I'm using Postfix to funnel email from three different domains into one catchall like so:
/etc/postfix/virtual:
@domain1.de [email protected]
@domain2.de [email protected]
@domain3.de [email protected]
Sending an email to [email protected] results in the following header:
Delivered-To: [email protected]
Return-Path: <[email protected]>
<[email protected]>
Received: from v2.domain1.de by v2.domain1.de with LMTP id pX7HGJd6ZGcVgBIAGUxxBA (envelope-from <[email protected]>) for <[email protected]>; Thu, 19 Dec 2024 19:57:11 +0000
Received: from mba.domain1.de (home.domain1.de [1.2.3.4]) by v2.domain1.de (Postfix) with ESMTP id 5CF148A278 for <[email protected]>; Thu, 19 Dec 2024 19:57:11 +0000 (UTC)
Received: by mba.domain1.de (Postfix, from userid 501) id 29B953B98524; Thu, 19 Dec 2024 20:57:11 +0100 (CET)
The catchall address is exposed twice. How can I avoid that, preferably by replacing [email protected] with the actual recipient [email protected] ?
postconf -M :
smtp inet n - y - - smtpd
submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp -o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
postconf -n :
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 3.6
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 52428800
mydestination = domain1.de,domain2.de,domain3.de,localhost
myhostname = v2.domain1.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter =
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_enforce_tls = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_invalid_hostname reject_unauth_pipelining reject_unauth_destination permit_mynetworks, permit_sasl_authenticated, check_recipient_access hash:/etc/postfix/rcpt_blacklist
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_tls_cert_file = /etc/letsencrypt/live/v2.domain1.de-0001/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/v2.domain1.de-0001/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtputf8_enable = no
virtual_maps = hash:/etc/postfix/virtual
This is normal and expected behavior. Don't change it unless you know what you're doing, and from the fact you ever asking about it, it seems you don't, so simply don't change this. Also this is only seen by the recipient of the message, if you don't trust your recipients that much, I have a bad news for you. And the user who accesses that mail probably will know that address anyway, because it must be the username to the IMAP server to access the mailbox in the end of the day, right?
This is used to suppress duplicate delivery. If the mail has the address in the
Delivered-Toheader, it won't be delivered again to that address. It's a feature oflocaldelivery agent, seeman 8 local.You may suppress it using empty
prepend_delivered_headerinmain.cf:RTFM:
Instead, it may be better to change
frozen_delivered_totonoinmain.cf:Then it must not be updated on alias expansion. However, I am not sure how it works, never used it.
The second instance is in the
Receivedheader. Again, blame yourself when you happen to debug your mail if you meddle with this. It's often hard enough even if you have all the bunch of information, let alone when it's deliberately mangled or removed. You can change it withheader_checks, see this question.Update:
Apparently, the last (uppermost)
Receivedheader was not made by Postfix:It's hinted by the fact it's recieved via LMTP. Apparently it was added by Dovecot, since it's what the transport to local mailboxes is set to in
main.cf:I did not notice this from the beginning. In that case, you need to setup Dovecot's behavior with adding that
Receivedheader. I have no idea how to do this, never used Dovecot myself.Also, keep in mind that it probably has no way of determining what the original envelope recipient was, because the alias expansion or whatever Postfix did happened before the message was forwarded to Dovecot. It only knows that the delivery to the catch-all address was requested.