lmtp user verification
Hi,
After a new install and avoiding a lot of simple faults, I try to run my system postfix as smtpd, smtpds, and submission, and dovecot as imap and lmtp server.
I can login to imap, and I can send via 587 with sasl authentication. So I think that most things are ok :-)
What does NOT work is the local transport to my maildir. christian.kuhn@qno.de is not resolved to qno@qno.de but to qno@bywater.qno.de, and lmtp rejects that unverified user:
2025-05-25T18:13:25.431342+02:00 bywater postfix/smtpd[987726]: NOQUEUE: reject: RCPT from mail-lj1-f176.google.com[209.85.208.176]: 450 4.1.1 <qno@bywater.qno.de>: Recipient address rejected: unverified address: host bywater.qno.de[private/dovecot-lmtp] said: 550 5.1.1 <qno@bywater.qno.de> User doesn't exist: qno@bywater.qno.de (in reply to RCPT TO command)
Also mails to qno-anyextension@qno.de are rejected. I set recipient_delimiter to -, but it seems to be ignored by lmtp:
2025-05-25T15:24:10.147369+02:00 bywater postfix/smtpd[985952]: NOQUEUE: reject: RCPT from higher.littydate.com[104.244.79.41]: 450 4.1.1 <qno-planets@qno.de>: Recipient address rejected: unverified address: host bywater.qno.de[private/dovecot-lmtp] said: 550 5.1.1 <qno-planets@qno.de> User doesn't exist: qno-planets@qno.de (in reply to RCPT TO command); from=<webmaster@littydate.com> to=<qno-planets@qno.de> proto=ESMTP helo=<higher.littydate.com>
postconf -n: (postfix 3.8.6)
broken_sasl_auth_clients = yes
compatibility_level = 3.6
content_filter = amavis:[127.0.0.1]:10024
default_database_type = cdb
indexed = ${default_database_type}:${tabledir}
inet_interfaces = 127.0.0.1, 65.21.136.15, [::1], [2a01:4f9:3b:25b0:9:6:1:e01]
local_recipient_maps =
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mydestination = $myhostname
mydomain = qno.de
myhostname = bywater.qno.de
mynetworks = 127.0.0.0/8 65.21.136.15/32 [::1]/128 [2a01:4f9:3b:25b0:9:6:1:e01]/128 [2a01:4f8:171:b85:9:6:1:e01]/128 136.243.102.134/32
myorigin = $mydomain
policyd-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = no
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = ${indexed}dnsbl_reply
postscreen_dnsbl_sites = zusbyxqsairu6mu6ayyhstc3ua.zen.dq.spamhaus.net
postscreen_dnsbl_threshold = 1
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = no
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
receive_override_options = no_address_mappings
recipient_delimiter = -
smtp_bind_address = 65.21.136.15
smtp_bind_address6 = 2a01:4f9:3b:25b0:9:6:1:e01
smtp_generic_maps = ${indexed}generic
smtp_tls_exclude_ciphers = aNULL
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = RC4, MD5, SHA1
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient, check_policy_service unix:private/policyd-spf, reject_rbl_client zusbyxqsairu6mu6ayyhstc3ua.zen.dq.spamhaus.net, reject_rhsbl_reverse_client zusbyxqsairu6mu6ayyhstc3ua.dbl.dq.spamhaus.net, reject_rhsbl_helo zusbyxqsairu6mu6ayyhstc3ua.dbl.dq.spamhaus.net, reject_rhsbl_sender zusbyxqsairu6mu6ayyhstc3ua.dbl.dq.spamhaus.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_eccert_file = /etc/letsencrypt/live/mail.qno.de/fullchain.pem
smtpd_tls_eckey_file = /etc/letsencrypt/live/mail.qno.de/privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, SHA1
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tabledir = ${config_directory}/tables.d/
virtual_alias_domains = $mydomain
virtual_alias_maps = ${indexed}virtual
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = sk-koenig-tegel.de
virtual_mailbox_maps = mysql:${tabledir}virtual_mailbox_maps.cf
virtual_minimum_uid = 10000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
doveconf -n:
2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
Pigeonhole version 0.5.21 (f6cd4b8e)
OS: Linux 6.8.0-60-generic x86_64 Ubuntu 24.04.2 LTS
Hostname: bywater.qno.de
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = yes
listen = 65.21.136.15, 2a01:4f9:3b:25b0:9:6:1:c01
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/letsencrypt/live/imap2.qno.de/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
syslog_facility = local0
userdb {
  driver = passwd
}
verbose_proctitle = yes
verbose_ssl = yes
TIA QNo
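A triage helper for the two reject lines quoted in the message above, added here as an example and not part of the original post: it extracts the address Postfix's verify probe handed to Dovecot LMTP and flags how it differs from what was expected. The function and finding names are made up for illustration; the mail domain `qno.de` and the `-` delimiter are taken from the posted postconf output.

```python
import re

# Sample input: the two reject lines from the post, embedded so this runs offline.
SAMPLE_LOG = [
    "2025-05-25T18:13:25.431342+02:00 bywater postfix/smtpd[987726]: NOQUEUE: reject: RCPT from mail-lj1-f176.google.com[209.85.208.176]: 450 4.1.1 <qno@bywater.qno.de>: Recipient address rejected: unverified address: host bywater.qno.de[private/dovecot-lmtp] said: 550 5.1.1 <qno@bywater.qno.de> User doesn't exist: qno@bywater.qno.de (in reply to RCPT TO command)",
    "2025-05-25T15:24:10.147369+02:00 bywater postfix/smtpd[985952]: NOQUEUE: reject: RCPT from higher.littydate.com[104.244.79.41]: 450 4.1.1 <qno-planets@qno.de>: Recipient address rejected: unverified address: host bywater.qno.de[private/dovecot-lmtp] said: 550 5.1.1 <qno-planets@qno.de> User doesn't exist: qno-planets@qno.de (in reply to RCPT TO command); from=<webmaster@littydate.com> to=<qno-planets@qno.de> proto=ESMTP helo=<higher.littydate.com>",
]

# Shape of a reject_unverified_recipient line as it appears in the post.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<smtp_code>\d{3}) \S+ <[^>]*>: Recipient address rejected: "
    r"unverified address: host \S+\[(?P<probe_dest>[^\]]+)\] said: "
    r"(?P<lmtp_code>\d{3}) \S+ <(?P<probed>[^>]*)>"
)
ENVELOPE_TO = re.compile(r"; from=<[^>]*> to=<(?P<to>[^>]*)>")


def classify(line, mail_domain="qno.de", delimiter="-"):
    """Return a dict describing one failed verify probe, or None if no match."""
    m = REJECT.search(line)
    if m is None:
        return None
    to = ENVELOPE_TO.search(line)
    local, _, domain = m.group("probed").partition("@")
    findings = []
    if domain.lower() != mail_domain:
        # LMTP was asked about user@<hostname>, not user@<mail domain>.
        findings.append("probe-uses-other-domain")
    if delimiter in local:
        # The address extension reached LMTP as part of the user name.
        findings.append("extension-in-probe")
    if m.group("smtp_code")[0] == "4" and m.group("lmtp_code")[0] == "5":
        # The client gets a temporary error although LMTP answered permanently.
        findings.append("temp-reject-for-permanent-lmtp-error")
    return {
        "client": m.group("client"),
        "probe_dest": m.group("probe_dest"),
        "probed": m.group("probed"),
        "envelope_to": to.group("to") if to else None,
        "findings": findings,
    }


def triage(lines, **kw):
    """Classify every matching line; non-matching lines are skipped."""
    return [r for r in (classify(l, **kw) for l in lines) if r is not None]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result["probed"], "via", result["probe_dest"], result["findings"])
```

The third finding reflects that the SMTP client sees a 450 while Dovecot answered 550, so remote senders keep retrying these recipients instead of bouncing.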
On Sunday, 25 May 2025, 18:33:54 CEST, Christian H. Kuhn via dovecot wrote:
> What does NOT work is the local transport to my maildir. christian.kuhn@qno.de is not resolved to qno@qno.de but to qno@bywater.qno.de, and lmtp rejects that unverified user:
For dovecot I think you need to strip the domain
protocol lmtp {
  auth_username_format = %{user | username}
}
For postfix I think you need to add your domain to mydestination
mydestination = $myhostname, $mydomain # i also add localhost.$mydomain, localhost
regards, Tami
Dear Paul,
thank you for your comment.
On 25.05.2025 at 20:01, Paul Zirnik via dovecot wrote:
> For dovecot i think you need to strip the domain
> protocol lmtp {
>   auth_username_format = %{user | username}
> }
If I understand the docs, the setting in 10-auth
auth_username_format = %Ln
sets the username to lowercase and strips the domain. As it is not contained in any environment, I regarded it as global. Is it really necessary to repeat it for protocol lmtp?
> For postfix i think you need to add your domain to mydestination
> mydestination = $myhostname, $mydomain # i also add localhost.$mydomain, localhost
That seems wrong. virtual_alias_domains = $mydomain, and the postfix docs warn explicitly to use mydestination for any virtual_alias_domain or virtual_mailbox_domain.
Kind regards, QNo
On Sunday, 25 May 2025, 23:01:11 CEST, Christian H. Kuhn via dovecot wrote:
> Dear Paul,
> thank you for your comment.
> On 25.05.2025 at 20:01, Paul Zirnik via dovecot wrote:
>> For dovecot i think you need to strip the domain
>> protocol lmtp {
>>   auth_username_format = %{user | username}
>> }
> If i understand the docs, the setting in 10-auth
> auth_username_format = %Ln
> sets the username to lowercase and strips the domain. As it is not contained in any environment, i regarded it as global. Is it really necessary to repeat it for protocol lmtp?
I am using dovecot 2.4 already and I need to set it. I do use fetchmail that does redeliver it to postfix and if I left out the setting dovecot does reject as <user>@localhost unknown.
Also with 2.4 the vars are changed to full names and the single letters are gone, so better to change already.
>> For postfix i think you need to add your domain to mydestination
>> mydestination = $myhostname, $mydomain # i also add localhost.$mydomain, localhost
> That seems wrong. virtual_alias_domains = $mydomain, and the postfix docs warn explicitly to use mydestination for any virtual_alias_domain or virtual_mailbox_domain.
I missed the virtual part, sorry.
regards, Tami
participants (2)
- Christian H. Kuhn
- Paul Zirnik