18:17
  • @babulb Similar thing could have happened with domains looked up in `transport_maps`, check that one, too. – anx Sep 12 '21 at 18:19
  • @anx Holy ... you solved it; thanks so much, I was already looking for a whole day ... everything works now. I knew it was something really stupid. Basically I hardcoded my own domain in the table instead of %s (result can be seen below). `# sqlite3 /etc/postfix/postfix.sqlite sqlite> SELECT * FROM transports; mydomain.com|1001|virtual: # cat /etc/postfix/sqlite_transports_maps.cf dbpath = /etc/postfix/postfix.sqlite query = SELECT transport FROM transports WHERE domain = 'mydomain.com' # postmap -q mymail@gmail.com sqlite:/etc/postfix/sqlite_transports_maps.cf virtual:` – babulb Sep 12 '21 at 18:32
  • By the way, your `master.cf` has named 2 out of 4 smtpd instances using `syslog_name` - you can probably save yourself some headache if you put a suitable `-o syslog_name=..` line to your `10025` port as well, to make it more obvious in logs whether problems occur before or after *amavis* processing. – anx Sep 12 '21 at 18:32

1 Answer

Postfix might select virtual for domains it is not actually supposed to handle when one of your lookups returns a (any) result when it should not: a false positive.

It is likely transport_maps or virtual_mailbox_domains (defaults to deferring to virtual_mailbox_maps). You have proven this theory if both your domain and one that should in fact be relayed produce results from one of your configured lookups, e.g. try this:

postmap -q caesar@mydomain.example sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf
postmap -q outsider@other.example sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf
postmap -q @other.example sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf

postmap -q mydomain.example sqlite:/etc/postfix/sqlite_transports_maps.cf
postmap -q other.example sqlite:/etc/postfix/sqlite_transports_maps.cf

If you got results for both, take a stern look at the query, specifically the WHERE clause with the placeholder (starting with %) and determine why it returns more results for domains you have not explicitly put into your database. Returning the key itself or static results is common in Postfix so it does not trigger a warning; it is just not useful to your case.


I have not used Amavis this way, but I believe that overriding transports in Postfix is not needed for standard use cases such as this. Instead, use the fact that Postfix will check the respective transport_mailbox_domains lookups to determine which domains and mailboxes are transported how.

You may not need overriding transport for this, and will likely get a more flexible and less error-prone setup if you list your virtual domains in virtual_mailbox_domains instead of transport_maps and use the latter only for specific overrides.

anx
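The false-positive test from the answer, and the root cause babulb found in the comments (a hard-coded domain instead of the `%s` placeholder), reproduced offline as an added example; this is not the poster's or Postfix's own code. It assumes a constructed copy of the `transports` table and emulates the `sqlite:` `%s` substitution (sqlite_table(5)) and the transport_maps search order (transport(5): full address, domain, then `.parent` domains).

```python
import sqlite3

# Constructed sample of the poster's transports table (domain|uid|transport);
# not the poster's real /etc/postfix/postfix.sqlite.
SAMPLE_ROWS = [("mydomain.com", 1001, "virtual:")]

# The query as the poster had it (domain hard-coded, so it matches for ANY key)
# and the corrected form that substitutes the lookup key via %s.
BROKEN_QUERY = "SELECT transport FROM transports WHERE domain = 'mydomain.com'"
FIXED_QUERY = "SELECT transport FROM transports WHERE domain = '%s'"


def open_sample_db():
    """Build the in-memory sample table (constructed data, see SAMPLE_ROWS)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transports (domain TEXT PRIMARY KEY, uid INTEGER, transport TEXT)")
    conn.executemany("INSERT INTO transports VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def sqlite_lookup(conn, query_template, key):
    """Emulate one sqlite: table lookup as sqlite_table(5) describes it:
    %s is replaced by the SQL-quoted key, the first column of the first row
    is the result, and no row means 'not found' (None)."""
    sql = query_template.replace("%s", key.replace("'", "''"))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def transport_lookup(conn, query_template, address):
    """Emulate the transport_maps search order from transport(5) for
    user@domain: the full address, then the bare domain, then each parent
    domain written as .parent. Returns (matched_key, transport) or (None, None)."""
    _, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address, domain] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        result = sqlite_lookup(conn, query_template, key)
        if result is not None:
            return key, result
    return None, None


def false_positive_check(query_template, own_domain, foreign_domain):
    """The answer's test: a correct map resolves our own domain but returns
    nothing for a domain we do not host. Returns the two transports found."""
    conn = open_sample_db()
    own = transport_lookup(conn, query_template, "user@" + own_domain)[1]
    foreign = transport_lookup(conn, query_template, "user@" + foreign_domain)[1]
    return own, foreign


if __name__ == "__main__":
    for name, q in (("broken", BROKEN_QUERY), ("fixed", FIXED_QUERY)):
        own, foreign = false_positive_check(q, "mydomain.com", "gmail.com")
        print(f"{name}: mydomain.com -> {own!r}, gmail.com -> {foreign!r}")
```

With the hard-coded query every key, including the full gmail.com address, resolves to `virtual:`, which is exactly why the virtual agent bounced the outbound mail with "unknown user"; the `%s` form returns nothing for the foreign domain, so Postfix falls back to normal relaying.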