Using Catch All Email Addresses

A catch-all email address is an address that is used as a fall-back for when no other recipients are available. Ergo, it is the email address that receives all email for a domain that isn’t already delivered to other users or groups or shared folders.

A default Kolab environment is not configured to facilitate catch-all addresses, so this article outlines why and how to configure such a catch-all email address in a way that allows the use of another relatively obscure but very powerful feature — the use of address extensions.

Problem Description

When one or more catch-all email addresses are defined and address extensions are also in use, the order in which Postfix iterates over lookup tables and versions of the recipient email address may cause Postfix to hit early and stop iterating with the wrong result. For reasons explained in more detail further down in this article, a misconfigured catch-all address can cause mail for Jane to end up with John instead.

Since we want the catch-all address to be the recipient of last resort, we have to appreciate the order in which Postfix will attempt to match RCPT TO addresses against the lookup tables configured.

Skip ahead to the solution.

A Note About Hosted Environments

In Hosted Kolab environments, such as those that allow public registration of email addresses and domains (like Kolab Now), catch-all addresses need to be set up slightly more carefully. Therefore, this article should not be used if your Kolab environment is such a Hosted Kolab environment.

Should you wish to apply catch-all addresses to Hosted Kolab environments, we recommend you contact Kolab Systems for support.

Reasons to Use Catch All Addresses, Address Extensions

Reasons to use catch-all addresses vary in both importance and applicability. A non-exhaustive list includes:

  • Collect spam (and learn from it), using a catch-all address like a sort of honeypot,
  • Continue to receive email to deleted addresses, such as former employees or other such organizational changes,
  • Split out a potentially long list of standard addresses (hr@, accounting@, hostmaster@, postmaster@, webmaster@, admin@, etc., etc.) without having to specify the specific aliases, distribution groups or shared mail folders.

Address extensions (what comes after the ‘+’ in an email address such as john.doe+Spam@example.com) are a relatively obscure yet very powerful feature. They allow a recipient to specify the folder to which email is to be delivered (as in the john.doe+Spam@example.com example), or to distinguish which email address was submitted to third parties (newsletters, mailing lists, etc.) who in turn may share the address with other third parties, potentially leading to spam.

Postfix Virtual Alias Maps, Address Extensions & Lookup Iterations

The following is a typical configuration for the Postfix virtual_alias_maps setting:

virtual_alias_maps = hash:/etc/aliases,
    ldap:/etc/postfix/ldap/virtual_alias_maps.cf,
    ldap:/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf,
    ldap:/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf,
    ldap:/etc/postfix/ldap/mailenabled_distgroups.cf,
    ldap:/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf

These lookup tables are iterated over with the following versions of the recipient address(es), meaning all lookup tables are iterated over with the first version, then the second, and so forth:

  • user+extension@domain,
  • user@domain,
  • user+extension,
  • user,
  • @domain

Normally, a simple catch-all address would be configured by adding an alias catchall@domain to an existing mailbox entry:

dn: uid=doe,ou=People,dc=example,dc=com
mail: john.doe@example.com
alias: catchall@example.com
(...)

A simple additional lookup table is then configured for Postfix’s virtual_alias_maps to look up (&(alias=catchall@%d)(objectclass=kolabinetorgperson)).

However, when address extensions are used, the typical lookup iteration would cause the first iteration to hit on the catch-all address.

Consider an email sent to jane.doe+other@example.com. The first virtual alias maps iteration finds no literal match for the address value jane.doe+other@example.com, so the catch-all lookup table hits. In other words, it hits much too early and mistakenly delivers the mail to John.

Postfix, Shared Mail Folders, Address Extensions & Lookup Iterations

Shared mail folders used for generic addresses such as info@example.com getting delivered to a folder such as shared/Info@example.com can incidentally also use address extensions. Suppose an organization subscribes itself to newsletters and other types of address lists that could be unintentionally shared with third parties, potentially leading to spam. For example, one may subscribe to social media with address extensions social+twitter@example.com, social+facebook@example.com, and what-have-you.

As explained before, while messages for social@example.com may be configured to arrive in shared/Social@example.com, the address extension will cause the first iteration to miss the shared folder delivery, and hit the catch-all entry.

The Solution

This solution requires some re-configuration of Postfix to allow continued delivery to shared folders, and requires either manual intervention to modify one or more LDAP entries, or an update to kolab-webadmin version 3.2.13 or later. Updating to kolab-webadmin version 3.2.13 or later is the recommended route.

It also requires ensuring that any and all shared mail folder addresses are made to be local, using an entry in /etc/postfix/virtual and /etc/postfix/transport.

Virtual and Transport Lookup Tables

Create or edit /etc/postfix/virtual and ensure the following entry is present (replace the domain name):

shared@example.com shared@example.com

Create the hash database file:

# postmap /etc/postfix/virtual

Add the lookup table at or near the beginning of the virtual_alias_maps setting (here’s where Hosted Kolab environments differ, too):

virtual_alias_maps = hash:/etc/aliases,
    hash:/etc/postfix/virtual,
    ldap:/etc/postfix/ldap/virtual_alias_maps.cf,
    ldap:/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf,
    ldap:/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf,
    ldap:/etc/postfix/ldap/mailenabled_distgroups.cf,
    ldap:/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf

Create or edit /etc/postfix/transport and ensure the following entry is present:

shared@example.com lmtp:unix:/var/lib/imap/socket/lmtp

Create the hash database file:

# postmap /etc/postfix/transport

Ensure that Postfix’s transport_maps setting lists hash:/etc/postfix/transport (Kolab is configured as such by default).

Reload Postfix:

# systemctl reload postfix

With Kolab Webadmin 3.2.13+

In the Kolab Web Administration Panel, edit the user or users that are to receive mail caught by the catch-all address, and add a secondary email address of ‘@example.com’.

Manual LDAP Intervention

This solution is not recommended as it would void one’s ability to alter the configuration of the relevant users through the Kolab Web Administration Panel until after the update to version 3.2.13 or later.

# ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W
Password: *********
dn: uid=doe,ou=People,dc=example,dc=com
changetype: modify
add: alias
alias: @example.com
^D
modifying entry "uid=doe,ou=People,dc=example,dc=com"
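
Why the ‘@example.com’ alias acts as a recipient of last resort while the catchall@%d lookup table does not, as an added Python model that is not Kolab or Postfix code. The function and table names are hypothetical, the directory entries are constructed, and the model returns only the matched mailbox and key (it does not carry the unmatched extension over to the result).

```python
# Added illustration: a simplified model of Postfix's virtual_alias_maps search.
# Names (candidate_keys, resolve, catchall_table) are hypothetical, not Postfix APIs.

def candidate_keys(rcpt, delimiter="+"):
    """Key forms in the order the article lists them."""
    local, domain = rcpt.rsplit("@", 1)
    base = local.split(delimiter, 1)[0]
    keys = [f"{local}@{domain}", f"{base}@{domain}", local, base, f"@{domain}"]
    return list(dict.fromkeys(keys))  # drop duplicates when there is no extension


def resolve(rcpt, tables):
    """Try every table with the first key form, then the second, and so on."""
    for key in candidate_keys(rcpt):
        for table in tables:
            hit = table(key)
            if hit:
                return hit, key
    return None, None


# Constructed directory: mail/alias attribute value -> mailbox.
DIRECTORY = {
    "john.doe@example.com": "john.doe@example.com",
    "jane.doe@example.com": "jane.doe@example.com",
}
CATCHALL_OWNER = {"example.com": "john.doe@example.com"}


def catchall_table(key):
    """Models the filter (alias=catchall@%d): only the key's domain is used,
    so any user@domain key form matches, including the very first one."""
    _, sep, domain = key.rpartition("@")
    return CATCHALL_OWNER.get(domain) if sep else None


# Before: a separate catch-all table appended to the map list.
BROKEN = [DIRECTORY.get, catchall_table]
# After: the literal alias "@example.com" on John's entry, found by the normal
# alias lookup and only when the key is exactly "@example.com".
FIXED = [{**DIRECTORY, "@example.com": "john.doe@example.com"}.get]

if __name__ == "__main__":
    for rcpt in ("jane.doe+other@example.com", "nobody@example.com"):
        print(rcpt, "broken:", resolve(rcpt, BROKEN), "fixed:", resolve(rcpt, FIXED))
```

In the broken configuration the mail for Jane is claimed on the first key form; with the ‘@example.com’ alias it reaches Jane on the second key form, and only an address with no other match falls through to John.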