<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Rejecting Unknown Local Recipients with Postfix</title> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> </head> <body> <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Rejecting Unknown Local Recipients with Postfix</h1> <hr> <h2>Introduction</h2> <p> As of Postfix version 2.0, the Postfix SMTP server rejects mail for unknown recipients in <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a> (domains that match $<a href="postconf.5.html#mydestination">mydestination</a> or the IP addresses in $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>) with "User unknown in local recipient table". This feature was optional with earlier Postfix versions. </p> <p> The good news is that this keeps undeliverable mail out of your queue, so that your mail queue is not clogged up with undeliverable MAILER-DAEMON messages. </p> <p> The bad news is that it may cause mail to be rejected when you upgrade from a Postfix system that was not configured to reject mail for unknown local recipients. </p> <p> This document describes what steps are needed in order to reject unknown local recipients correctly. </p> <ul> <li><a href="#main_config">Configuring local_recipient_maps in main.cf</a> <li><a href="#change">When you need to change the local_recipient_maps setting in main.cf</a> <li><a href="#format">Local recipient table format </a> </ul> <h2><a name="main_config">Configuring local_recipient_maps in main.cf</a></h2> <p> The <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter specifies lookup tables with all names or addresses of local recipients. A recipient address is local when its domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. If a local username or address is not listed in $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, then the Postfix SMTP server will reject the address with "User unknown in local recipient table". </p> <p> The default setting, shown below, assumes that you use the default Postfix <a href="local.8.html">local(8)</a> delivery agent for local delivery, where recipients are either UNIX accounts or local aliases: </p> <blockquote> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a>: <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = <a href="proxymap.8.html">proxy</a>:unix:passwd.byname $<a href="postconf.5.html#alias_maps">alias_maps</a> </pre> </blockquote> <p> To turn off unknown local recipient rejects by the SMTP server, specify: </p> <blockquote> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a>: <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = </pre> </blockquote> <p> That is, an empty value. With this setting, the Postfix SMTP server will not reject mail with "User unknown in local recipient table". <b> Don't do this on systems that receive mail directly from the Internet. With today's worms and viruses, Postfix will become a backscatter source: it accepts mail for non-existent recipients and then tries to return that mail as "undeliverable" to the often forged sender address</b>. </p> <h2><a name="change">When you need to change the local_recipient_maps setting in main.cf</a></h2> <ul> <li> <p> Problem: you don't use the default Postfix <a href="local.8.html">local(8)</a> delivery agent for domains matching $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. For example, you redefined the "<a href="postconf.5.html#local_transport">local_transport</a>" setting in <a href="postconf.5.html">main.cf</a>. </p> <p> Solution: your <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> setting needs to specify a database that lists all the known user names or addresses for that delivery agent. For example, if you deliver users in $<a href="postconf.5.html#mydestination">mydestination</a> etc. domains via the <a href="virtual.8.html">virtual(8)</a> delivery agent, specify: </p> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost.$<a href="postconf.5.html#mydomain">mydomain</a> localhost ... <a href="postconf.5.html#local_transport">local_transport</a> = virtual <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> </pre> <p> If you use a different delivery agent for $<a href="postconf.5.html#mydestination">mydestination</a> etc. domains, see the section "<a href="#format">Local recipient table format</a>" below for a description of how the table should be populated. </p> <li> <p> Problem: you use the <a href="postconf.5.html#mailbox_transport">mailbox_transport</a> or <a href="postconf.5.html#fallback_transport">fallback_transport</a> feature of the Postfix <a href="local.8.html">local(8)</a> delivery agent in order to deliver mail to non-UNIX accounts. </p> <p> Solution: you need to add the database that lists the non-UNIX users: </p> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = <a href="proxymap.8.html">proxy</a>:unix:passwd.byname, $<a href="postconf.5.html#alias_maps">alias_maps</a>, <the database with non-UNIX accounts> </pre> <p> See the section "<a href="#format">Local recipient table format</a>" below for a description of how the table should be populated. </p> <li> <p> Problem: you use the <a href="postconf.5.html#luser_relay">luser_relay</a> feature of the Postfix local delivery agent. </p> <p> Solution: you must disable the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> feature completely, so that Postfix accepts mail for all local addresses: </p> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = </pre> </ul> <h2><a name="format">Local recipient table format</a> </h2> <p> If you use local files in <a href="postmap.1.html">postmap(1)</a> format, then <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> expects the following table format: </p> <ul> <li> <p> In the left-hand side, specify a bare username, an "@domain.tld" wild-card, or specify a complete "user@domain.tld" address. </p> <li> <p> You have to specify something on the right-hand side of the table, but the value is ignored by <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>. </ul> <p> If you use lookup tables based on NIS, LDAP, MYSQL, or PGSQL, then <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> does the same queries as for local files in <a href="postmap.1.html">postmap(1)</a> format, and expects the same results. </p> <p> With regular expression tables, Postfix only queries with the full recipient address, and not with the bare username or the "@domain.tld" wild-card. </p> <p> NOTE: a lookup table should always return a result when the address exists, and should always return "not found" when the address does not exist. In particular, a zero-length result does not count as a "not found" result. </p> </body> </html>