Postforward configured with Postfix PIPE(8) resulting in bounced (mail forwarding loop)
Hello, I am configuring an email server for a company (not a hosting company, but a travel company). And I need help in configuring postforward to work with postfix pipe(8) delivery agents.
THE CONFIGURATION
The domains and mailboxes are stored in the MySQL Database so in /etc/postfix/main.cf:
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_expansion_limit=2500
The daemon postsrsd is running as well, this is the config for postsrsd in /etc/postfix/main.cf:
#follow postforward suggestion in github when use with postsrsd
#sender_canonical_maps = tcp:localhost:10001
#sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient
And also followed your suggestion for the postforward policy when configured in Postfix PIPE(8)
#postforward policy
postforward_destination_recipient_limit = 1
Then in my /etc/postfix/master.cf, I registered the postforward service:
postforward unix - n n - - pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin ${recipient}
Finally to make this all hooked, I created a transport map file /etc/postfix/transport, and put this line:
branddomainname.com postforward:
And went back to my /etc/postfix/main.cf, I added:
transport_maps = hash:/etc/postfix/transport
For now I want postforward to apply only to branddomainname.com and not to other domain names (so other departments don't complain when something happens during this setup).
Of course I did not forget to do this:
postmap transport
systemctl restart postfix
AND NOW THE EXECUTION OF THE TEST
I sent an email from [email protected] to [email protected], where [email protected] has only one alias that is to [email protected].
THE RESULT OF THE TEST AND IT IS THE ISSUE
Unfortunately, after many trials, this does not work. In the log, I found that the email, which was sent only once, has doubled:
Apr 30 11:59:59 corp115486 postfix/cleanup[17988]: 671E024406B7: warning: header Subject: Test #2 30 April 2020 from mail-ua1-f48.google.com[209.85.222.48]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-ua1-f48.google.com>
Apr 30 12:00:00 corp115486 postfix/cleanup[17988]: AA7D82440708: warning: header Subject: Test #2 30 April 2020 from local; from=<[email protected]> to=<[email protected]>
And then, I followed both of the MAIL-ID, and here is what I found on the log:
671E024406B7:
Apr 30 11:59:59 corp115486 postfix/smtpd[17981]: 671E024406B7: client=mail-ua1-f48.google.com[209.85.222.48]
Apr 30 11:59:59 corp115486 postfix/cleanup[17988]: 671E024406B7: message-id=<CAE7sF+GUdfepxMWW-Z9Ez6Go6wN8dG5nTGmvSk25sJUs5w5hng@mail.gmail.com>
Apr 30 11:59:59 corp115486 postfix/cleanup[17988]: 671E024406B7: warning: header Subject: Test #2 30 April 2020 from mail-ua1-f48.google.com[209.85.222.48]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-ua1-f48.google.com>
Apr 30 12:00:00 corp115486 opendkim[4178]: 671E024406B7: mail-ua1-f48.google.com [209.85.222.48] not internal
Apr 30 12:00:00 corp115486 opendkim[4178]: 671E024406B7: not authenticated
Apr 30 12:00:00 corp115486 opendkim[4178]: 671E024406B7: DKIM verification successful
Apr 30 12:00:00 corp115486 postfix/qmgr[17865]: 671E024406B7: from=<[email protected]>, size=2916, nrcpt=2 (queue active)
Apr 30 12:00:00 corp115486 postfix-rate-limit-snail/smtp[17872]: 671E024406B7: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[74.125.140.27]:25, delay=2.6, delays=2.3/0/0.14/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1588222800 z16si463811wrl.168 - gsmtp)
Apr 30 12:00:00 corp115486 postfix/pipe[17992]: 671E024406B7: to=<[email protected]>, relay=postforward, delay=2.6, delays=2.3/0.01/0/0.34, dsn=2.0.0, status=sent (delivered via postforward service)
Apr 30 12:00:00 corp115486 postfix/qmgr[17865]: 671E024406B7: removed
AA7D82440708:
Apr 30 12:00:00 corp115486 postfix/pickup[17864]: AA7D82440708: uid=5000 from=<[email protected]>
Apr 30 12:00:00 corp115486 postfix/cleanup[17988]: AA7D82440708: message-id=<CAE7sF+GUdfepxMWW-Z9Ez6Go6wN8dG5nTGmvSk25sJUs5w5hng@mail.gmail.com>
Apr 30 12:00:00 corp115486 postfix/cleanup[17988]: AA7D82440708: warning: header Subject: Test #2 30 April 2020 from local; from=<[email protected]> to=<[email protected]>
Apr 30 12:00:00 corp115486 opendkim[4178]: AA7D82440708: no signing table match for '[email protected]'
Apr 30 12:00:00 corp115486 opendkim[4178]: AA7D82440708: DKIM verification successful
Apr 30 12:00:00 corp115486 postfix/qmgr[17865]: AA7D82440708: from=<[email protected]>, size=4440, nrcpt=2 (queue active)
Apr 30 12:00:00 corp115486 postfix/pipe[17992]: AA7D82440708: to=<[email protected]>, relay=postforward, delay=0.26, delays=0.2/0/0/0.07, dsn=5.4.6, status=bounced (mail forwarding loop for [email protected])
Apr 30 12:01:01 corp115486 postfix-rate-limit-snail/smtp[17873]: AA7D82440708: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[74.125.140.27]:25, delay=61, delays=0.2/60/0.15/0.29, dsn=2.0.0, status=sent (250 2.0.0 OK 1588222861 d6si1137819wrv.413 - gsmtp)
Apr 30 12:01:01 corp115486 postfix/bounce[18004]: AA7D82440708: sender non-delivery notification: 3DBCC24406F9
Apr 30 12:01:01 corp115486 postfix/qmgr[17865]: AA7D82440708: removed
If you take a look at the second message with ID AA7D82440708, postforward is working and has rewritten the from to the following:
[email protected]
Now I do not understand where the first message with ID 671E024406B7 was triggered from, or is this how postfix works, or did postforward send it again after it rewrote it?
I hope that I could get some answers on this problem.
#Staysafe
Thank you, Dismas
Hi Dismas,
> Now I do not understand where the first message with ID 671E024406B7 was triggered from, or is this how postfix works, or did postforward send it again after it rewrote it?
Postforward indeed submits new mail into the queue (by executing sendmail) which is why you'll see a pickup entry with a new message ID.
The problem in your configuration that is causing postfix to run into a mail forwarding loop appears to be in the service definition:
postforward unix - n n - - pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin ${recipient}
The argument to postforward needs to be the email address that needs to be forwarded to, not the original recipient.
By using ${recipient} above, you're specifying the original recipient, which postfix correctly determines ends up in a forwarding loop (if it accepts this mail, it goes through postforward again, which submits it back to itself, puts it through postforward again, and so on and so on).
If all mail for branddomainname.com needs to go to the same forwarded recipient, you could put that address in place of ${recipient} above. If you have multiple different addresses, I cannot think of any way to achieve this other than to define specific transports for each of them so you end up with something like:
# /etc/postfix/master.cf
postforward_foo unix - n n - - pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin [email protected]
postforward_bar unix - n n - - pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin [email protected]
# /etc/postfix/transport
[email protected] postforward_foo:
[email protected] postforward_bar:
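The manual trace in the question (following both queue IDs) and the re-injection described in the answer, as an added example that is not part of the original thread: a Python sketch that groups Postfix queue IDs by Message-ID, records whether each one entered via smtpd or via pickup (local sendmail submission), and collects recipients bounced with dsn=5.4.6 on a postforward relay. The log lines, host name, queue IDs and addresses are constructed placeholders modelled on the excerpt above, and `trace` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample: placeholder queue IDs, host and addresses (not from the thread).
SAMPLE_LOG = """\
Apr 30 11:59:59 mx postfix/smtpd[100]: AAAA00000001: client=mail.example.net[192.0.2.10]
Apr 30 11:59:59 mx postfix/cleanup[101]: AAAA00000001: message-id=<test-2@example.net>
Apr 30 12:00:00 mx postfix/pipe[102]: AAAA00000001: to=<alias@example.com>, relay=postforward, delay=2.6, dsn=2.0.0, status=sent (delivered via postforward service)
Apr 30 12:00:00 mx postfix/pickup[103]: BBBB00000002: uid=5000 from=<SRS0=HHHH=TT=example.net=sender@example.com>
Apr 30 12:00:00 mx postfix/cleanup[101]: BBBB00000002: message-id=<test-2@example.net>
Apr 30 12:00:00 mx postfix/pipe[102]: BBBB00000002: to=<alias@example.com>, relay=postforward, delay=0.26, dsn=5.4.6, status=bounced (mail forwarding loop for alias@example.com)
"""

# "postfix[\w-]*" also matches a custom syslog_name such as postfix-rate-limit-snail.
LINE = re.compile(
    r"postfix[\w-]*/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)"
)


def trace(log_text):
    """Group queue IDs by Message-ID; note entry point and forwarding-loop bounces."""
    info = defaultdict(lambda: {"origin": None, "msgid": None, "loops": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # opendkim and other non-Postfix lines
        q, daemon, rest = info[m["qid"]], m["daemon"], m["rest"]
        if daemon in ("smtpd", "pickup") and q["origin"] is None:
            q["origin"] = daemon  # smtpd = from the network, pickup = local sendmail
        elif rest.startswith("message-id="):
            q["msgid"] = rest[len("message-id="):]
        elif "dsn=5.4.6" in rest and "relay=postforward" in rest:
            q["loops"].append(re.search(r"to=<([^>]*)>", rest)[1])
    by_msgid = defaultdict(list)
    for qid, q in info.items():
        by_msgid[q["msgid"]].append((qid, q["origin"], q["loops"]))
    return dict(by_msgid)


if __name__ == "__main__":
    for msgid, entries in trace(SAMPLE_LOG).items():
        print(msgid)
        for qid, origin, loops in entries:
            print(f"  {qid} via {origin}; loop bounces: {loops or 'none'}")
```

Two queue IDs sharing one Message-ID, the second arriving via pickup, is the signature of a pipe transport re-submitting mail; a 5.4.6 bounce on that second ID means the re-submitted copy was routed back into the same transport.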
Hi Zoni,
Thank you for your time and answer. I hope you and your family are in good health in this pandemic era.
Unfortunately, I have tried it and it does not work. But anyhow, if it would need manual addition for every forwarding email address (alias), then I guess I just have to accept living with the fact that aliases would be forwarded as unauthenticated and would break the SPF.
The world does not have a COVID-19 vaccine yet as I am writing this comment, so what is the big deal with forwarded emails breaking the SPF ;).
Once again, thank you, Dismas.