I have my own email server, and I'd like to be able to use dynamic email address tagging. I added the recipient_delimiter = +- directive to my config and restarted postfix, but now if I email bob+sometaghere@starbeamrainbowlabs.com for example, the email will be bounced with the error "Unknown User". If I email unknownuser@starbeamrainbowlabs.com, the email is delivered to the webmaster account as expected.

Here's my postfix config:

```
## These are all default Postfix settings that we won't change
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c
    /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
mailbox_size_limit = 0
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +-
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom

## Settings below this line are things we're modifying or adding

## Your mail server identity options
myhostname = mail.starbeamrainbowlabs.com
#mydestination = localhost, starbeamrainbowlabs.com,
#    localhost.starbeamrainbowalabs.com
# 89.107.190.141 = cross-code central
mynetworks = 127.0.0.0/8 192.168.0.0/24 [::ffff:127.0.0.0]/104 [::1]/128 89.107.190.141

## Customized smtpd parameters
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access
    #reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    #reject_unknown_helo_hostname,
    #warn_if_reject, # warn us instead of actually blocking them
    permit
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    #reject_unknown_sender_domain,
    reject_sender_login_mismatch
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_client_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_sender
smtpd_sender_login_maps = $virtual_mailbox_maps

## Dealing with rejection: use permanent 550 errors to stop retries
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550

## customized TLS parameters
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/private/chain/www-mail.starbeamrainbowlabs.com.pem
smtpd_tls_key_file = /etc/ssl/private/key/decrypted/www-mail.starbeamrainbowlabs.com.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ciphers = high
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s


## Customized Dovecot and virtual user-specific settings
canonical_maps = hash:/etc/postfix/canonical
home_mailbox = Maildir/
message_size_limit = 104857600
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = hash:/etc/postfix/virtual-mailbox-domains
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-users
virtual_transport = dovecot

## This setting will generate an error if you restart Postfix before
## adding the appropriate service definition in master.cf, so make
## sure to get that taken care of!
dovecot_destination_recipient_limit = 1

## Customized milter settings
milter_default_action = accept
milter_connect_macros = j {daemon_name} v {if_name} _
non_smtpd_milters = $smtpd_milters
smtpd_milters = inet:127.0.0.1:11444 unix:/opendkim/opendkim.sock

## Other customized mail server settings
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
relay_destination_concurrency_limit = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
```

From /etc/postfix/master.cf, I have this defining Dovecot:

```
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver
  -f ${sender} -d ${recipient}
```

I also have definitions for ifmail, bsmtp, scalemail-backend, mailman, uucp, scache, maildrop, and a bunch of others, but I'm not entirely sure what they all do.

Does anyone know what is going on here and how I can fix it please?

I'm using virtual mailboxes.

starbeamrainbowlabs

2 Answers

In the /etc/postfix/master.cf configuration file, ensure that the definition of the dovecot service, referenced by the virtual_transport configuration parameter, is set to suppress the extension part of the recipient address during the call to /usr/lib/dovecot/deliver.

For example, this may not work because ${recipient} will be expanded to bob+sometaghere@starbeamrainbowlabs.com by Postfix's pipe(8) service:

```
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=dovecot:dovecot argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
```

The ${recipient} macro should be replaced by ${user}@${domain} in this scenario, so that the Dovecot delivery agent receives the correct address bob@starbeamrainbowlabs.com in its command line:

```
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=dovecot:dovecot argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain}
```

Reference: https://wiki1.dovecot.org/LDA/Postfix

  • Wow, I can't believe it! It's actually fixed, after all this time. Thanks so much! That reference appears to show `${nexthop}` instead of `${domain}`, but `${domain}` works - so I'll stick with that. Thanks again! You've made my day. – starbeamrainbowlabs Feb 21 '20 at 16:18
  • Yeah, the reference uses `${nexthop}` macro instead of `${domain}`. I initially wrote my answer using `${nexthop}` and, then, switched it to `${domain}` after reading their meanings in [pipe(8) manual page](http://www.postfix.org/pipe.8.html). I believe that `${domain}` is more appropriate for the scenario. – Anderson Medeiros Gomes Feb 21 '20 at 20:25
  • Ah, I see. It helps to have an understanding of the way postfix is put together - it's pretty different to anything else I've seen before. It's certainly an interesting program structure - even if it does make configuration more complex. Thanks again :-) – starbeamrainbowlabs Feb 22 '20 at 23:44

Multiple characters in the recipient_delimiter parameter seem to be supported in Postfix 2.11 or newer only. Ensure that you are either running a recent Postfix version or, alternatively, use only one delimiter character.

From the postconf(5) man page:

recipient_delimiter (default: empty)

The set of characters that can separate a user name from its extension (example: user+foo), or a .forward file name from its extension (example: .forward+foo). Basically, the software tries user+foo and .forward+foo before trying user and .forward. This implementation recognizes one delimiter character and one extension per email address or .forward file name.

When the recipient_delimiter set contains multiple characters (Postfix 2.11 and later), a user name or .forward file name is separated from its extension by the first character that matches the recipient_delimiter set.

  • Sorry, this doesn't work. I am currently using Postfix 3.3.0-1ubuntu0.2 on Ubuntu 19.10, and it is not working. I see this in my log file: https://pastebin.com/raw/NXEZGLAH (some bits altered to preserve privacy). I tried both 1 and 2 characters in the `recipient_delimiter` setting, and neither had any effect. – starbeamrainbowlabs Feb 20 '20 at 20:28
  • Right. I see from your logs that the delivery error is coming from Dovecot and not Postfix. Please, could you get from your `/etc/postfix/master.cf` the definition of `dovecot` service referenced by `virtual_transport` configuration parameter? It should be configured according to [this reference document](https://wiki1.dovecot.org/LDA/Postfix). – Anderson Medeiros Gomes Feb 21 '20 at 06:55
  • Ah, I see! No wonder I got confused.... I've updated my question with the additional information. – starbeamrainbowlabs Feb 21 '20 at 16:11
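
An added example (not from the question or either answer): a simplified Python model of the macro expansion both answers describe, showing why `-d ${recipient}` ends in "Unknown User" while `-d ${user}@${domain}` reaches the mailbox. The function names and the `mary-ann@example.com` mailbox are constructed; the split follows the first-matching-delimiter rule quoted from postconf(5) and does not model Postfix's special handling of reserved addresses.

```python
import re

def split_recipient(address, recipient_delimiter="+-"):
    """Return pipe(8)-style macro values for one recipient address.

    Simplified model: the local part is split at the first character that
    is in the recipient_delimiter set. Postfix's special handling of
    reserved addresses (for example postmaster) is not modelled.
    """
    mailbox, _, domain = address.rpartition("@")
    user, extension = mailbox, ""
    hits = [i for i, ch in enumerate(mailbox) if ch in recipient_delimiter]
    # Only split when something is left in front of the delimiter.
    if hits and hits[0] > 0:
        user, extension = mailbox[:hits[0]], mailbox[hits[0] + 1:]
    return {"recipient": address, "mailbox": mailbox, "user": user,
            "extension": extension, "domain": domain}

def dovecot_target(address, template, recipient_delimiter="+-"):
    """Expand ${name} macros in the argument given to `deliver -d`."""
    macros = split_recipient(address, recipient_delimiter)
    return re.sub(r"\$\{(\w+)\}", lambda m: macros[m.group(1)], template)

def audit(mailboxes, inbound, template, recipient_delimiter="+-"):
    """Map each inbound address to (deliver -d argument, mailbox exists?)."""
    result = {}
    for address in inbound:
        target = dovecot_target(address, template, recipient_delimiter)
        result[address] = (target, target in mailboxes)
    return result

# Constructed sample data: mary-ann@example.com is a made-up mailbox.
MAILBOXES = {"bob@starbeamrainbowlabs.com", "mary-ann@example.com"}
INBOUND = ["bob+sometaghere@starbeamrainbowlabs.com", "mary-ann@example.com"]

if __name__ == "__main__":
    for template in ("${recipient}", "${user}@${domain}"):
        for address, (target, ok) in audit(MAILBOXES, INBOUND, template).items():
            print(f"{template:20} {address:42} -> {target:32} "
                  f"{'ok' if ok else 'Unknown User'}")
```

With `-` in the delimiter set, a mailbox name that itself contains a hyphen is shortened by `${user}`, so check existing mailbox names before using `+-`.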