fix: $myhostname.localhost virtual mailbox domain

DavidePrincipi · DavidePrincipi · commit 3e2de9312a5b · 2025-07-31T17:56:24.000+02:00
- Ensure double-bounces originate from a valid DNS name. Some sites
  check whether the domain part of the address resolves via DNS. We use
  double-bounce@$myhostname for this purpose.

- Use a fictional internal routing domain name, $myhostname.localhost,
  where POSTFIX_ORIGIN was previously used. This simplifies configuration
  scenarios where the LDAP user domain is also a mail domain. We assume
  $myhostname.localhost is never used as a mail domain, since it cannot
  be registered in DNS and .localhost is reserved by RFC 2606.

- Update the test suite to expect a slightly different error message when
  the user domain is not accessible. Remove the user_domain test suite,
  as that scenario no longer occurs.
diff --git a/README.md b/README.md
@@ -289,12 +289,12 @@ For instance, to speed up testing on a local machine:
    installation steps. The `--variable` option is required to find the
    existing Mail instance.
 
-       SSH_KEYFILE=~/.ssh/id_ecdsa bash test-module.sh 10.5.4.1 ghcr.io/nethserver/mail:bug-6977 --exclude udomORremove --variable MID:mail1
+       SSH_KEYFILE=~/.ssh/id_ecdsa bash test-module.sh 10.5.4.1 ghcr.io/nethserver/mail:bug-6977 --exclude udomORmodule --variable MID:mail1
 
 3. Select a subset of tests and suite with `--include`, `--test`, or
    `--suite` flags. For example, run only the SMTP test suite:
 
-       SSH_KEYFILE=~/.ssh/id_ecdsa bash test-module.sh 10.5.4.1 ghcr.io/nethserver/mail:bug-6977 --exclude udomORremove --variable MID:mail1 --suite smtp
+       SSH_KEYFILE=~/.ssh/id_ecdsa bash test-module.sh 10.5.4.1 ghcr.io/nethserver/mail:bug-6977 --exclude udomORmodule --variable MID:mail1 --suite smtp
 
 ## Migration from nethserver-mail (NS7)
 
diff --git a/postfix/README.md b/postfix/README.md
@@ -30,10 +30,7 @@ Standard public TCP ports
 - `POSTFIX_TRUSTED_NETWORK`. Added to Postfix [mynetworks](https://www.postfix.org/postconf.5.html#mynetworks)
 - `POSTFIX_HOSTNAME`. Value for Postfix
   [myhostname](https://www.postfix.org/postconf.5.html#myhostname).
-- `POSTFIX_ORIGIN`. User domain name set as mailbox domain, also appended
-  to unqualified user names by the trivial-rewrite process. See Postfix
-  [virtual_mailbox_domains](https://www.postfix.org/postconf.5.html#virtual_mailbox_domains)
-  and [myorigin](https://www.postfix.org/postconf.5.html#myorigin).
+- `POSTFIX_ORIGIN`. Selected user domain -- Not used by Postfix any more. Still used by APIs.
 - `POSTFIX_LDAP_HOST`, eg `127.0.0.1`
 - `POSTFIX_LDAP_PORT`, eg `389`
 - `POSTFIX_LDAP_USER`, bind DN, eg `uid=ldapservice,dc=directory,dc=nh`
diff --git a/postfix/etc/postfix/alias-access-check.cf b/postfix/etc/postfix/alias-access-check.cf
diff --git a/postfix/etc/postfix/dovecot-sasl.cf b/postfix/etc/postfix/dovecot-sasl.cf
@@ -5,4 +5,3 @@
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = /var/lib/umail/auth
 smtpd_sasl_security_options = noanonymous
-smtpd_sasl_local_domain = $myorigin
diff --git a/postfix/etc/postfix/pcdb-init.sql b/postfix/etc/postfix/pcdb-init.sql
@@ -24,13 +24,11 @@ CREATE TABLE domains (
     -- transport rules.
     addusers INT DEFAULT 0,
     -- if set to 1, the domain accepts additional user addresses like
-    -- user@domain. The address is rewritten to user@$myorigin. See
-    -- POSTFIX_ORIGIN in the README.
+    -- user@domain.
     addgroups INT DEFAULT 0,
     -- if set to 1, the domain accepts additional group addresses like
     -- group@domain. The group members list is retrieved from LDAP and
-    -- the address is rewritten to user1, user2, user3, etc. See
-    -- POSTFIX_ORIGIN in the README.
+    -- the address is rewritten to user1, user2, user3, etc.
     catchall TEXT DEFAULT NULL,
     -- fallback rewrite rule for addresses that do not match any record in
     -- the "destmap" table. It can be a virtual mailbox name.
diff --git a/postfix/usr/local/bin/reload-config b/postfix/usr/local/bin/reload-config
@@ -37,44 +37,22 @@ fi
 
 S='$' # to escape $ in template
 
-if [ -n "${POSTFIX_ORIGIN}" ]; then
-    tmpl_virtual_mailbox_domains=${POSTFIX_ORIGIN}
-    tmpl_virtual_mailbox_maps="inline:{{ vmail@${POSTFIX_ORIGIN} = vmail }}, "'proxy:ldap:$meta_directory/laddusers-origin.cf'
-    tmpl_myorigin=${POSTFIX_ORIGIN}
-    tmpl_verify_recipient_address="check_recipient_access inline:{{ ${POSTFIX_ORIGIN} = reject_unverified_recipient }}"
-else
-    tmpl_virtual_mailbox_domains=
-    tmpl_virtual_mailbox_maps=
-    tmpl_myorigin='$myhostname'
-    tmpl_verify_recipient_address=
-fi
+tmpl_myhostname="${POSTFIX_HOSTNAME:-$(hostname -f)}"
+tmpl_vdomain="${tmpl_myhostname}.localhost"
+tmpl_virtual_mailbox_domains="${tmpl_vdomain}"
+tmpl_virtual_mailbox_maps="inline:{{ vmail@${tmpl_vdomain} = vmail }}, "'proxy:ldap:$meta_directory/laddusers-origin.cf'
+tmpl_verify_recipient_address="check_recipient_access inline:{{ ${tmpl_vdomain} = reject_unverified_recipient }}"
+
 
