Postfix virtual map escapes some @

I can confirm that it didn’t work for me either. I think we can just fix our install script and not add virtuser_file plugin.

Do you have an option resolve_dequoted_address = no added too?

I have just tried it and it worked for me with smtpd_sender_restrictions = reject_sender_login_mismatch option enabled.

Yes, I have this option added. See my whole main.cf below:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6

# TLS parameters

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Main Config

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail1.domain.nl
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail1.domain.nl, localhost.domain.nl, , localhost
relayhost = email-smtp.eu-central-1.amazonaws.com:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
allow_percent_hack = no
resolve_dequoted_address = no
tls_server_sni_maps = hash:/etc/postfix/sni_map
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_password_map

# Amazon SES CUSTOM

smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

# SPAMExperts CUSTOM

smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, permit_sasl_authenticated, permit_mynetworks, reject

# Block cross-logins

smtpd_sender_login_maps = hash:/etc/postfix/virtual
smtpd_sender_restrictions = reject_sender_login_mismatch

And here is the content of /etc/postfix/virtual

domain@domain.nl domain
domain.nl domain.nl
hostmaster@domain.nl domain@domain.nl
abuse@domain.nl domain@domain.nl
postmaster@domain.nl domain@domain.nl
webmaster@domain.nl domain@domain.nl
test@domain.nl test\@domain.nl
other@domain.nl other\@domain.nl

Notice the backslash in the two records at the bottom… These are the users that I created via the virtualmin interface.

Btw, here’s the error I get when sending… Very strange…

<test@domain.nl>: Sender address rejected: not owned by user test@domain.nl.

We still need it when using regular format usernames though, right?

Okay guys, I am now 100% certain that my error is caused by the escaped characters in /etc/postfix/virtual.

What I tested:
I removed every backslash (the escaped @ character) from the file: /etc/postfix/virtual.
Then, I remapped the config file with command: postmap /etc/postfix/virtual

After that, I could send my e-mails as usual with the following restrictions in place:

smtpd_sender_login_maps = hash:/etc/postfix/virtual
smtpd_sender_restrictions = reject_sender_login_mismatch

If I put the backslash back, then I’ll receive the error again:

Sender address rejected: not owned by user test@test.com

So… Now I am lost… I am thinking about creating a Virtualmin Script (Actions upon server and user creation) that copies the /etc/postfix/virtual file to /etc/postfix/virtual_copy and removes every backslash from the copied file. Then I am able to use ‘smtpd_sender_restrictions’ like it is intended. But this is imho a dirty workaround that should not be necessary. If you have better ideas, please let me know.

Not really. I didn’t notice anything that would break, aside from RoundCube not being able to properly detect the domain name when sending mail. It sets the From: address to something like username@localhost in case only a username is used for login (e.g. in the case of a main domain user). However, this can easily be fixed in RoundCube by properly defining your (user) email address. What else could break, do you think? RoundCube just sends and receives using the credentials provided (i.e. uses SMTP and IMAP).

Well, yes, you could send mail but the problem is that mail is not getting received with this only change (i.e. replacing \@ with @ wouldn’t work for receiving mail).

That’s why I created a copy of the file to /etc/postfix/virtual_copy that’s only been used in smtpd_sender_login_maps = hash:/etc/postfix/virtual_copy.

Now I can send and receive. But like I said, this is a (dirty) workaround…
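
The workaround described above, sketched as an added example that is not code from any poster in this thread: it builds the unescaped copy for smtpd_sender_login_maps and checks whether a SASL login is listed as owner of a sender address. The helper names make_login_map and login_owns are hypothetical, the sample table is constructed, and the ownership check only models an exact full-address lookup.

```sh
#!/bin/sh
# Added example. make_login_map and login_owns are hypothetical helper names.

# Print a copy of a Postfix virtual table with "\@" unescaped on the
# right-hand side only; comments, blank lines and lookup keys stay as they are.
make_login_map() {
    awk '
        /^[ \t]*(#|$)/ { print; next }                       # comment or blank
        /^[ \t]/       { gsub(/\\@/, "@"); print; next }     # continuation line
        {
            key = $1                                         # lookup key, column 1
            rest = substr($0, length(key) + 1)               # separator + owners
            gsub(/\\@/, "@", rest)
            print key rest
        }
    ' "$1"
}

# Return 0 if LOGIN ($2) is listed as an owner of SENDER ($1) in table $3.
# Exact full-address match only; a simplification of the Postfix lookup.
login_owns() {
    awk -v s="$1" -v l="$2" '
        $1 == s {
            for (i = 2; i <= NF; i++) {
                o = $i
                sub(/,$/, "", o)                             # owners may be comma separated
                if (o == l) found = 1
            }
        }
        END { exit !found }
    ' "$3"
}

# Constructed sample with the same shape as the table posted in the thread.
sample=$(mktemp); fixed=$(mktemp)
printf '%s\n' 'domain@domain.nl domain' 'test@domain.nl test\@domain.nl' > "$sample"
make_login_map "$sample" > "$fixed"
login_owns test@domain.nl test@domain.nl "$sample" || echo "escaped table: login does not match owner"
login_owns test@domain.nl test@domain.nl "$fixed"  && echo "unescaped copy: login matches owner"
rm -f "$sample" "$fixed"

# On the server (as root), after each change to the virtual table:
#   make_login_map /etc/postfix/virtual > /etc/postfix/virtual_copy
#   postmap /etc/postfix/virtual_copy
```

Because the copy goes stale whenever a mailbox is added or removed, it has to be regenerated on every such change, otherwise new users hit the same rejection.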

Instead, do you have any issues with disabling the virtuser_file plugin completely by editing the roundcube/config/config.inc.php file and removing virtuser_file from the plugins list?

I don’t use roundcube… I am just authenticating with SMTP to my Virtualmin (Postfix) server. So I don’t think this applies to my case, right?

No, it doesn’t apply. This thread is related to RoundCube sending username as user\@dom.name rather than as user@dom.name when virtuser_file plugin is enabled.

Okay… I created a new topic at Postfix 'reject_sender_login_mismatch' rule not usable because of escaped @ characters in /etc/postfix/virtual

@Ilia @Jamie
Thanks.
It was also my current solution to remove the postfix virtualmapping from the roundcube config file.
All works as intended now.

Thanks for the support and readiness to help! It’s much appreciated.

Did you have to set up that virtualmapping plugin in Roundcube yourself, or was it enabled by default?

Hello @Jamie

It was enabled by default.
At first I tried to bring over the roundcube from the old server (files & DB), but that version (1.5.x) did not respond well to php8. I decided to go for a fresh installation and used the Virtualmin install script to accomplish that.

Hope this helps

So in my opinion, Roundcube should probably fix this plugin to deal with \ escapes in the virtusertable file.

Hi,

Sorry if it isn’t related to this thread.

There is one thing I don’t understand. If I restore a virtual server it doesn’t add any user line in
/etc/postfix/virtual. But if I add a new user to this restored server then Virtualmin adds the line:
newuser@domain.tld newuser\@domain.tld

I’m worried. Is this correct? What about the other users in the restored server?

Regards

I’ve just been reading all this, as I have been installing a new server, added Roundcube and got the authentication issue. Will this be fixed in a future release, or do we remove the Roundcube addon in future?

For anyone having this issue, you can force Virtualmin to switch back to the old format of having two Unix users per @-format mailbox at System Settings → Virtualmin Configuration → Advanced options → Create extra Unix user on Postfix systems when using user@domain format? by selecting Yes

4 Likes

Excellent, exactly what I was looking for.

Thanks
Steve

P.S. All work with @ now.
