Undelivered Mail Returned to Sender since upgrade to 4.2-0

ucs-4-2
postfix
mailserver

#1

Hello,

after upgrading to UCS 4.2-0 I have problems with receiving mails. I receive a lot of error messages:

Undelivered Mail Returned to Sender

<mail@non-primary.domain>: host 127.0.0.1[127.0.0.1] said: 550-Mailbox unknown.
    Either there is no mailbox associated with this 550-name or you do not have
    authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO
    command)

I use smtp generic maps, so the file /etc/univention/templates/files/etc/postfix/main.cf.d/30maps is modified. I re-added my changes to the new template, but this doesn’t help. Also I did a

ucr commit /etc/postfix/*
systemctl restart postfix.service

Kind regards,
SirTux

EDIT: I use Cyrus


#2

The problem is gone if I disable the generic maps. Maybe it’s time to set up univention-mail-canonical-maps


#3

Yes, that seems to be working


#4

There still seems to be a problem because I don’t change the Return-Path. How can I fix this?


#5

How is Return-Path a problem, exactly?


#6

The antispam software of the mail relay rejects the mails with internal domain in the return path:

 said: 550 5.7.0 Mail
    from domain [user@internal.domain] is missing A or MX DNS record. See
    http://spamauditor.org/best-practices/valid_from_address/ for more
    information. Protection provided by MagicSpam 2.0.13-1
    http://www.magicspam.com (in reply to RCPT TO command)

#7

How are these emails created?

Have you set the UCR variable mail/postfix/myorigin?


#8

mail/postfix/myorigin is not set. But the problem occurs also if I set it to the external or the internal domain.

I’ve tested it with KMail and Rainloop.


#9

How does kmail send its mail? Via sendmail or via SMTP? Same for Rainloop.


#10

Both send via SMTP.

Post must be at least 20 characters long


#11

Normally the Return-Path header is only added during the final step of delivery (e.g. when postfix hands the mail over to Cyrus); see e.g. this thread where Wietse Venema, the author of Postfix, states so. Therefore what you’re writing doesn’t really make a lot of sense to me: an anti-spam solution on a gateway should never see a Return-Path header.

To me this sounds like the envelope sender address contains the internal domain. The envelope sender address is normally set by the client handing the mail over to the delivery system for the first time (e.g. kmail), but mailservers along the way may modify it.

Can you show what your current postfix configuration looks like? e.g. the output of ucr search --brief mail/postfix and postconf -n.

mosu


#12

It can be that my analysis is wrong. I’m not a mail expert :wink:

# ucr search --brief mail/postfix
mail/postfix/cron/recreate/dh/parameter: <empty>
mail/postfix/dnslookups: <empty>
mail/postfix/dovecot_sasl: <empty>
mail/postfix/inet/interfaces: all
mail/postfix/inet/protocols: <empty>
mail/postfix/ldap/timeout: 15
mail/postfix/ldaptable/debuglevel: 0
mail/postfix/ldaptable/starttls: yes
mail/postfix/ldaptable/tlscacertfile: /etc/univention/ssl/ucsCA/CAcert.pem
mail/postfix/ldaptable/tlsrequirecert: yes
mail/postfix/local/header/rewrite/clients: static:all
mail/postfix/masquerade/domains: $mydomain
mail/postfix/masquerade/exceptions: root
mail/postfix/mastercf/options/smtp/.*: <empty>
mail/postfix/mastercf/options/smtps/.*: <empty>
mail/postfix/mastercf/options/smtps/smtpd_sasl_auth_enable: yes
mail/postfix/mastercf/options/smtps/smtpd_tls_wrappermode: yes
mail/postfix/mastercf/options/submission/.*: <empty>
mail/postfix/mastercf/options/submission/smtpd_enforce_tls: yes
mail/postfix/mastercf/options/submission/smtpd_sasl_auth_enable: yes
mail/postfix/mynetworks: <empty>
mail/postfix/myorigin: <empty>
mail/postfix/policy/listfilter/maxproc: <empty>
mail/postfix/policy/listfilter/use_sasl_username: yes
mail/postfix/policy/listfilter: no
mail/postfix/smtp/hostlookup: <empty>
mail/postfix/smtp/tls/loglevel: 0
mail/postfix/smtpd/banner: <empty>
mail/postfix/smtpd/debug: <empty>
mail/postfix/smtpd/restrictions/recipient/.*: <empty>
mail/postfix/smtpd/restrictions/recipient/10: permit_mynetworks
mail/postfix/smtpd/restrictions/recipient/20: reject_unauth_pipelining
mail/postfix/smtpd/restrictions/recipient/29: permit_sasl_authenticated
mail/postfix/smtpd/restrictions/recipient/30: reject_unknown_recipient_domain
mail/postfix/smtpd/restrictions/recipient/40: reject_non_fqdn_recipient
mail/postfix/smtpd/restrictions/recipient/50: reject_invalid_helo_hostname
mail/postfix/smtpd/restrictions/recipient/60: reject_unauth_destination
mail/postfix/smtpd/restrictions/recipient/70: permit
mail/postfix/smtpd/restrictions/recipient/90: check_policy_service unix:private/kolabpolicy
mail/postfix/smtpd/restrictions/sender/07: permit_unknown_sender_domain
mail/postfix/smtpd/restrictions/sender/reject_unknown_client_hostname: <empty>
mail/postfix/smtpd/restrictions/sender/reject_unknown_reverse_client_hostname: <empty>
mail/postfix/smtpd/tls/dh1024/param/file: /etc/postfix/dh_2048.pem
mail/postfix/smtpd/tls/dh512/param/file: /etc/postfix/dh_512.pem
mail/postfix/smtpd/tls/eecdh/grade: strong
mail/postfix/smtpd/tls/exclude_ciphers: RC4, aNULL
mail/postfix/smtpd/tls/loglevel: 0
mail/postfix/smtpd/tls/mandatory_protocols: <empty>
mail/postfix/smtpd/tls/protocols: <empty>
mail/postfix/softbounce: no
mail/postfix/ssl/cafile: <empty>
mail/postfix/ssl/capath: <empty>
mail/postfix/ssl/certificate: <empty>
mail/postfix/ssl/key: <empty>
mail/postfix/submission/restrictions/recipient/.*: <empty>
mail/postfix/tls/client/exclude_ciphers: RC4, aNULL
mail/postfix/tls/client/level: may
mail/postfix/tls/client/mandatory_protocols: <empty>
mail/postfix/tls/client/policy/.*: <empty>
mail/postfix/tls/client/policy/amavis: [127.0.0.1]:10024 none
mail/postfix/tls/client/protocols: <empty>
mail/postfix/tls/policy/maps: <empty>
mail/postfix/tls/preempt/cipherlist: yes
mail/postfix/transport/ldap/enabled: yes
mail/postfix/virtual/enabled: yes

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
disable_vrfy_command = no
inet_interfaces = all
inet_protocols = ipv4
local_header_rewrite_clients = static:all
masquerade_domains = $mydomain
masquerade_exceptions = root
message_size_limit = 36700160
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = ucsmaster.top2.top1
mynetworks = 127.0.0.0/8
myorigin = ucsmaster.top2.top1
recipient_canonical_maps = ldap:/etc/postfix/ldap.canonicalrecipient
relayhost = mail.draakgard.de
relocated_maps = hash:/etc/postfix/relocated
sender_canonical_classes = header_sender
sender_canonical_maps = ldap:/etc/postfix/ldap.canonicalsender
smtp_helo_name = ucsmaster.top2.top1
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
smtp_sasl_security_options = noanonymous
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_loglevel = 0
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_pipelining, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_invalid_helo_hostname, reject_unauth_destination, permit, check_policy_service unix:private/kolabpolicy
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/univention/ssl/ucsmaster.top2.top1/cert.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/univention/ssl/ucsmaster.top2.top1/private.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols =
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport, ldap:/etc/postfix/ldap.transport
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap.groups, ldap:/etc/postfix/ldap.distlist, ldap:/etc/postfix/ldap.virtual, ldap:/etc/postfix/ldap.external_aliases, ldap:/etc/postfix/ldap.sharedfolderremote, ldap:/etc/postfix/ldap.sharedfolderlocal_aliases, ldap:/etc/postfix/ldap.virtualwithcanonical
virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains
virtual_mailbox_maps = ldap:/etc/postfix/ldap.virtual_mailbox, ldap:/etc/postfix/ldap.sharedfolderlocal, ldap:/etc/postfix/ldap.virtualwithcanonical


#13

So… rewriting the sender addresses is already active. Can you please show

  1. the output of grep -E 'query_filter|result_attribute' /etc/postfix/ldap.canonicalsender and
  2. the output of univention-ldapsearch uid=<username> | grep -iE '^dn:|.*mail.*:' for one of the user names affected by this problem?

#14

# grep -E 'query_filter|result_attribute' /etc/postfix/ldap.canonicalsender
query_filter = (&(univentionCanonicalSenderRewriteEnabled=1)(|(univentionInternalPrimaryMailAddress=%s)(univentionInternalAlternativeMailAddress=%s)))
result_attribute = univentionPublicPrimaryMailAddress

# univention-ldapsearch uid=stefan | grep -iE '^dn:|.*mail.*:'
dn: uid=username,cn=users,dc=internal,dc=domain
mailPrimaryAddress: username@internal.domain
mailGlobalSpamFolder: 0
univentionFetchmailProtocol: IMAP
univentionMailHomeServer: ucsmaster.internal.domain
univentionFetchmailUseSSL: 1
univentionFetchmailServer: mail.external.domain
univentionFetchmailAddress: username@external.domain
mail: username@internal.domain
mail: username@external.domain
mailAlternativeAddress: username@external.domain
univentionPublicPrimaryMailAddress: username@external.domain
univentionInternalPrimaryMailAddress: username@internal.domain

#15

Hey,

Hmm, you’re already re-writing the sender, but only the header addresses, not the envelope addresses. Try setting the UCR variable mail/maps/canonical/sender/classes to envelope_sender, header_sender instead.

Kind regards,
mosu
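
The point made in #11 and #15 (the relay rejects the envelope sender, and sender_canonical_classes = header_sender only rewrites the From:/Sender: headers) can be checked without a running Postfix. The following is an added example, not code from this thread, from Univention or from Postfix; it models the documented behaviour of cleanup(8): sender_canonical_maps is applied to the envelope sender only when envelope_sender is listed in sender_canonical_classes, and to the sender headers only when header_sender is listed (the canonical_maps table on the page is not modelled). The map contents, the message and the function names are constructed for the example.

```python
"""Model of sender_canonical_classes in Postfix, plus a config check.

Added example; the CANONICAL_SENDER map below is a constructed stand-in
for ldap:/etc/postfix/ldap.canonicalsender (internal -> public address,
as the result_attribute on the page suggests).
"""
import re

# Constructed map: what the LDAP canonical sender lookup would return.
CANONICAL_SENDER = {
    "username@internal.domain": "username@external.domain",
}


def parse_postconf(text):
    """Parse `postconf -n` style output into {parameter: value}."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def canonical_classes(params):
    """Classes sender_canonical_maps applies to (Postfix default: both)."""
    raw = params.get("sender_canonical_classes",
                     "envelope_sender, header_sender")
    return {c for c in re.split(r"[,\s]+", raw) if c}


def rewrite_sender(envelope_from, headers, params):
    """Apply the canonical map the way cleanup(8) would for the configured
    classes. Assumes local_header_rewrite_clients matches the client, as
    the static:all setting on the page does. Returns (envelope, headers)."""
    classes = canonical_classes(params)
    new_env = envelope_from
    if "envelope_sender" in classes:
        new_env = CANONICAL_SENDER.get(envelope_from, envelope_from)
    new_headers = dict(headers)
    if "header_sender" in classes:
        for name in ("From", "Sender"):
            if name in new_headers:
                old = new_headers[name]
                new_headers[name] = CANONICAL_SENDER.get(old, old)
    return new_env, new_headers


def envelope_leaks_internal(envelope_from, internal_domain):
    """True if the MAIL FROM still carries the internal domain, which is
    what the relay's filter complained about in #6."""
    return envelope_from.lower().endswith("@" + internal_domain.lower())


def check_sender_rewrite(params):
    """Return a list of findings for a postconf -n dump: a sender map that
    is configured but not applied to the envelope is the case from #15."""
    findings = []
    if params.get("sender_canonical_maps"):
        classes = canonical_classes(params)
        if "envelope_sender" not in classes:
            findings.append(
                "sender_canonical_maps is set but sender_canonical_classes "
                "lacks envelope_sender: MAIL FROM is not rewritten")
    return findings


if __name__ == "__main__":
    # Constructed excerpt mirroring the relevant lines of the page's dump.
    before = parse_postconf(
        "sender_canonical_classes = header_sender\n"
        "sender_canonical_maps = ldap:/etc/postfix/ldap.canonicalsender\n")
    env, hdr = rewrite_sender("username@internal.domain",
                              {"From": "username@internal.domain"}, before)
    print("header_sender only:", env, hdr, check_sender_rewrite(before))
    after = parse_postconf(
        "sender_canonical_classes = envelope_sender, header_sender\n"
        "sender_canonical_maps = ldap:/etc/postfix/ldap.canonicalsender\n")
    env, hdr = rewrite_sender("username@internal.domain",
                              {"From": "username@internal.domain"}, after)
    print("both classes:", env, hdr, check_sender_rewrite(after))
```

Running the model on the page's own setting reproduces the symptom: the From: header becomes username@external.domain while the envelope sender stays username@internal.domain, which is exactly what a relay-side DNS check on MAIL FROM sees. On a real host, `postconf -h sender_canonical_classes` and `postmap -q username@internal.domain ldap:/etc/postfix/ldap.canonicalsender` give the two inputs the model works from.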


#16

Thank you it works now :slight_smile:


#17

Well, finally! :slight_smile: