Here is a chain of conditions that led to a bizarre problem:
mail for a virtual alias was sometimes delivered to the local spam
folder, instead of being forwarded to the intended remote recipient.

It was only after some careful detective work that we found out
that a lot of things were needed for this to happen.

1) A virtual alias was rewritten to an email address with a remote
domain, and delivered by the Postfix SMTP client.

2) This worked as expected most of the time. However, a few times
a day, DNS lookup for the remote domain resulted in "host found but
no data record of requested type" for MX, A and AAAA queries.

3) Normally, the Postfix SMTP client would bounce the message as
undeliverable. However, Postfix was configured with "smtp_host_lookup
= native, dns".  After the above DNS queries failed, the Postfix
SMTP client did native lookups using the getaddrinfo() system library
routine. Through nsswitch.conf, this searched /etc/hosts as well
as DNS.

4) We already know that DNS lookup for the remote domain would fail.
However, /etc/resolv.conf specified a "search" list, so that after
the initial DNS lookup failure, the local domain name was appended
to the remote domain.

5) Normally, DNS lookup would fail because remote-domain.local-domain
does not exist. However, the DNS zone for the local domain had a
wildcard subdomain, so that remote-domain.local-domain actually
resolved to a local IP address on the Postfix server itself.

6) Normally, the Postfix SMTP client would detect that there was a
mailer loop and bounce the message. However, Postfix was configured
with "best_mx_transport = local", and therefore the Postfix SMTP
client passed the message to the Postfix local delivery agent.

7) Normally, the Postfix local delivery agent would bounce the
message because the username in the email address did not exist
in /etc/passwd or /etc/aliases. However, Postfix was configured
with "luser_relay = spam", and the Postfix local delivery agent
delivered the message to the spam mailbox.

The net result was that mail for a virtual alias, that should be
forwarded to a remote address, was sometimes delivered to the local
spam folder. But only because a half-dozen conditions were met.

        Wietse
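
An added example, not part of the original post or of Postfix: a small offline audit that reads main.cf and resolv.conf text and reports which of the numbered conditions above (3, 4, 6 and 7) are present. The sample file contents, the function names and the example.com search domain are constructed for illustration; the wildcard DNS record of condition 5 needs a live query and is not checked.

```python
import re

# Constructed sample inputs (not from the original post).
SAMPLE_MAIN_CF = """\
# constructed main.cf fragment
smtp_host_lookup = native,
    dns
best_mx_transport = local
luser_relay = spam
"""
SAMPLE_RESOLV_CONF = "nameserver 192.0.2.53\nsearch example.com\n"

def parse_main_cf(text):
    """main.cf rules: '#' comment lines, leading whitespace continues, last assignment wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if name:
                params[name] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def search_domains(resolv_conf):
    """Effective resolv.conf search list; the last 'search' or 'domain' line wins."""
    domains = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if fields and fields[0] in ("search", "domain"):
            domains = fields[1:]
    return domains

def audit(main_cf, resolv_conf):
    """Return (step, note) pairs for the conditions from the post that these files can show."""
    p, found = parse_main_cf(main_cf), []
    # Postfix defaults smtp_host_lookup to "dns" when it is not set.
    native = "native" in re.split(r"[,\s]+", p.get("smtp_host_lookup", "dns"))
    domains = search_domains(resolv_conf)
    if native:
        found.append((3, "smtp_host_lookup uses native lookups (getaddrinfo)"))
        if domains:
            found.append((4, "resolv.conf search list applies: " + " ".join(domains)))
    if p.get("best_mx_transport"):
        found.append((6, "best_mx_transport = " + p["best_mx_transport"]))
    if p.get("luser_relay"):
        found.append((7, "luser_relay = " + p["luser_relay"]))
    return found
```

On a live system the same functions can be fed the contents of main.cf and /etc/resolv.conf; each reported condition is one link that, if removed, breaks the chain.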
