Postfix - Dovecot unable to send emails "status=bounced (user unknown)"

My email server was working fine on Debian Jessie 8.5. My setup uses Postfix 2.11.3 and Dovecot 2.2.13, with virtual users and mailboxes (Maildir style). It worked great, until I wanted to implement autocreation of the Junk folder and sending emails marked as spam by SpamAssassin 3.4.0 / Perl 5.20.2. That works fine. I am able to get emails between my virtual domains, as well as emails from outside (Gmail, Yahoo, etc). I am able to send emails between my virtual domains hosted on this server. But when I try to send emails to the outside world (Gmail, Yahoo, etc) I get the following in /var/log/syslog:

Nov  8 21:47:08 mercury postfix/smtpd[12803]: connect from localhost[127.0.0.1]
Nov  8 21:47:08 mercury postfix/smtpd[12803]: 93611814E5: client=localhost[127.0.0.1]
Nov  8 21:47:08 mercury postfix/cleanup[12805]: 93611814E5: message-id=<[email protected]>
Nov  8 21:47:08 mercury opendkim[24011]: 93611814E5: DKIM-Signature field added (s=mail, d=example.com)
Nov  8 21:47:08 mercury postfix/qmgr[12250]: 93611814E5: from=<[email protected]>, size=6380, nrcpt=1 (queue active)
Nov  8 21:47:08 mercury spamd[738]: spamd: connection from ip6-localhost [::1]:33575 to port 783, fd 6
Nov  8 21:47:08 mercury spamd[738]: spamd: setuid to vmail succeeded
Nov  8 21:47:08 mercury spamd[738]: spamd: processing message <[email protected]> for vmail:5000
Nov  8 21:47:08 mercury postfix/smtpd[12803]: disconnect from localhost[127.0.0.1]
Nov  8 21:47:15 mercury spamd[738]: spamd: clean message (-1.1/5.5) for vmail:5000 in 7.3 seconds, 6661 bytes.
Nov  8 21:47:15 mercury spamd[738]: spamd: result: . -1 - ALL_TRUSTED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,T_REMOTE_IMAGE scantime=7.3,size=6661,user=vmail,uid=5000,required_score=5.5,rhost=ip6-localhost,raddr=::1,rport=33575,mid=<[email protected]>,autolearn=ham autolearn_force=no
Nov  8 21:47:15 mercury postfix/pipe[12806]: 93611814E5: to=<[email protected]>, relay=spamassassin, delay=7.4, delays=0.07/0/0/7.3, dsn=5.1.1, status=bounced (user unknown)
Nov  8 21:47:15 mercury postfix/cleanup[12805]: F10AB814E7: message-id=<[email protected]>
Nov  8 21:47:15 mercury postfix/qmgr[12250]: F10AB814E7: from=<>, size=8521, nrcpt=1 (queue active)
Nov  8 21:47:15 mercury postfix/bounce[12819]: 93611814E5: sender non-delivery notification: F10AB814E7
Nov  8 21:47:15 mercury postfix/qmgr[12250]: 93611814E5: removed
Nov  8 21:47:16 mercury postfix/virtual[12820]: F10AB814E7: to=<[email protected]>, relay=virtual, delay=0.02, delays=0/0.02/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Nov  8 21:47:16 mercury postfix/qmgr[12250]: F10AB814E7: removed
Nov  8 21:47:16 mercury spamd[9376]: prefork: child states: II

Bottom line - seems that Postfix is not expanding my /var/postfix/users and/or Postfix is not passing the domain/user to Dovecot and therefore it creates this status=bounced (user unknown) error.

My dovecot -n is:

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.5
auth_verbose = yes
base_dir = /var/run/dovecot/
info_log_path = /var/log/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  subscriptions = yes
}
passdb {
  args = scheme=PLAIN username_format=%u /etc/dovecot/users
  driver = passwd-file
}
plugin {
  sieve = /etc/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
}
pop3_uidl_format = %g
postmaster_address = postmaster@${DOMAIN}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 0
  }
}
ssl = no
ssl_cert = /etc/ssl/dovecot.crt
ssl_key = /etc/ssl/dovecot.key
ssl_parameters_regenerate = 1 days
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n
  driver = static
}
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n
  driver = static
}
valid_chroot_dirs = /home/vmail/
verbose_ssl = yes
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}

and postconf returns:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command =
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = fqdn.mydomain.com, mercury, localhost.localdomain, localhost
myhostname = fqdn.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12301
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/ssl/dovecot.crt
smtp_tls_key_file = /etc/ssl/dovecot.key
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_milters = inet:localhost:12301
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/dovecot.crt
smtpd_tls_key_file = /etc/ssl/dovecot.key
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
spamassassin_destination_recipient_limit = 1
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000

I am not sure what I should be looking into to solve this weird problem. I can send emails between my virtual domains, I can receive emails, but I am not able to send any emails out to the world :-(


Solution 1:

Solution 1 (not the best way)

Open your master.cf, and search for these rules:

smtp       inet  n       -       y       -       -       smtpd
smtps      inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd

After each of these rules, you will probably have -o content_filter=spamassassin.
This is good for incoming mails, but is not needed for outgoing mails. In the case that you're using dovecot for handling the mails, it won't even work, and that is the problem here.

The solution is: only use the spamassassin filter for the incoming mails.
You can do this by only applying it on the smtp rule, and not on the smtps and submission rules.
The downside of this is that you cannot use port 25 for sending mails, but is that a problem? Most ISPs are blocking it anyway, and ports 465/587 are better for this.

Solution 2 (better way)

In your master.cf file, you remove (or comment out) the lines for spamassassin.

In main.cf you add this:

virtual_transport = lmtp:unix:private/dovecot-lmtp

In your dovecot config file (20-lmtp.conf or dovecot.conf), you enable the sieve plugin for lmtp traffic (you've already got this, but I don't know if it's working inside quotes):

protocol lmtp {
  mail_plugins = sieve
}

This also needs to be in the dovecot config file:

protocols = imap pop3 lmtp sieve

You don't have the last 2 of these.

Local mails will be handled with dovecot with this solution (and the sieve will be executed), outgoing mails will be relayed.

The last part of this is the spam filtering.
This is done with a milter (and not a service).

If you don't have this already, install it: apt-get install spamass-milter.
In your postfix main.cf you enable it, by adding this:

smtpd_milters = inet:localhost:12301 unix:spamass/spamass.sock

It should use the spamassassin rules that you already have configured.
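
An added example (not part of the answer above, and not Postfix tooling): a small Python audit for the check described under Solution 1. It parses master.cf, joins continuation lines to their service entry, and lists which smtpd listeners still carry `-o content_filter=`. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample master.cf (not the asker's real file): every smtpd
# listener carries the spamassassin content filter.
SAMPLE_MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
smtps      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o content_filter=spamassassin
submission inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes -o content_filter=spamassassin
pickup     unix  n       -       y       60      1       pickup
"""

# Listeners that accept mail from authenticated users for onward relay.
OUTBOUND_SERVICES = {"smtps", "submission", "465", "587"}

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) to their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def content_filters(text):
    """Map each smtpd service name to its -o content_filter value (or None)."""
    result = {}
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        match = re.search(r"-o\s+content_filter=(\S*)", entry)
        result[fields[0]] = match.group(1) if match else None
    return result

def filtered_outbound(text):
    """Return outbound-facing smtpd services that still route through a filter."""
    found = content_filters(text)
    return sorted(s for s in OUTBOUND_SERVICES if found.get(s))

if __name__ == "__main__":
    print("filtered outbound listeners:", filtered_outbound(SAMPLE_MASTER_CF))
```

To audit a real server, pass the contents of /etc/postfix/master.cf to `filtered_outbound`; an empty list means only the port 25 listener is filtered.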