SSL_accept error from ...
I'm seeing sporadic SSL_accept error messages and would like to know their significance. Sometimes I'm seeing : 0, sometimes : -1

A few examples:

Jul 3 17:44:00 mail postfix/smtpd[1210]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
Jul 3 17:53:22 mail postfix/smtpd[1174]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
Jul 3 18:31:12 mail postfix/smtpd[8533]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
Jul 4 15:13:25 mail postfix/smtpd[9088]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
...
Jul 5 11:38:38 mail postfix/smtpd[17412]: SSL_accept error from www.neuro.med.tu-dresden.de[141.76.248.20]: 0
Jul 6 02:32:25 mail postfix/smtpd[1491]: SSL_accept error from server.detodos.com.br[189.90.142.30]: 0

So what are those?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: SSL_accept error from ...
Ralf Hildebrandt:
> I'm seeing sporadic SSL_accept error messages and would like to know their significance. Sometimes I'm seeing : 0, sometimes : -1
>
> A few examples:
>
> Jul 3 17:44:00 mail postfix/smtpd[1210]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> Jul 3 17:53:22 mail postfix/smtpd[1174]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> Jul 3 18:31:12 mail postfix/smtpd[8533]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> Jul 4 15:13:25 mail postfix/smtpd[9088]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> ...
> Jul 5 11:38:38 mail postfix/smtpd[17412]: SSL_accept error from www.neuro.med.tu-dresden.de[141.76.248.20]: 0
> Jul 6 02:32:25 mail postfix/smtpd[1491]: SSL_accept error from server.detodos.com.br[189.90.142.30]: 0
>
> So what are those?

Postfix prints all information that is available on the OpenSSL error stack. The absence of such logging suggests that the error stack is empty (perhaps the client hung up), or that your grep(1) command eliminated them.

Wietse
Re: SSL_accept error from ...
* Wietse Venema wie...@porcupine.org:
> > Jul 3 17:44:00 mail postfix/smtpd[1210]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> > Jul 3 17:53:22 mail postfix/smtpd[1174]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> > Jul 3 18:31:12 mail postfix/smtpd[8533]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> > Jul 4 15:13:25 mail postfix/smtpd[9088]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> > ...
> > Jul 5 11:38:38 mail postfix/smtpd[17412]: SSL_accept error from www.neuro.med.tu-dresden.de[141.76.248.20]: 0
> > Jul 6 02:32:25 mail postfix/smtpd[1491]: SSL_accept error from server.detodos.com.br[189.90.142.30]: 0
> >
> > So what are those?
>
> Postfix prints all information that is available on the OpenSSL error stack. The absence of such logging suggests that the error stack is empty (perhaps the client hung up),

I guess so then

> or that your grep(1) command eliminated them.

That's all there was. OK, I'll just ignore those then.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: SSL_accept error from ...
Ralf Hildebrandt:
> * Wietse Venema wie...@porcupine.org:
> > > Jul 3 17:44:00 mail postfix/smtpd[1210]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> > > Jul 3 17:53:22 mail postfix/smtpd[1174]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> > > Jul 3 18:31:12 mail postfix/smtpd[8533]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> > > Jul 4 15:13:25 mail postfix/smtpd[9088]: SSL_accept error from post.blossin.de[217.92.177.100]: -1
> > > ...
> > > Jul 5 11:38:38 mail postfix/smtpd[17412]: SSL_accept error from www.neuro.med.tu-dresden.de[141.76.248.20]: 0
> > > Jul 6 02:32:25 mail postfix/smtpd[1491]: SSL_accept error from server.detodos.com.br[189.90.142.30]: 0
> > >
> > > So what are those?
> >
> > Postfix prints all information that is available on the OpenSSL error stack. The absence of such logging suggests that the error stack is empty (perhaps the client hung up),
>
> I guess so then
>
> > or that your grep(1) command eliminated them.
>
> That's all there was. OK, I'll just ignore those then.

I would not deny that this user interface can be improved.

One minor improvement would be to log lost connection when the OpenSSL error stack is empty (i.e. when ERR_peek_error() returns an end-of-data indication instead of an OpenSSL error number).

Wietse
Re: SSL_accept error from ...
* Wietse Venema wie...@porcupine.org:
> > That's all there was. OK, I'll just ignore those then.
>
> I would not deny that this user interface can be improved.
>
> One minor improvement would be to log lost connection when the OpenSSL error stack is empty (i.e. when ERR_peek_error() returns an end-of-data indication instead of an OpenSSL error number).

That would definitely raise less suspicion!

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Multiple SSL certs for TLS
Is it possible to host multiple SSL certs for use with TLS? I am having trouble finding documentation regarding this configuration, but we have some customers who would like to implement their own SSL certs on our outbound mail server for TLS.
Re: Multiple SSL certs for TLS
On Fri, Jul 22, 2011 at 10:29:03AM -0500, l...@airstreamcomm.net wrote:
> Is it possible to host multiple SSL certs for use with TLS? I am having trouble finding documentation regarding this configuration, but we have some customers who would like to implement their own SSL certs on our outbound mail server for TLS.

Not on the same IP:port. Each server identity needs its own TCP end-point.

--
Viktor.
Re: SSL_accept error from ...
On Fri, Jul 22, 2011 at 09:32:29AM -0400, Wietse Venema wrote:
> > So what are those?
>
> Postfix prints all information that is available on the OpenSSL error stack. The absence of such logging suggests that the error stack is empty (perhaps the client hung up), or that your grep(1) command eliminated them.

These are typically just lost connections. A problem client in my logs shows:

8 plaintext deliveries
6 plaintext DATA timeouts
24 TLS deliveries
109 TLS DATA timeouts
7 TLS SSL accept error: 0

There is nothing on the TLS error stack. Anonymised log samples:

TLS delivery:

2011-07-22T05:51:11-04:00 amnesiac postfix/smtpd[9446]: connect from unknown[192.0.2.1]
2011-07-22T05:51:12-04:00 amnesiac postfix/smtpd[9446]: Anonymous TLS connection established from unknown[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
2011-07-22T05:51:12-04:00 amnesiac postfix/smtpd[9446]: 755A11AC8003: client=unknown[192.0.2.1]
2011-07-22T05:51:12-04:00 amnesiac postfix/cleanup[9603]: 755A11AC8003: message-id=id1
2011-07-22T05:51:12-04:00 amnesiac postfix/qmgr[11097]: 755A11AC8003: from=sender1, size=19041, nrcpt=1 (queue active)
2011-07-22T05:51:12-04:00 amnesiac postfix/smtp[9512]: 755A11AC8003: to=rcpt1, relay=127.0.0.1[127.0.0.1]:27, delay=0.2, delays=0.16/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9C384EF8003)
2011-07-22T05:51:12-04:00 amnesiac postfix/qmgr[11097]: 755A11AC8003: removed
2011-07-22T05:51:12-04:00 amnesiac postfix/smtpd[9446]: disconnect from unknown[192.0.2.1]

TLS DATA timeout:

2011-07-22T05:51:30-04:00 amnesiac postfix/smtpd[9390]: connect from unknown[192.0.2.1]
2011-07-22T05:51:30-04:00 amnesiac postfix/smtpd[9390]: Anonymous TLS connection established from unknown[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
2011-07-22T05:51:30-04:00 amnesiac postfix/smtpd[9390]: 921D21AC8009: client=unknown[192.0.2.1]
2011-07-22T05:52:16-04:00 amnesiac postfix/smtpd[9390]: timeout after DATA (57269 bytes) from unknown[192.0.2.1]
2011-07-22T05:52:26-04:00 amnesiac postfix/smtpd[9390]: disconnect from unknown[192.0.2.1]

plaintext delivery

2011-07-22T05:53:22-04:00 amnesiac postfix/smtpd[9443]: C62C71748001: client=unknown[192.0.2.1]
2011-07-22T05:53:22-04:00 amnesiac postfix/cleanup[9278]: C62C71748001: message-id=id2
2011-07-22T05:53:57-04:00 amnesiac postfix/qmgr[11097]: C62C71748001: from=sender1, size=161047, nrcpt=1 (queue active)
2011-07-22T05:53:57-04:00 amnesiac postfix/smtp[9509]: C62C71748001: to=rcpt1, relay=127.0.0.1[127.0.0.1]:27, delay=35, delays=35/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 717B5EF8001)
2011-07-22T05:53:57-04:00 amnesiac postfix/qmgr[11097]: C62C71748001: removed

TLS SSL_accept error 0

2011-07-22T05:53:33-04:00 amnesiac postfix/smtpd[9446]: connect from unknown[192.0.2.1]
2011-07-22T05:53:33-04:00 amnesiac postfix/smtpd[9446]: SSL_accept error from unknown[192.0.2.1]: 0
2011-07-22T05:53:33-04:00 amnesiac postfix/smtpd[9446]: lost connection after STARTTLS from unknown[192.0.2.1]
2011-07-22T05:53:33-04:00 amnesiac postfix/smtpd[9446]: disconnect from unknown[192.0.2.1]

plaintext DATA timeout

2011-07-22T05:54:22-04:00 amnesiac postfix/smtpd[9389]: connect from unknown[192.0.2.1]
2011-07-22T05:54:22-04:00 amnesiac postfix/smtpd[9389]: D4AF21748001: client=unknown[192.0.2.1]
2011-07-22T05:55:08-04:00 amnesiac postfix/smtpd[9389]: timeout after DATA (65624 bytes) from unknown[192.0.2.1]
2011-07-22T05:55:08-04:00 amnesiac postfix/smtpd[9389]: disconnect from unknown[192.0.2.1]

--
Viktor.
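The per-client tally in the message above can be reproduced by grouping smtpd lines into sessions and separating SSL_accept errors with an empty OpenSSL error stack from those followed by logged error-stack lines. This is an added example, not code from the thread or from Postfix; the sample log is constructed in the format shown above, and the last session (with a "TLS library problem" line) is an assumed case added for contrast.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the thread. The final session
# (198.51.100.7) is an added case in which OpenSSL error-stack text was logged.
SAMPLE_LOG = """\
2011-07-22T05:51:11-04:00 amnesiac postfix/smtpd[9446]: connect from unknown[192.0.2.1]
2011-07-22T05:51:12-04:00 amnesiac postfix/smtpd[9446]: Anonymous TLS connection established from unknown[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
2011-07-22T05:51:12-04:00 amnesiac postfix/smtpd[9446]: 755A11AC8003: client=unknown[192.0.2.1]
2011-07-22T05:51:12-04:00 amnesiac postfix/smtpd[9446]: disconnect from unknown[192.0.2.1]
2011-07-22T05:51:30-04:00 amnesiac postfix/smtpd[9390]: connect from unknown[192.0.2.1]
2011-07-22T05:51:30-04:00 amnesiac postfix/smtpd[9390]: Anonymous TLS connection established from unknown[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
2011-07-22T05:51:30-04:00 amnesiac postfix/smtpd[9390]: 921D21AC8009: client=unknown[192.0.2.1]
2011-07-22T05:52:16-04:00 amnesiac postfix/smtpd[9390]: timeout after DATA (57269 bytes) from unknown[192.0.2.1]
2011-07-22T05:52:26-04:00 amnesiac postfix/smtpd[9390]: disconnect from unknown[192.0.2.1]
2011-07-22T05:53:33-04:00 amnesiac postfix/smtpd[9446]: connect from unknown[192.0.2.1]
2011-07-22T05:53:33-04:00 amnesiac postfix/smtpd[9446]: SSL_accept error from unknown[192.0.2.1]: 0
2011-07-22T05:53:33-04:00 amnesiac postfix/smtpd[9446]: lost connection after STARTTLS from unknown[192.0.2.1]
2011-07-22T05:53:33-04:00 amnesiac postfix/smtpd[9446]: disconnect from unknown[192.0.2.1]
2011-07-22T05:54:22-04:00 amnesiac postfix/smtpd[9389]: connect from unknown[192.0.2.1]
2011-07-22T05:54:22-04:00 amnesiac postfix/smtpd[9389]: D4AF21748001: client=unknown[192.0.2.1]
2011-07-22T05:55:08-04:00 amnesiac postfix/smtpd[9389]: timeout after DATA (65624 bytes) from unknown[192.0.2.1]
2011-07-22T05:55:08-04:00 amnesiac postfix/smtpd[9389]: disconnect from unknown[192.0.2.1]
2011-07-22T05:56:01-04:00 amnesiac postfix/smtpd[9500]: connect from unknown[198.51.100.7]
2011-07-22T05:56:01-04:00 amnesiac postfix/smtpd[9500]: SSL_accept error from unknown[198.51.100.7]: -1
2011-07-22T05:56:01-04:00 amnesiac postfix/smtpd[9500]: warning: TLS library problem: 9500:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
2011-07-22T05:56:01-04:00 amnesiac postfix/smtpd[9500]: lost connection after STARTTLS from unknown[198.51.100.7]
2011-07-22T05:56:01-04:00 amnesiac postfix/smtpd[9500]: disconnect from unknown[198.51.100.7]
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EMPTY_STACK = "SSL_accept error, empty error stack (lost connection)"
WITH_STACK = "SSL_accept error with OpenSSL error stack"

def outcome(flags):
    """Map the events seen in one session to a single label."""
    if "accept_error" in flags:
        return WITH_STACK if "error_stack" in flags else EMPTY_STACK
    transport = "TLS" if "tls" in flags else "plaintext"
    if "data_timeout" in flags:
        return f"{transport} DATA timeout"
    if "message" in flags:
        return f"{transport} delivery"
    return f"{transport} other"

def classify_sessions(log_text):
    """Tally outcomes per connect..disconnect session of each smtpd process."""
    sessions = {}            # smtpd pid -> set of events seen in the open session
    tally = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            sessions[pid] = set()
            continue
        flags = sessions.get(pid)
        if flags is None:
            continue         # line belongs to a session whose start was not seen
        if "TLS connection established from" in msg:
            flags.add("tls")
        elif msg.startswith("SSL_accept error from "):
            flags.add("accept_error")
        elif "TLS library problem" in msg:
            flags.add("error_stack")
        elif msg.startswith("timeout after DATA"):
            flags.add("data_timeout")
        elif re.match(r"[0-9A-F]+: client=", msg):
            flags.add("message")
        elif msg.startswith("disconnect from "):
            tally[outcome(sessions.pop(pid))] += 1
    return tally
```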
Difference between smtpd_client_restrictions and smtd_recipient_resrictions
Hi

I don't understand what is difference between smtpd_client_restrictions and smtpd_recipient_restrictions?

Thanks
Re: Difference between smtpd_client_restrictions and smtd_recipient_resrictions
On 22.07.2011 20:04, gaby wrote:
> I don't understand what is difference between smtpd_client_restrictions and smtpd_recipient_restrictions?

the time when they are processed

for reject because of smtpd_client_restriction you need not to wait for RCPT TO, but you should be advised to do this and put all restrictions in smtpd_recipient_restrictions as long you have no real good reason to do not so

analyze logfiles is boring without full sender / rcpt
Re: Difference between smtpd_client_restrictions and smtd_recipient_resrictions
On Fri, Jul 22, 2011 at 09:04:37PM +0300, gaby wrote:
> I don't understand what is difference between smtpd_client_restrictions and smtpd_recipient_restrictions?

Postfix has 6 top-level restriction lists:

smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions
smtpd_data_restrictions
smtpd_end_of_data_restrictions

They are almost identical.

- A message is rejected if any restriction list rejects the message, otherwise it is accepted.
- By default the first 4 lists are applied serially for each RCPT TO command.
- The data restrictions are applied at the DATA command, and don't have access to the recipient address when the message has more than 1 recipient.
- The end_of_data restrictions are applied at ".", and can provide the actual message size to a policy service.
- To thwart most accidental open-relay configurations, the recipient restrictions MUST contain an element that rejects by default, that is one of: reject_unauth_destination, reject, defer. This is not required for the other lists.

Otherwise you get four or so ways to filter the message envelope. Many sites just use the recipient restrictions and leave all the rest empty. Because an OK result from any restriction element terminates a given restriction list, but still continues to the next list, in some configurations, you get more expressive rules by using more than one list.

--
Viktor.
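A small model of the evaluation rules in the reply above: a reject in any list rejects, an OK ends only the current list, and the recipient list needs a default-reject element. This is an added example, not Postfix code or part of the original post; the three elements are simplified stand-ins for the real ones, and the network prefix, domains and session fields are constructed for illustration.

```python
OK, REJECT, DUNNO, ACCEPT = "OK", "REJECT", "DUNNO", "ACCEPT"
DEFAULT_REJECT = {"reject_unauth_destination", "reject", "defer"}

# Constructed site data (assumptions for this example only).
MYNETWORKS_PREFIX = "192.0.2."
OUR_DOMAINS = {"example.com"}

# Simplified stand-ins for three real restriction elements.
ELEMENTS = {
    "permit_mynetworks":
        lambda s: OK if s["client"].startswith(MYNETWORKS_PREFIX) else DUNNO,
    "reject_unauth_destination":
        lambda s: DUNNO if s["rcpt_domain"] in OUR_DOMAINS else REJECT,
    "reject": lambda s: REJECT,
}

# The four lists that are applied serially for each RCPT TO by default.
LIST_ORDER = [
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
]

def evaluate_rcpt(config, session):
    """Return (verdict, list_name, element) for one RCPT TO command."""
    for list_name in LIST_ORDER:
        for element in config.get(list_name, []):
            result = ELEMENTS[element](session)
            if result == REJECT:
                return (REJECT, list_name, element)   # any list can reject
            if result == OK:
                break          # OK ends this list only; the next list still runs
    return (ACCEPT, None, None)

def lacks_default_reject(config):
    """True when the recipient list has no element that rejects by default."""
    recipient = set(config.get("smtpd_recipient_restrictions", []))
    return not (DEFAULT_REJECT & recipient)

# Recipient-only style: trusted clients relay, everyone else only to our domains.
SAFE = {"smtpd_recipient_restrictions":
        ["permit_mynetworks", "reject_unauth_destination"]}
# Missing default reject: nothing stops an outside client from relaying.
OPEN = {"smtpd_recipient_restrictions": ["permit_mynetworks"]}
# Two lists: only trusted clients may connect, and even they cannot relay,
# because the OK in the client list does not skip the recipient list.
SPLIT = {"smtpd_client_restrictions": ["permit_mynetworks", "reject"],
         "smtpd_recipient_restrictions": ["reject_unauth_destination"]}

OUTSIDER_RELAY = {"client": "203.0.113.9", "rcpt_domain": "elsewhere.example"}
INSIDER_RELAY = {"client": "192.0.2.10", "rcpt_domain": "elsewhere.example"}
OUTSIDER_LOCAL = {"client": "203.0.113.9", "rcpt_domain": "example.com"}
```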
SMTP Authentication for Mail servers - on host with dynamic IP address?
Hi,

I have a PC Box (let's call it 'Bubba') that is connected to my ISP.

Bubba gets its dynamic IP address using dhcp-client from my ISP's dhcp-server.

I have a registered FQDN: csanyi-pal.info and mails are handled by 0 mail.csanyi-pal.info.

Unfortunately the all-time dynamic IP address of my FQDN is on the blocklist. One can see this here: http://www.spamhaus.org

Using command: 'host csanyi-pal.info' one can find IP address and can check to see if the IP Address is currently listed in the live Spamhaus IP blocklists: SBL, XBL and PBL.

Recent results are:

Blocklist Lookup Results
95.85.169.209 is not listed in the SBL
95.85.169.209 is listed in the PBL, in the following records:
* PBL604044
95.85.169.209 is not listed in the XBL

So if I want to remove my dynamic IP from Policy Block List I must set up my Postfix on Bubba to SMTP Authentication for Mail servers, right?

Is this possible?

--
Regards, Pal
http://csanyi-pal.info
Re: SMTP Authentication for Mail servers - on host with dynamic IP address?
On Fri, Jul 22, 2011 at 08:39:25PM +0200, Csanyi Pal wrote:
> Bubba gets its dynamic IP address using dhcp-client from my ISP's dhcp-server.

Hosts with volatile IP addresses need to relay all email via SASL authenticated connections to their ISP's relay. They should also not be the MX hosts for any domains, since cached DNS data may direct clients to send to a stale IP address, which may refuse or misdirect SMTP traffic.

If you want to run an MTA, you need a static IP.

--
Viktor.
Re: SMTP Authentication for Mail servers - on host with dynamic IP address?
Victor Duchovni victor.ducho...@morganstanley.com writes:
> On Fri, Jul 22, 2011 at 08:39:25PM +0200, Csanyi Pal wrote:
> > Bubba gets its dynamic IP address using dhcp-client from my ISP's dhcp-server.
>
> Hosts with volatile IP addresses need to relay all email via SASL authenticated connections to their ISP's relay. They should also not be the MX hosts for any domains, since cached DNS data may direct clients to send to a stale IP address, which may refuse or misdirect SMTP traffic.
>
> If you want to run an MTA, you need a static IP.

I understood! Thanks for the explanation!

--
Regards, Pal
http://csanyi-pal.info
postfix error on trivial-rewrite
Hi there,

I am seeing my Postfix 2.3.3 having following error. It may appear to be problem connecting to LDAP (which uses TLS extension), but I tried running postmap and the output shows that it is successfully lookup domain from LDAP. There are other Postfix servers successfully connecting to LDAP using TLS extension, too.

I am not sure this is LDAP/Postfix integration problem, but I do not know where to go from here. This is the error message.

Thanks in advance.
Yan

Jul 22 19:25:21 sdirpop001 postfix/trivial-rewrite[19891]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Jul 22 19:25:21 sdirpop001 postfix/trivial-rewrite[19891]: fatal: ldap:acceptdomains(0,lock|fold_fix): table lookup problem
Jul 22 19:25:21 sdirpop001 postfix/trivial-rewrite[19892]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Jul 22 19:25:21 sdirpop001 postfix/trivial-rewrite[19892]: fatal: ldap:acceptdomains(0,lock|fold_fix): table lookup problem
Jul 22 19:25:22 sdirpop001 postfix/master[16350]: warning: process /usr/libexec/postfix/trivial-rewrite pid 19891 exit status 1
Jul 22 19:25:22 sdirpop001 postfix/master[16350]: warning: /usr/libexec/postfix/trivial-rewrite: bad command startup -- throttling
Jul 22 19:25:22 sdirpop001 postfix/smtpd[16359]: warning: premature end-of-input on private/rewrite socket while reading input attribute name
Jul 22 19:25:22 sdirpop001 postfix/smtpd[16359]: warning: problem talking to service rewrite: Success
Jul 22 19:25:22 sdirpop001 postfix/master[16350]: warning: process /usr/libexec/postfix/trivial-rewrite pid 19892 exit status 1
Jul 22 19:25:22 sdirpop001 postfix/smtpd[16358]: warning: premature end-of-input on private/rewrite socket while reading input attribute name
Jul 22 19:25:22 sdirpop001 postfix/smtpd[16358]: warning: problem talking to service rewrite: Connection reset by peer
Jul 22 19:25:22 sdirpop001 postfix/smtpd[16354]: warning: premature end-of-input on private/rewrite socket while reading input attribute name
Jul 22 19:25:22 sdirpop001 postfix/smtpd[16354]: warning: problem talking to service rewrite: Success
Jul 22 19:25:22 sdirpop001 postfix/smtpd[16355]: warning: premature end-of-input on private/rewrite socket while reading input attribute name
Jul 22 19:25:22 sdirpop001 postfix/smtpd[16355]: warning: problem talking to service rewrite: Connection reset by peer

This is my LDAP-related configuration in main.cf

mydestination = $myhostname, localhost.$mydomain, localhost, ldap:acceptdomains
acceptdomains_server_host = ldap://hostname:389
acceptdomains_start_tls = yes
acceptdomains_version = 3
acceptdomains_search_base = ou=domain,dc=hubdirect,dc=stage,dc=medplus,dc=com
acceptdomains_query_filter = ((domainname=%s)(objectClass=DirectDomain))
acceptdomains_result_attribute = domainname
acceptdomains_bind = yes
acceptdomains_bind_dn = cn=Directory Manager
acceptdomains_bind_pw = password

This is the output of postmap: postmap -v -q mydomain ldap:acceptdomains, it correctly resolves the domain.

POSTCONF output is below.

[root@sdirpop001 tmp]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
local_recipient_maps = ldap:ldaplocal
local_transport = dovecot
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1024
mydestination = $myhostname, localhost.$mydomain, localhost, ldap:acceptdomains
mynetworks = all
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_tls_mandatory_exclude_ciphers = aNULL
unknown_local_recipient_reject_code = 550
Re: postfix error on trivial-rewrite
On Fri, Jul 22, 2011 at 03:35:41PM -0400, Zhou, Yan wrote:
> I am seeing my Postfix 2.3.3 having following error.

This is 5+ years out of date.

> It may appear to be problem connecting to LDAP (which uses TLS extension),

LDAP over TLS is best attempted with a modern software stack.

> but I tried running postmap and the output shows that it is successfully lookup domain from LDAP. There are other Postfix servers successfully connecting to LDAP using TLS extension, too.

Your trivial-rewrite service may be set for chroot in master.cf. This likely impedes LDAP functionality.

> Jul 22 19:25:21 sdirpop001 postfix/trivial-rewrite[19891]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error

Perhaps the LDAP library can't resolve the server hostname from the chroot jail.

> acceptdomains_server_host = ldap://hostname:389

The hostname may not resolve from the chroot jail. Look at master.cf. The default master.cf file in the Postfix source distribution has chroot disabled. Vendors who repackage Postfix and turn chroot on need to provide users with appropriate support and documentation.

--
Viktor.
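One way to carry out the "look at master.cf" step is to list the services whose chroot column is effectively enabled. This is an added example, not from the original reply or from Postfix; the master.cf text is a constructed sample. It relies on the master(5) rule that "-" in the chroot column means the built-in default, which is y before Postfix 3.0 and n from 3.0 on, so on a 2.3.3 system a "-" still means chrooted.

```python
# Constructed sample master.cf; the columns follow master(5):
# service type private unpriv chroot wakeup maxproc command + args
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
rewrite   unix  -       -       y       -       -       trivial-rewrite
cleanup   unix  n       -       -       -       0       cleanup
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
"""

def chrooted_services(master_cf_text, postfix_major=2):
    """Return 'service/type' for every master.cf entry that runs chrooted."""
    # "-" in the chroot column selects the compiled-in default.
    default = "n" if postfix_major >= 3 else "y"

    # Join continuation lines (leading whitespace) onto the previous entry
    # and drop comments and blank lines.
    entries = []
    for raw in master_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())

    chrooted = []
    for entry in entries:
        fields = entry.split()
        if len(fields) < 8:
            continue                      # not a complete service entry
        chroot = default if fields[4] == "-" else fields[4]
        if chroot == "y":
            chrooted.append(f"{fields[0]}/{fields[1]}")
    return chrooted
```

In the sample, the rewrite service (which runs trivial-rewrite) is reported for either version, while cleanup is reported only when the "-" default resolves to y.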
Re: Σχετ: Anyone solely using SMTP Auth for outbound mail?
On 20/07/2011 22:15, Peter Tselios wrote:
> Well, since I plan to move into the Postfix wagon, from scratch, I want to learn more about the 587 port submission and the blockage of port 25 for that. What are the best practices on the matter? Are there any documents on that? Soren how do you implement it?
>
> P.

The new standard recommends using port 587 (now called submission) for mail submission, instead of overloading port 25.

it is recommended that submission access requires authentication. thus sasl (well, ip based auth is acceptable for some time if you can guarantee that it's ok).

now, given the auth mechanisms that are supported by MUAs, the one that works is PLAIN. in which case, TLS is recommended.
Re: dovecot lmtp
On 20/07/2011 00:03, Kendall Shaw wrote:
> On 07/19/2011 01:32 PM, mouss wrote:
> > On 19/07/2011 22:00, Kendall Shaw wrote:
> >
> > Your setup is ok, but your test is not...
> >
> > you have defined virtual_transport to be dovecot, but this only applies to virtual_mailbox_domains.
> >
> > you didn't explicitly specify mydestination, so the default applies:
> >
> > $ postconf -d mydestination
> > mydestination = $myhostname, localhost.$mydomain, localhost
> >
> > if this applies to you, then localhost is a local domain. this is good. in your tests, you should not send mail to @localhost. keep this reserved for addresses that need local functionality (execute some script,... etc).
>
> Okay, but I am not sending mail to @localhost. I send to ks...@kendallshaw.com. Fetchmail sends RCPT TO:eekshaw@localhost.

that's it. mail sent to localhost goes to localhost...

> There is the header To: ks...@kendallshaw.com in the message. Does postfix decide on the destination based on the To header or RCPT TO?

when you send a letter, it goes to where the address you write on the envelope. you don't expect the mailman to open the envelope to see if you wrote this letter is for ...?

> If it is the latter, I guess this is a fetchmail question, and I'll ask somewhere else.
>
> > for mailboxes @localhost that need to be delivered to a mailbox, use virtual_aliases_maps:
> >
> > joe@localhost joe+localh...@kendallshaw.com
>
> In case this is not a fetchmail problem, I tried:
>
> creating /usr/pkg/etc/postfix/aliases:
>
> kshaw@localhost ks...@kendallshaw.com
>
> postmap /usr/pkg/etc/postfix/aliases
>
> and added to main.cf:
>
> virtual_alias_maps = hash:/usr/pkg/etc/postfix/aliases
>
> and there is no change after postfix reload. Does the alias happen before postfix picks a delivery process?

your /usr/pkg indicates a NetBSD system. yet, your previous log shows a localhost.localdomain which is a linux humphhumph. I'm lost...

retry with append_dot_mydomain = no

or change your virtual thing to

joe@localhost.localdomain joe+localh...@example.com
Re[2]: dovecot lmtp
Original Message
From: mouss mo...@ml.netoyen.net
To: postfix-users@postfix.org
Sent: Sat, Jul 23, 2011, 5:55 AM
Subject: Re: dovecot lmtp

On 20/07/2011 00:03, Kendall Shaw wrote:
> On 07/19/2011 01:32 PM, mouss wrote:
> > On 19/07/2011 22:00, Kendall Shaw wrote:
> >
> > Your setup is ok, but your test is not...
> >
> > you have defined virtual_transport to be dovecot, but this only applies to virtual_mailbox_domains.
> >
> > you didn't explicitly specify mydestination, so the default applies:
> >
> > $ postconf -d mydestination
> > mydestination = $myhostname, localhost.$mydomain, localhost
> >
> > if this applies to you, then localhost is a local domain. this is good. in your tests, you should not send mail to @localhost. keep this reserved for addresses that need local functionality (execute some script,... etc).
>
> Okay, but I am not sending mail to @localhost. I send to ks...@kendallshaw.com. Fetchmail sends RCPT TO:eekshaw@localhost.

that's it. mail sent to localhost goes to localhost...

> There is the header To: ks...@kendallshaw.com in the message. Does postfix decide on the destination based on the To header or RCPT TO?

when you send a letter, it goes to where the address you write on the envelope. you don't expect the mailman to open the envelope to see if you wrote this letter is for ...?

> If it is the latter, I guess this is a fetchmail question, and I'll ask somewhere else.
>
> > for mailboxes @localhost that need to be delivered to a mailbox, use virtual_aliases_maps:
> >
> > joe@localhost joe+localh...@kendallshaw.com
>
> In case this is not a fetchmail problem, I tried:
>
> creating /usr/pkg/etc/postfix/aliases:
>
> kshaw@localhost ks...@kendallshaw.com
>
> postmap /usr/pkg/etc/postfix/aliases
>
> and added to main.cf:
>
> virtual_alias_maps = hash:/usr/pkg/etc/postfix/aliases
>
> and there is no change after postfix reload. Does the alias happen before postfix picks a delivery process?

your /usr/pkg indicates a NetBSD system. yet, your previous log shows a localhost.localdomain which is a linux humphhumph. I'm lost...

retry with append_dot_mydomain = no

or change your virtual thing to

joe@localhost.localdomain joe+localh...@example.com