
I'm running into issues with postfix, specifically while creating a local virtual alias to forward email to external addresses (on other servers).

My goal is to: Forward all email sent to fwd@xyz.com to final-address@external-server.com (virtual user on another server like gmail etc).

I tried to set this using virtual_alias_maps. This was the result:

```
This is the mail system at host my-server.xyz.com.

I'm sorry to have to inform you that your message could not
be delivered (...)

<final-address@external-server.com> (expanded from <fwd@xyz.com>): user unknown
Reporting-MTA: dns; my-server.xyz.com
```

It knows the email should be forwarded to final-address@external-server.com, however it says it can't find that user? Is it looking for final-address@external-server.com on its own virtual users? Why?

I've multiple entries in virtual_alias_maps that forward email internally, for instance site@xyz.com is forwarded / aliased to person.surname@xyz.com and it works. However when the destination is an external address I get the error above.

Part of my main.cf:

```
smtpd_recipient_restrictions = 
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_client_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unknown_address,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining

smtpd_client_restrictions = 
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    check_client_access regexp:/etc/postfix/checks/client_restrictions,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org

smtpd_sender_restrictions = 
    permit_mynetworks,
    reject_unknown_address,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    #reject_sender_login_mismatch
    reject_authenticated_sender_login_mismatch

smtpd_helo_restrictions = 
    permit_sasl_authenticated,
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/checks/helo_access,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname,
    permit

smtpd_sender_login_maps = mysql:/etc/postfix/virtual/mysql-sender-login-maps.cf

# Virtual Maps 
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/virtual/mysql-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/virtual/mysql-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/virtual/mysql-alias-maps.cf
```

virtual_alias_maps runs on this SQL:

```
query = SELECT destination FROM `VirtualAlias` WHERE source='%s' AND active = 1
```

And for the examples above it had the following entries:

| id | source | destination | active |
|----|--------|-------------|--------|
| 1 | site@xyz.com | person.surname@xyz.com | 1 |
| 2 | fwd@xyz.com | final-address@external-server.com | 1 |

Is my assumption right when I say it is looking for final-address@external-server.com on its own virtual users and then failing (because it's obviously an external email)? If yes how can I fix it?

Thank you.


No Port 25 Sending: No email client is able to send email over port 25, they're forced to go over port 587 (MSA). => They also get user unknown if they try to send email using port 25 (for external destinations, internal ones work). Maybe it's something related to this?

I guess this happens because the spam control content filter below forces all sent email to get delivered directly into dovecot and if the destination isn't one of our virtual users it fails...

Also, the submission is controlled like:

```
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

**maybe smtpd_client_restrictions restrictions here are making it hard?**

Spam Control: master.cf was changed to send all email through a content filter:

```
smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamassassin

spamassassin unix -     n   n   -   -   pipe
    flags=DROhu user=vmail:vmail argv=/usr/bin/spamc -f -e /usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
```

Suggested checks by @clement:

```
postmap -q external-server.com mysql:/etc/postfix/virtual/mysql-mailbox-maps.cf
postmap -q external-server.com mysql:/etc/postfix/virtual/mysql-mailbox-domains.cf
```

=> both give empty results, as expected, since external-server.com is not listed there.

Defining virtual_alias_domains didn't help. Same issue. Do we need to set it? From my understanding if virtual_alias_domains is empty postfix will look further at virtual_alias_maps.


Suggested checks by @Guntis:

As I suspected, postfix seems to be trying to deliver the forwarded email into spamassassin+dovecot, read No Port 25 Sending above and my comments:

```
postfix/smtpd[]: < remote-incoming.server.com[87.x.x.x]: RCPT TO:<fwd@xyz.com>
postfix/smtpd[]: extract_addr: input: <fwd@xyz.com>
postfix/smtpd[]: smtpd_check_addr: addr=fwd@xyz.com
postfix/smtpd[]: send attr request = rewrite
postfix/smtpd[]: send attr rule = local
postfix/smtpd[]: send attr address = fwd@xyz.com
postfix/smtpd[]: private/rewrite socket: wanted attribute: flags
postfix/smtpd[]: input attribute name: flags
postfix/smtpd[]: input attribute value: 0
postfix/smtpd[]: private/rewrite socket: wanted attribute: address
postfix/smtpd[]: input attribute name: address
postfix/smtpd[]: input attribute value: fwd@xyz.com
postfix/smtpd[]: private/rewrite socket: wanted attribute: (list terminator)
postfix/smtpd[]: input attribute name: (end)
postfix/smtpd[]: rewrite_clnt: local: fwd@xyz.com -> fwd@xyz.com
postfix/smtpd[]: send attr request = resolve
postfix/smtpd[]: send attr sender =
postfix/smtpd[]: send attr address = fwd@xyz.com
postfix/smtpd[]: private/rewrite socket: wanted attribute: flags
postfix/smtpd[]: input attribute name: flags
postfix/smtpd[]: input attribute value: 0
postfix/smtpd[]: private/rewrite socket: wanted attribute: transport
postfix/smtpd[]: input attribute name: transport
postfix/smtpd[]: input attribute value: lmtp
postfix/smtpd[]: private/rewrite socket: wanted attribute: nexthop
postfix/smtpd[]: input attribute name: nexthop

# 1. WHY?? unix:private/dovecot-lmtp

postfix/smtpd[]: input attribute value: unix:private/dovecot-lmtp
postfix/smtpd[]: private/rewrite socket: wanted attribute: recipient
postfix/smtpd[]: input attribute name: recipient
postfix/smtpd[]: input attribute value: fwd@xyz.com

postfix/smtpd[]: resolve_clnt: `' -> `fwd@xyz.com' -> transp=`lmtp' host=`unix:private/dovecot-lmtp' rcpt=`fwd@xyz.com' flags= class=virtual

# 2. Tries to lookup on MySQL fwd@xyz.com (according to virtual_alias_maps)

postfix/smtpd[]: dict_mysql_lookup: retrieved 1 rows
postfix/smtpd[]: maps_find: virtual_alias_maps: mysql:/etc/postfix/virtual/mysql-alias-maps.cf(0,lock|fold_fix): fwd@xyz.com = final-address@external-server.com
postfix/smtpd[]: mail_addr_find: fwd@xyz.com -> final-address@external-server.com

# 3. It knows it should be delivered to another address...

postfix/smtpd[]: report recipient to all milters (flags=0x0)
postfix/smtpd[]: milter_macro_lookup: "i"
postfix/smtpd[]: milter_macro_lookup: "{rcpt_addr}"
postfix/smtpd[]: ctable_locate: leave existing entry key fwd@xyz.com
postfix/smtpd[]: milter_macro_lookup: result "fwd@xyz.com"
postfix/smtpd[]: milter_macro_lookup: "{rcpt_host}"
postfix/smtpd[]: ctable_locate: leave existing entry key fwd@xyz.com
postfix/smtpd[]: milter_macro_lookup: result "unix:private/dovecot-lmtp"
postfix/smtpd[]: milter_macro_lookup: "{rcpt_mailer}"
postfix/smtpd[]: ctable_locate: leave existing entry key fwd@xyz.com
postfix/smtpd[]: milter_macro_lookup: result "lmtp"

# 4. Is it still trying to deliver on fwd@xyz.com?? 

postfix/smtpd[]: milter8_rcpt_event: milter inet:localhost:12301: rcpt <fwd@xyz.com>
postfix/smtpd[]: event: SMFIC_RCPT; macros: {rcpt_addr}=fwd@xyz.com {rcpt_host}=unix:private/dovecot-lmtp {rcpt_mailer}=lmtp
postfix/smtpd[]: reply: SMFIR_CONTINUE data 0 bytes

# After a while it delivers the error notification

postfix/pipe[]: 2E2CA2E2DB3: to=<final-address@external-server.com>, orig_to=<fwd@xyz.com>, relay=spamassassin, delay=0.63, delays=0.29/0/0/0.33, dsn=5.1.1, status=bounced (user unknown)
postfix/cleanup[]: 920F92E2DC3: message-id=<20161219134225.920F92E2DC3@my-server.xyz.com>
postfix/bounce[]: 2E2CA2E2DB3: sender non-delivery notification: 920F92E2DC3
```
TCB13
  • `external-server.com` not listed in `virtual_mailbox_domains` table? Here is relevant http://serverfault.com/questions/631307/postfix-wont-send-mail-to-external-email-addresses-listed-in-virtual-alias-domai – Guntis Dec 18 '16 at 19:28
  • @Guntis no it's not. I guess it's not the case on the link. Thank you. – TCB13 Dec 18 '16 at 22:40
  • @Guntis please check my edit, especially the `No Port 25 Sending` note. ;) – TCB13 Dec 18 '16 at 22:59
  • Make postfix more verbose. See `Verbose logging for specific SMTP connections` and `Making Postfix daemon programs more verbose` [here](http://www.postfix.org/DEBUG_README.html#verbose). Then look at the log files to see what is happening when you send email to an address that must then be forwarded. You will probably see where it looks up the remote email address. – Guntis Dec 19 '16 at 05:29
  • Please ensure `postmap -q external-server.com mysql:/etc/postfix/virtual/mysql-mailbox-maps.cf` and `postmap -q external-server.com mysql:/etc/postfix/virtual/mysql-mailbox-domains.cf` give empty results. Also, can you define `virtual_alias_domains = xyz.com` just to be sure you only consider `xyz.com` under `virtual_alias_domains`, as currently I see it is not defined. – clement Dec 19 '16 at 06:16
  • @Guntis please check edits. And you too clement. Thanks for all the help. – TCB13 Dec 19 '16 at 14:50
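
Added example, not part of the original post or its comments: a Python check over Postfix delivery log lines that flags the pattern in the bounce quoted in the question, where an alias expands from a local address to an external one but the message is handed to a local delivery agent instead of `smtp`. The local domain set, the agent list, and the second and third sample lines are constructed assumptions; the first sample line is the one from the question.

```python
import re

# Assumption: the domains this server hosts (the page's placeholder domain).
LOCAL_DOMAINS = {"xyz.com"}
# Assumption: delivery agents that only reach local mailboxes on this setup.
LOCAL_AGENTS = {"pipe", "lmtp", "virtual", "local"}

# Matches Postfix delivery status lines; the PID may be blank as in the post.
DELIVERY = re.compile(
    r"postfix/(?P<agent>\w+)\[\d*\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"(?:orig_to=<(?P<orig_to>[^>]*)>, )?relay=(?P<relay>[^,]+), "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)

def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()

def misrouted_forwards(lines):
    """Return records where a local alias expanded to an external
    recipient but a local-only delivery agent handled the message."""
    hits = []
    for line in lines:
        m = DELIVERY.search(line)
        if not m:
            continue
        rec = m.groupdict()
        if (rec["orig_to"]                                  # alias was expanded
                and domain(rec["orig_to"]) in LOCAL_DOMAINS
                and domain(rec["to"]) not in LOCAL_DOMAINS  # final rcpt is external
                and rec["agent"] in LOCAL_AGENTS):          # but delivered locally
            hits.append(rec)
    return hits

SAMPLE_LOG = [
    # From the question:
    "postfix/pipe[]: 2E2CA2E2DB3: to=<final-address@external-server.com>, orig_to=<fwd@xyz.com>, relay=spamassassin, delay=0.63, delays=0.29/0/0/0.33, dsn=5.1.1, status=bounced (user unknown)",
    # Constructed: internal alias, local delivery is correct here.
    "postfix/pipe[]: 3A1B0C4D5E6: to=<person.surname@xyz.com>, orig_to=<site@xyz.com>, relay=spamassassin, delay=0.41, delays=0.2/0/0/0.21, dsn=2.0.0, status=sent (delivered via spamassassin service)",
    # Constructed: what a correctly relayed forward would look like.
    "postfix/smtp[]: 4F6E7D8C9B0: to=<final-address@external-server.com>, orig_to=<fwd@xyz.com>, relay=mx.external-server.com[192.0.2.25]:25, delay=1.2, delays=0.3/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)",
]

if __name__ == "__main__":
    for rec in misrouted_forwards(SAMPLE_LOG):
        print(f"{rec['qid']}: {rec['orig_to']} -> {rec['to']} handled by "
              f"{rec['agent']}/{rec['relay']} ({rec['dsn']} {rec['status']})")
```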

0 Answers