[Dovecot] mails delivered to the wrong user when using lmtp_proxy and reject_unverified_recipient

Peer Heinlein p.heinlein at heinlein-support.de
Fri Jul 19 18:11:18 EEST 2013


Looks like we detected a serious bug in Dovecot's LMTP proxying where
e-mails are delivered to the wrong user.

The setup is:

*) Dovecot is configured with "lmtp_proxy=yes"

# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
lmtp_proxy = yes

*) Postfix uses "dynamic recipient verification", so Postfix starts
sending a (verify) mail by LMTP to Dovecot, but quits the LMTP session
right after the RCPT TO:. No DATA stage is reached in the protocol and
no real e-mail is sent. But Postfix had an LMTP connection for "user1".

*) Just some seconds later a "real" e-mail to "user2" has to be
delivered to Dovecot by LMTP. But Dovecot will deliver this mail to the
wrong "user1" instead of "user2". Looks like Dovecot re-uses the (still
open?) LMTP proxy connection from "user1" to deliver an e-mail to "user2".

Have a look at the protocol:

1) There's a verify call to user1 from Postfix:

Jul 19 13:49:49 mailms postfix/lmtp[9842]: DE653280C51:
to=<user1 at example.com>, relay=localhost[]:24, conn_use=2,
delay=120, delays=117/0.45/0/2.5, dsn=2.1.5, status=deliverable (250
2.1.5 OK)

2) Just five seconds later the e-mail to user2 (see Postfix' point of
view in the last line) is delivered to user2 (see result from Dovecot in
the last line):

Jul 19 13:50:04 mailms dovecot: lmtp(10965, kraemer): save: box=INBOX,
uid=49880, msgid=<59798276-E5D1-4053-A570-9901B731DF5D at example.come>,
Jul 19 13:50:04 mailms dovecot: lmtp(10965, kraemer):
msgid=<59798276-E5D1-4053-A570-9901B731DF5D at example.com>: saved mail to
Jul 19 13:50:04 mailms postfix/lmtp[10953]: C25FC280BE5:
to=<user2 at example.com>, relay=localhost[]:24, conn_use=19,
delay=116, delays=115/0.53/0/0.33, dsn=2.0.0, status=sent (250 2.0.0
<user2> 1zTeKrMn6VHVKgAAhyqEuA Saved)

Same with user3 and user4:

Jul 19 14:47:53 mailms postfix/lmtp[10845]: C389A2809D7:
to=<user3 at example.com>, relay=localhost[]:24, delay=4.7,
delays=3.7/0.87/0/0.19, dsn=2.1.5, status=deliverable (250 2.1.5 OK)
Jul 19 14:47:55 mailms dovecot: lmtp(26546, fs211113): save: box=INBOX,
uid=8504, msgid=<928729810.113.1374238063381 at example.com>, size=233151
Jul 19 14:47:55 mailms dovecot: lmtp(26546, fs211113):
MbMvI2816VGyZwAAhyqEuA: msgid=<928729810.113.1374238063381 at example.com>:
saved mail to INBOX
Jul 19 14:47:55 mailms postfix/lmtp[22524]: 6F0D2280A6E:
to=<user4 at example.com>, relay=localhost[]:24, conn_use=2,
delay=10, delays=8.4/1/0/0.8, dsn=2.0.0, status=sent (250 2.0.0 <user3>
MbMvI2816VGyZwAAhyqEuA Saved)

The user itself is quite normal in the user database (but has a
mailhost= set):

root at mailms:/etc/dovecot/conf.d# doveadm user user2 at example.com
userdb: user2 at example.com
  uid       : 5000
  gid       : 5000
  home      : /srv/mail/user2

root at mailms:/etc/dovecot/conf.d# doveadm auth user2 at example.com
passdb: user2 at example.com auth failed
extra fields:


Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin


Tel: 030 / 405051-42
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
Managing director: Peer Heinlein -- Registered office: Berlin
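
One way to search combined mail logs for the mismatch reported above, as an added example that is not part of the original post: it joins each Postfix "status=sent" reply to Dovecot's "saved mail to" line on the LMTP session id and flags deliveries whose recipient differs. The log lines are constructed after the formats quoted in the message, and the check assumes the Dovecot username equals the recipient's local part, which is site-specific.

```python
import re

# Constructed sample lines modelled on the log formats quoted in the post.
SAMPLE = """\
Jul 19 14:47:53 mx postfix/lmtp[101]: AAA111: to=<user3@example.com>, relay=localhost[127.0.0.1]:24, dsn=2.1.5, status=deliverable (250 2.1.5 OK)
Jul 19 14:47:55 mx dovecot: lmtp(202, user3): SIDconstructed01: msgid=<m1@example.com>: saved mail to INBOX
Jul 19 14:47:55 mx postfix/lmtp[102]: BBB222: to=<user4@example.com>, relay=localhost[127.0.0.1]:24, conn_use=2, dsn=2.0.0, status=sent (250 2.0.0 <user3> SIDconstructed01 Saved)
Jul 19 14:48:10 mx dovecot: lmtp(203, user5): SIDconstructed02: msgid=<m2@example.com>: saved mail to INBOX
Jul 19 14:48:10 mx postfix/lmtp[103]: CCC333: to=<user5@example.com>, relay=localhost[127.0.0.1]:24, dsn=2.0.0, status=sent (250 2.0.0 <user5@example.com> SIDconstructed02 Saved)
""".splitlines()

# Dovecot: "lmtp(<pid>, <user>): <session-id>: msgid=...: saved mail to <box>"
DOVECOT_SAVED = re.compile(
    r"dovecot: lmtp\(\d+, (?P<user>[^)]+)\): (?P<sid>\S+): msgid=.*saved mail to")
# Postfix: the 250 reply carries the recipient Dovecot acknowledged and its session id.
POSTFIX_SENT = re.compile(
    r"postfix/lmtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>,.*"
    r"status=sent \(250 2\.0\.0 <(?P<acked>[^>]+)> (?P<sid>\S+) Saved\)")

def local_part(addr):
    # Assumption: Dovecot usernames match the recipient's local part.
    return addr.split("@", 1)[0].lower()

def find_misdeliveries(lines):
    """Return one finding per Postfix delivery whose recipient does not match
    the user Dovecot acknowledged or saved the message for."""
    saved_for, sent = {}, []   # session id -> mailbox user; Postfix deliveries
    for line in lines:
        m = DOVECOT_SAVED.search(line)
        if m:
            saved_for[m["sid"]] = m["user"]
            continue
        m = POSTFIX_SENT.search(line)
        if m:
            sent.append(m.groupdict())
    findings = []
    for d in sent:   # compare after the full pass: line order may vary
        want = local_part(d["rcpt"])
        saved = saved_for.get(d["sid"])   # None if the Dovecot line is missing
        if local_part(d["acked"]) != want or (saved and local_part(saved) != want):
            findings.append({"queue_id": d["qid"], "intended": d["rcpt"],
                             "acked": d["acked"], "saved_for": saved})
    return findings

if __name__ == "__main__":
    for finding in find_misdeliveries(SAMPLE):
        print(finding)
```

Recipient verification probes ("status=deliverable") are ignored on purpose, since no message is saved for them.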
