Postfix, virtual aliases and catchall for undefined addresses
In Postfix 2.10.2, I have a setup with multiple domains and several virtual aliases to assign mail addresses to local users. It works fine as long as I do not add a catchall.
Before I used virtual aliases, I had a catchall defined with
local_recipient_maps =
luser_relay = catchall
but as I need to sort out mail addresses from different domains, I had to use virtual aliases.
Now postfix.org says I should do it like this, which I did:
/etc/postfix/main.cf:
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
/etc/postfix/virtual:
[email protected] account1
[email protected] account1
[email protected] account2
@example.com catchall
But if I do so, the catchall address grabs all my mail instead of just the mail to not explicitly defined addresses. Why is that and how do I change it?
I did postmap virtual and also restarted Postfix. There are no errors in the log, it just logs the delivery to the catchall address. And there is a warning "do not list domain example.com in BOTH mydestination and virtual_alias_domains", but I did not do that! I don't even have a mydestination directive. (There is one in the config below, but I added that after NickW suggested so.)
Here is my complete conf:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}"
mailbox_size_limit = 0
mydestination = $myhostname
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/dovecot/dovecot.pem
smtpd_tls_key_file = /etc/dovecot/private/dovecot.pem
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_domains = $myhostname, myotherdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual
If you include catch all email address in virtual alias then it will work.
in main.cf
:
virtual_alias_maps = hash:/etc/postfix/virtual
in virtual
:
[email protected] [email protected]
[email protected] [email protected]
...
[email protected] [email protected]
@example.com [email protected]
So, I figured it out. Some people suggest that the catch-all has to be on top of the virtual alias file, but I tried that before and it did not help (though I found that solution quite logical).
What worked is:
- Set
mydestination=localhost
(that is not$myhostname
) - Add the catchall on top of the virtual alias file:
@domain.com catchall-account@localhost
- Add all other virtual aliases below:
[email protected] contact@localhost
The example assumes you have UNIX users named catchall-account
and contact
. Mails to [email protected] will be delivered to the contact user while all other mail will be delivered to the catch-all account.
Maybe this is not necessary in all cases, but in my special case I want to use an account to save mail for some addresses, but mail sent directly to that account should end up in the catch-all.
After all, looks like Postfix is not working it's way through the virtual aliases from top to bottom, and additionally catch-alls have some special priority. I will be glad about further comments in case someone is actually able to explain this behaviour.