A catch-all email address is an address that is used as a fall-back for when no other recipients are available. Ergo, it is the email address that receives all email for a domain that isn’t already delivered to other users or groups or shared folders.
A default Kolab environment is not configured to facilitate catch-all addresses, so this article outlines why and how to configure such a catch-all email address in a way that allows the use of another relatively obscure but very powerful feature — the use of address extensions.
When one or more catch-all email addresses are defined, and address extensions are also in use, the order in which Postfix iterates over tables and versions of the recipient email address may cause Postfix to hit early and stop iterating with the wrong result. For reasons explained in more detail further down in this article, misconfiguration for catch-all addresses can lead to a mail to Jane to end up with John instead.
Since we want the catch-all address to be the recipient of last resort, we have to appreciate the order in which Postfix will attempt to match RCPT TO addresses against the lookup tables configured.
A Note About Hosted Environments
Hosted Kolab environments, such as those that allow public registration of email addresses and domains (like Kolab Now), catch-all addresses need to be set up slightly more carefully. Therefore, this article should not be used if your Kolab environment is indeed such a Hosted Kolab environment.
Should you wish to apply catch-all addresses to Hosted Kolab environments, we recommend you contact Kolab Systems for support.
Reasons to Use Catch All Addresses, Address Extensions
Reasons to use catch-all addresses vary, in both importance and applicability, and a non-exhaustive list would include;
- Collect spam (and learn from it), using a catch-all address like a sort of honeypot,
- Continue to receive email to deleted addresses, such as former employees or other such organizational changes,
- Split out a potentially long list of standard addresses (
admin@, etc., etc.) without having to specify the specific aliases, distribution groups or shared mail folders.
Address extensions (what comes after the ‘+’ in an email address such as
john.doe+Spam@example.com) are a relatively obscure yet very powerful feature that allows a recipient to specify the folder to which email is to be delivered (such as in the
john.doe+Spam@example.com example) or distinguish which email address had been submitted (news letters, mailing lists, etc.) to third parties who in turn may share the address with other third parties, potentially leading to spam.
Postfix Virtual Alias Maps, Address Extensions & Lookup Iterations
The following is a typical configuration for the Postfix
virtual_alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap/virtual_alias_maps.cf, ldap:/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf, ldap:/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf, ldap:/etc/postfix/ldap/mailenabled_distgroups.cf, ldap:/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf
These lookup tables are iterated over with the following versions of the recipient address(es), meaning all lookup tables are iterated over with the first version, then the second, and so forth:
Normally, a simple catch-all address would be configured by adding an alias
catchall@domain to an existing mailbox entry;
dn: uid=doe,ou=People,dc=example,dc=com mail: email@example.com alias: firstname.lastname@example.org (...)
And a simple additional lookup table is configured for Postfix’s
virtual_alias_maps to lookup
However, when address extensions are used, the typical lookup iteration would cause the first iteration to hit on the catch-all address.
Consider an email sent to
email@example.com. There would be no literal match on the virtual alias maps iteration for a literal address value of
firstname.lastname@example.org resulting in the catchall lookup table to hit. In other words, it would hit much too early, and mistakenly deliver the mail to John.
Postfix, Shared Mail Folders, Address Extensions & Lookup Iterations
Shared mail folders used for generic addresses such as
email@example.com getting delivered to a folder such as
shared/Info@example.com can incidentally also use address extensions. Suppose an organization subscribes itself to newsletters and other types of address lists that could be unintentionally shared with third parties, potentially leading to spam. For example, one may subscribe to social media with address extensions
firstname.lastname@example.org, and what-have-you.
As explained before, while messages for
email@example.com may be configured to arrive in
shared/Social@example.com, the address extension will cause the first iteration to miss the shared folder delivery, and hit the catch-all entry.
This solution requires some re-configuration of Postfix to allow continued delivery to shared folders, and requires manual intervention to modify one or more LDAP entries, or an update to at least kolab-webadmin version 3.2.13 or later. Updating to kolab-webadmin version 3.2.13 or later is the recommended route.
It also requires ensuring that any and all shared mail folder addresses are made to be local, using an entry in
Virtual and Transport Lookup Tables
Create or edit
/etc/postfix/virtual and ensure the following entry is present (replace the domain name):
Create the hash database file:
# postmap /etc/postfix/virtual
Add to lookup table at or near the beginning of the
virtual_alias_maps setting (here’s where Hosted Kolab environments differ, too):
virtual_alias_maps = hash:/etc/aliases, hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap/virtual_alias_maps.cf, ldap:/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf, ldap:/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf, ldap:/etc/postfix/ldap/mailenabled_distgroups.cf, ldap:/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf
Create or edit
/etc/postfix/transport and ensure the following entry is present:
Create the hash database file:
# postmap /etc/postfix/transport
Ensure that the lookup table is listed in Postfix’s transport_maps setting lists
hash:/etc/postfix/transport (Kolab is configured as such by default).
# systemctl reload postfix
With Kolab Webadmin 3.2.13+
In the Kolab Web Administration Panel, edit the user or users that are to receive mail caught by the catch-all address, and add a secondary email address of ‘
Manual LDAP Intervention
This solution is not recommended as it would void one’s ability to alter the configuration of the relevant users through the Kolab Web Administration Panel until after the update to version 3.2.13 or later.
# ldapmodify -x -H localhost -D "cn=Directory Manager" -W Password: ********* dn: uid=doe,ou=People,dc=example,dc=com changetype: modify add: alias alias: @example.com ^D modifying entry "uid=doe,ou=People,dc=example,dc=com