Whole Domain Mapping Results in Backscatter (rcpt to 250 Ok)

I posted the message below to the postfix-users@postfix.org mailing list and was informed that doing whole domain mappings in the /etc/postfix/virtual file (virtual_alias_maps) unavoidably results in "rcpt to" 250 Ok responses. This results in e-mail backscatter that can result in ISPs getting blacklisted.

Authoritative members of the postfix.org mailing list have indicated that the only way to prevent this issue is to not have any "whole domain" mappings in any virtual_alias_maps file. Instead, the mappings must be replicated completely, achieving the intended result and also ensuring that the desired 550 status code is issued for non-existent addresses of the whole-domain mapped domain.

I can see only 2 possible solutions to this problem:

1) Have virtualmin keep track of which domains are to have replicated e-mail addresses and ensure that replicated e-mail addresses propagate to the whole-domain mapped domains.

2) Have an outside script keep track of which domains are to have replicated e-mail addresses. In this case, there needs to be an indicator coming from virtualmin to trigger the replication. Likewise, when whole-domain mappings are removed via Virtualmin, there needs to be some indicator to the outside script to stop replication and either (a) keep existing replicated addresses, (b) discard all replicated addresses, or (c) selectively discard replicated addresses.

Since I'm motivated to solve this problem for my servers, if you let me know which way you would prefer to see the problem solved, I'll see if I can fix it. Or, if you can fix this issue, please let me know so that I don't attempt a solution myself.

Many thanks,
Steve Amerige
Fat Bear

====================================================
SUBJECT: Transitive Closure for Whole Domain Mapping
TO: postfix-users@postfix.org
====================================================

With:

virtual_alias_maps = hash:/etc/postfix/virtual

and:

/etc/postfix/virtual:
...
domainA.com domainA.com
user1@domainA.com mailboxForUser1-A
user2@domainA.com mailboxForUser2-A
domainB.com domainB.com
@domainB.com @domainA.com

Doing:

# telnet mailserver 25
Trying A.B.C.D...
Connected to mailServer.
Escape character is '^]'.
220 mailServer ESMTP Postfix
helo name
250 mailServer
mail from: foo@bar.com
250 2.1.0 Ok
rcpt to: user3@domainA.com
550 5.1.1 : Recipient address rejected: User unknown in virtual alias table
quit
221 Closing connection. Good bye.
Connection closed by foreign host.
#

gives me exactly the results I want. But doing:

# telnet mailserver 25
Trying A.B.C.D...
Connected to mailServer.
Escape character is '^]'.
220 mailServer ESMTP Postfix
helo name
250 mailServer
mail from: foo@bar.com
250 2.1.0 Ok
rcpt to: user3@domainB.com
250 2.1.5 Ok
quit
221 Closing connection. Good bye.
Connection closed by foreign host.
#

gives an undesired 250 status for the unknown user3@domainB.com. Is there a way to configure Postfix, leaving the file /etc/postfix/virtual unchanged, so that the response to an unknown user via a whole-domain mapping results in a 550 status? [Note: please don't ask me to change the /etc/postfix/virtual file... it is not possible at this time].

Many thanks,
Steve Amerige
Fat Bear

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, fat7.fatbear.com
mynetworks = A.B.C.D
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
relayhost = k2smtpout.secureserver.net
sample_directory = /usr/share/doc/postfix-2.4.5/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/smtp_helo_blacklist,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:2501,
    reject_unknown_recipient_domain,
    zen.spamhaus.org reject_rbl_client placeholder
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /home/mailserver/ssl/mailserver.com/sf_intermediate_bundle.crt
smtpd_tls_cert_file = /home/mailserver/ssl/mailserver.com/_.mailserver.com.pem
smtpd_tls_key_file = /home/mailserver/ssl/mailserver.com/_.mailserver.com.key
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Status: 
Closed (fixed)
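
A sketch of the replication that both proposed solutions depend on, added here as an example and not taken from Virtualmin, Postfix, or the original post: it rewrites a virtual alias map so that each whole-domain line becomes one explicit line per known address, leaving unknown recipients unlisted so that reject_unlisted_recipient can answer 550. The function names and the domainC.com chain entry are assumptions made for illustration, and domain spelling is assumed to be consistent within the file.

```python
# Added example (not Virtualmin or Postfix code): replace every '@src @dst'
# whole-domain line in a virtual alias map with explicit per-address lines.

# The map from the post, plus a constructed second hop (domainC) to show chains.
SAMPLE = """\
domainA.com domainA.com
user1@domainA.com mailboxForUser1-A
user2@domainA.com mailboxForUser2-A
domainB.com domainB.com
@domainB.com @domainA.com
@domainC.com @domainB.com
"""

def is_whole_domain(fields):
    # True for a two-field line such as ['@domainB.com', '@domainA.com'].
    return len(fields) == 2 and all(f.startswith("@") and len(f) > 1 for f in fields)

def expand_whole_domain(virtual_text):
    lines = virtual_text.splitlines()
    rows = [l.split() for l in lines if l.strip() and not l.lstrip().startswith("#")]
    catchall = {r[0][1:]: r[1][1:] for r in rows if is_whole_domain(r)}
    users = {}  # domain -> local parts that are listed explicitly
    for r in rows:
        local, sep, domain = r[0].rpartition("@")
        if sep and local:
            users.setdefault(domain, set()).add(local)

    def valid(domain, seen=frozenset()):
        # Local parts that exist in `domain`, following chained whole-domain
        # mappings; `seen` stops mapping loops.
        found = set(users.get(domain, ()))
        target = catchall.get(domain)
        if target and domain not in seen:
            found |= valid(target, seen | {domain})
        return found

    out = []
    for line in lines:
        fields = line.split()
        if is_whole_domain(fields):
            src, dst = fields[0][1:], fields[1][1:]
            # Map one hop only; Postfix resolves user@dst further on its own.
            for local in sorted(valid(dst) - users.get(src, set())):
                out.append(f"{local}@{src} {local}@{dst}")
        else:
            out.append(line)  # comments, blanks and ordinary entries pass through
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(expand_whole_domain(SAMPLE), end="")
```

The output has to be regenerated whenever an address is added to or removed from a target domain, and the hash map rebuilt with postmap afterwards.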

Comments