 tmpl_milters="${POSTFIX_MILTERS}"
 tmpl_mynetworks="127.0.0.1/32 ${POSTFIX_TRUSTED_NETWORK}"
-tmpl_myhostname="${POSTFIX_HOSTNAME:-$(hostname -f)}"
 tmpl_debug_peer_list="${POSTFIX_DEBUG_PEERS:-\$mynetworks}"
 tmpl_relay_domains=$(pcdbquery "SELECT group_concat(domain || '=' || transport) FROM domains WHERE transport LIKE '_mtp:%'")
-tmpl_virtual_alias_domains=$(pcdbquery "SELECT group_concat(domain) FROM domains WHERE transport IS NULL AND domain NOT IN ('*', '${POSTFIX_ORIGIN}')")
-origin_flags="$(pcdbquery "SELECT addusers + (addgroups * 2) AS origin_flags FROM domains WHERE domain='${POSTFIX_ORIGIN}'")"
-if [ "${origin_flags}" == 1  ]; then
-    # addusers flag: reject groups and vmail, accept users and aliases
-    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{sqlite:$meta_directory/alias-access-check.cf,proxy:ldap:$meta_directory/laddgroupmembers.cf,static:{REJECT access denied}}'
-elif [ "${origin_flags}" == 2  ]; then
-    # addgroups flag: reject users and vmail, accept groups and aliases
-    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{sqlite:$meta_directory/alias-access-check.cf,proxy:ldap:$meta_directory/laddusers-origin.cf,static:{REJECT access denied}}'
-elif [ "${origin_flags}" == 3  ]; then
-    # addusers+addgroups flag: reject vmail only, accept everything else
-    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}"
-elif  [ "${origin_flags}" == 0  ]; then
-    # domain has no flags: reject users, groups, and vmail, accept aliases
-    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{sqlite:$meta_directory/alias-access-check.cf,unionmap:{proxy:ldap:$meta_directory/laddusers-origin.cf,proxy:ldap:$meta_directory/laddgroupmembers.cf},static:{REJECT access denied}}'
-else
-    # reject everything because the domain not defined
-    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ ${POSTFIX_ORIGIN} = REJECT access denied }}"
-fi
-tmpl_domain_catchall_map=$(pcdbquery "SELECT 'inline:{' || group_concat('{@' || domain || '=' || catchall || '@${tmpl_myorigin}}', ', ') || '}' FROM domains WHERE length(catchall) > 0 AND domain != '*'")
-tmpl_laddgroups_domains=$(pcdbquery "SELECT group_concat(domain, ' ') FROM (SELECT domain FROM domains WHERE addgroups = 1 UNION SELECT '${POSTFIX_ORIGIN}' AS domain)")
-tmpl_laddusers_domains=$(pcdbquery "SELECT group_concat(domain, ' ') FROM (SELECT domain FROM domains WHERE addusers = 1 UNION SELECT '${POSTFIX_ORIGIN}' AS domain)")
+tmpl_virtual_alias_domains=$(pcdbquery "SELECT group_concat(domain) FROM domains WHERE transport IS NULL AND domain != '*'")
+tmpl_reject_internal_myorigin="check_recipient_access inline:{{ ${tmpl_vdomain} = REJECT access denied }}"
+tmpl_domain_catchall_map=$(pcdbquery "SELECT 'inline:{' || group_concat('{@' || domain || '=' || catchall || '@${tmpl_vdomain}}', ', ') || '}' FROM domains WHERE length(catchall) > 0 AND domain != '*'")
+tmpl_laddgroups_domains=$(pcdbquery "SELECT group_concat(domain, ' ') FROM (SELECT domain FROM domains WHERE addgroups = 1 UNION SELECT '${tmpl_vdomain}' AS domain)")
+tmpl_laddusers_domains=$(pcdbquery "SELECT group_concat(domain, ' ') FROM (SELECT domain FROM domains WHERE addusers = 1 UNION SELECT '${tmpl_vdomain}' AS domain)")
 tmpl_ldap_bind_dn="${POSTFIX_LDAP_USER}"
 tmpl_ldap_bind_pw="${POSTFIX_LDAP_PASS}"
 tmpl_ldap_host="${POSTFIX_LDAP_HOST}"
@@ -100,7 +78,7 @@ envsubst >/etc/postfix/laddusers.cf <"${TEMPLATES_DIR:?}/laddusers-${ldap_schema
 envsubst >/etc/postfix/userforwards.cf <"${TEMPLATES_DIR:?}/userforwards.cf"
 envsubst >/etc/postfix/laddgroupmembers.cf <"${TEMPLATES_DIR:?}/laddgroupmembers-${ldap_schema}.cf"
 envsubst <"${TEMPLATES_DIR:?}/laddusers-${ldap_schema}.cf" | \
-    sed "s/^domain = .*/domain = ${tmpl_myorigin}/ ; /^# just/ d" >/etc/postfix/laddusers-origin.cf
+    sed "s/^domain = .*/domain = ${tmpl_vdomain}/ ; /^# just/ d" >/etc/postfix/laddusers-origin.cf
 
