Postfix: Recipient address rejected: User unknown in local recipient table, even though recipient domain is an external domain

In my company infrastructure, I have an internal mail server with postfix whose name is, say, srv-internal.central.mydomain.tld with internal IP 10.10.128.200.

For exchanging mail with the Internet, it uses a relay mail server (a server in a DMZ environment with all the needed pinholes, for instance), also running postfix, whose name is mailgw.central.mydomain.tld with internal interface IP 10.10.133.105.

The public domain name of our infrastructure is (say) "central.mydomain.tld", but "pec.central.mydomain.tld" IS NOT our subdomain. It is provided by another ISP outside our network (so mail to this domain has to go out).

If I send a mail from [email protected] (from the srv-internal.central.mydomain.tld machine) to [email protected], I get the following error from the relay server:

Sep  4 08:03:16 mailgw postfix/smtpd[26678]: NOQUEUE: reject: RCPT from unknown[10.10.128.200]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in relay recipient table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<srv-internal.central.mydomain.tld>
Sep  4 08:03:16 mailgw postfix/smtpd[26678]: disconnect from unknown[10.10.128.200]

My relay server is on Linux CentOS release 5.7, postfix release is postfix-2.3.3-2.1.el5_2 from standard CentOS repositories.

Let's say my domain is:

 mydomain = central.mydomain.tld

And my postfix configuration on the relay server is currently the following:

(postconf -d; postconf -d; postconf -n; ) | sort | uniq -u

alias_maps = hash:/etc/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
content_filter = filter:127.0.0.1:10025
default_process_limit = 10
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 12582912
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
myhostname = mailgw.$mydomain
mynetworks = 127.0.0.0/8, 10.10.24.0/24, 10.10.128.200/32, 10.10.128.201/32
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /etc/postfix/README_FILES
receive_override_options = no_address_mappings
relay_domains = $mydomain, riminiventure.it
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,    permit_sasl_authenticated,    check_client_access hash:/etc/postfix/access_client,    check_helo_access hash:/etc/postfix/access_helo,    check_sender_access hash:/etc/postfix/access_sender, pcre:/etc/postfix/access_sender_pcre,    check_recipient_access hash:/etc/postfix/access_recipient,    reject_unauth_destination,    reject_invalid_hostname,    reject_unauth_pipelining,    reject_non_fqdn_sender,    reject_unknown_sender_domain,    reject_non_fqdn_recipient,    reject_unknown_recipient_domain,    reject_rbl_client bl.spamcop.net,    reject_rbl_client sbl.spamhaus.org,  check_policy_service inet:127.0.0.1:2501,    permit
smtpd_soft_error_limit = 3
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_domains = riminifar.it
virtual_alias_maps = hash:/etc/postfix/virtual

And this is my /etc/postfix/transport:

central.mydomain.tld             smtp:[srv-internal.central.mydomain.tld]
someotherdomain.org              smtp:[srv-internal.central.mydomain.tld]
yadomain.it                      smtp:[srv-internal.central.mydomain.tld]
xad.central.mydomain.tld         smtp:[srv-internal.central.mydomain.tld]
test.central.mydomain.tld        smtp:[10.10.15.101]

Now, "Recipient address rejected: User unknown in relay recipient table" seems to mean that the relay server (mailgw) "thinks" that "pec.central.mydomain.tld" is one of its subdomains, so it searches for the recipient user in its relay_recipient_maps, while it shouldn't IMHO.

I would expect this behaviour if I had put ".central.mydomain.tld" (with the initial dot!) in my transport table, but I actually have "central.mydomain.tld", so, reading the manuals, it should only consider the domain name itself and not its subdomains.

I would greatly appreciate it if somebody could suggest what I am doing wrong.


Solution 1:

The parameter you should be aware of is parent_domain_matches_subdomains.

A list of Postfix features where the pattern "example.com" also matches subdomains of example.com, instead of requiring an explicit ".example.com" pattern. This is planned backwards compatibility: eventually, all Postfix features are expected to require explicit ".example.com" style patterns when you really want to match subdomains.

So, parent_domain_matches_subdomains holds the list of domains for which postfix should match their subdomains too, even without a (dot) in front of them.

Unfortunately, the relay_domains parameter falls into that list.

# postconf parent_domain_matches_subdomains
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps

And because your relay_domains contains $mydomain, i.e. central.mydomain.tld, postfix matches all subdomains of central.mydomain.tld as relay_domains, not as external ones.


The solution is to set parent_domain_matches_subdomains and not include relay_domains in that parameter.
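To make the rule in this answer concrete, here is an added example (not code from the question, the answer, or Postfix itself): a small offline model of the parent-domain matching rule, fed with the relay_domains and parent_domain_matches_subdomains values quoted on this page. It classifies a recipient domain as "relay" (Postfix would look the user up in relay_recipient_maps) or "external", first with the default setting and then with relay_domains removed from the list, and builds the corrected main.cf value. The function names, the simplified matcher and the recipient address user@pec.central.mydomain.tld are assumptions constructed for the example.

```python
"""Added example, not Postfix code: a simplified model of how a domain
pattern in relay_domains is matched against a recipient domain, with and
without "relay_domains" in parent_domain_matches_subdomains."""

# Values copied from the postconf output quoted in the question.
RELAY_DOMAINS = ["central.mydomain.tld", "riminiventure.it"]
PARENT_DEFAULT = ("debug_peer_list,fast_flush_domains,mynetworks,"
                  "permit_mx_backup_networks,qmqpd_authorized_clients,"
                  "relay_domains,smtpd_access_maps")


def parse_list(value):
    """Split a Postfix comma- and/or space-separated list into items."""
    return [item for item in value.replace(",", " ").split() if item]


def domain_matches(domain, pattern, parent_matches_subdomains):
    """Simplified model (an assumption of this example) of the documented rule:
    - "example.com" matches example.com itself;
    - ".example.com" matches proper subdomains of example.com;
    - "example.com" also matches proper subdomains only when the feature
      being evaluated is listed in parent_domain_matches_subdomains."""
    domain = domain.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return domain.endswith(pattern) and len(domain) > len(pattern)
    if domain == pattern:
        return True
    return bool(parent_matches_subdomains) and domain.endswith("." + pattern)


def is_relay_domain(domain, relay_domains, parent_domain_matches_subdomains):
    """True when the domain falls under relay_domains, which is when smtpd
    consults relay_recipient_maps for the recipient."""
    parent = "relay_domains" in parse_list(parent_domain_matches_subdomains)
    return any(domain_matches(domain, p, parent) for p in relay_domains)


def classify_recipient(address, relay_domains, parent_domain_matches_subdomains):
    """Return 'relay' (user must exist in relay_recipient_maps) or 'external'."""
    domain = address.rsplit("@", 1)[1]
    if is_relay_domain(domain, relay_domains, parent_domain_matches_subdomains):
        return "relay"
    return "external"


def fixed_parent_setting(current=PARENT_DEFAULT):
    """Build the value the answer recommends for main.cf: the current list
    with relay_domains removed."""
    return ",".join(f for f in parse_list(current) if f != "relay_domains")


if __name__ == "__main__":
    # Constructed recipient in the external domain from the question.
    rcpt = "user@pec.central.mydomain.tld"
    print("default setting:", classify_recipient(rcpt, RELAY_DOMAINS, PARENT_DEFAULT))
    print("after the fix:  ", classify_recipient(rcpt, RELAY_DOMAINS, fixed_parent_setting()))
    print("parent_domain_matches_subdomains =", fixed_parent_setting())
```

With the default list the recipient is classified as "relay", which is exactly why smtpd looked for the user in relay_recipient_maps and answered 550; after the fix the same recipient is "external", while mail for central.mydomain.tld itself is still relayed. Note that the client 10.10.128.200 is in mynetworks, so once the domain is no longer treated as a relay domain, permit_mynetworks lets the message out.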