 if [ -z "${tmpl_sasl_commentout}" ] ; then
     cat /etc/postfix/dovecot-sasl.cf >> /etc/postfix/main.cf
diff --git a/postfix/usr/local/lib/templates/laddgroupmembers-ad.cf b/postfix/usr/local/lib/templates/laddgroupmembers-ad.cf
@@ -13,4 +13,4 @@ query_filter = (&(objectClass=group)(sAMAccountName=%u)(groupType:1.2.840.113556
 result_attribute = sAMAccountName
 special_result_attribute = member
 leaf_result_attribute = sAMAccountName
-domain = ${tmpl_laddgroups_domains} notempty.invalid
+domain = ${tmpl_laddgroups_domains}
diff --git a/postfix/usr/local/lib/templates/laddgroupmembers-rfc2307.cf b/postfix/usr/local/lib/templates/laddgroupmembers-rfc2307.cf
@@ -11,4 +11,4 @@ server_port = ${tmpl_ldap_port}
 search_base = ${tmpl_ldap_base}
 query_filter = (&(objectClass=posixGroup)(cn=%u))
 result_attribute = memberUid
-domain = ${tmpl_laddgroups_domains} notempty.invalid
+domain = ${tmpl_laddgroups_domains}
diff --git a/postfix/usr/local/lib/templates/laddusers-ad.cf b/postfix/usr/local/lib/templates/laddusers-ad.cf
@@ -11,4 +11,4 @@ server_port = ${tmpl_ldap_port}
 search_base = ${tmpl_ldap_base}
 query_filter = (&(objectClass=user)(objectCategory=person)(sAMAccountName=%u))
 result_attribute = sAMAccountName
-domain = ${tmpl_laddusers_domains} notempty.invalid
+domain = ${tmpl_laddusers_domains}
diff --git a/postfix/usr/local/lib/templates/laddusers-rfc2307.cf b/postfix/usr/local/lib/templates/laddusers-rfc2307.cf
@@ -11,4 +11,4 @@ server_port = ${tmpl_ldap_port}
 search_base = ${tmpl_ldap_base}
 query_filter = (&(objectClass=posixAccount)(objectClass=inetOrgPerson)(uid=%u))
 result_attribute = uid
-domain = ${tmpl_laddusers_domains} notempty.invalid
+domain = ${tmpl_laddusers_domains}
diff --git a/postfix/usr/local/lib/templates/main.cf b/postfix/usr/local/lib/templates/main.cf
@@ -57,10 +57,10 @@ virtual_transport = lmtp:unix:/var/lib/umail/lmtp
 relay_domains = ${tmpl_relay_domains}
 transport_maps = sqlite:${S}meta_directory/relaydest.cf
 recipient_delimiter = +
-myorigin = ${tmpl_myorigin}
 
 # Never use local transport, set "mydestination" to empty string:
 mydestination =
+myorigin = ${tmpl_vdomain}
 
 #
 # Address verification (memory DB)
@@ -74,6 +74,7 @@ address_verify_negative_cache = yes
 address_verify_negative_expire_time = 2h
 address_verify_negative_refresh_time = 15m
 address_verify_cache_cleanup_interval = 4h
+double_bounce_sender = double-bounce@${tmpl_myhostname}
 
 #
 # Relay authentication rules, SMTP server passwords and TLS policy
diff --git a/postfix/usr/local/lib/templates/userforwards.cf b/postfix/usr/local/lib/templates/userforwards.cf
@@ -7,4 +7,4 @@ query =
     SELECT dest
     FROM userforwards
     WHERE user = '%u'
-domain = ${tmpl_myorigin}
+domain = ${tmpl_vdomain}
diff --git a/tests/50__smtp/00__internal_address.robot b/tests/50__smtp/00__internal_address.robot
@@ -9,22 +9,22 @@ Test Tags    internal    address    domain
 User domain wildcard address is internal
     Send SMTP message to    i2@ldap.dom.test
     ...                     expect_curl_exitcode=55
-    Should return SMTP error    554 5.7.1 <i2@ldap.dom.test>: Recipient address rejected: access denied
+    Should return SMTP error    554 5.7.1 <i2@ldap.dom.test>: Relay access denied
 
 User domain user is internal
     Send SMTP message to    u1@ldap.dom.test
     ...                     expect_curl_exitcode=55
-    Should return SMTP error    554 5.7.1 <u1@ldap.dom.test>: Recipient address rejected: access denied
+    Should return SMTP error    554 5.7.1 <u1@ldap.dom.test>: Relay access denied
 
 User domain group is internal
     Send SMTP message to    g1@ldap.dom.test
     ...                     expect_curl_exitcode=55
-    Should return SMTP error    554 5.7.1 <g1@ldap.dom.test>: Recipient address rejected: access denied
+    Should return SMTP error    554 5.7.1 <g1@ldap.dom.test>: Relay access denied
 
 Vmail is internal
     Send SMTP message to    vmail@ldap.dom.test
     ...                     expect_curl_exitcode=55
-    Should return SMTP error    554 5.7.1 <vmail@ldap.dom.test>: Recipient address rejected: access denied
+    Should return SMTP error    554 5.7.1 <vmail@ldap.dom.test>: Relay access denied
 
 User alias internal address
     Send SMTP message to    i1@internal.test
diff --git a/tests/50__smtp/00__user_domain.robot b/tests/50__smtp/00__user_domain.robot
