Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 408
  • Last Modified:

Email / Exchange / PostFix / MailScanner / ClamAV / SpamAssassin sending to wrong address ..


I just setup a linux based spam filter/relay using MailScanner, ClamAV, and SpamAssassin. When an email arrives it scans the messages and then forwards it on to my exchange server if everything is ok and clean.

Everything works in regards to scanning incoming emails and filtering, however for some reason, once an email passes the filters it gets forwarded to the address "ok@mydomain.com".

The weird part is that all the headers say it should go to the actual email address. It's blowing my mind.

Here is what my /var/log/maillog looks like once the scan has completed and it forwards the message on:

May  6 08:04:28 hostfilter postfix/smtp[24950]: 8081C6567B5: to=<ok@mydomain.com>, orig_to=<wpatterson@mydomain.com>, relay=[]:25, delay=22, delays=21/0.01/0/0.18, dsn=2.6.0, status=sent (250 2.6.0 <20110506140413.94AA96567AB@hostfilter.mydomain.com> Queued mail for delivery)

Open in new window

Notice it is sending to "ok@mydomain.com" with an "orig_to" the actual email address.

Now, I tried to add the address "ok@mydomain.com" as an alias to my account, but that just makes EVERY email in my organization go to ME. Even when the "TO:" address has someone elses email address on it.

Here's the header from an email message that I received that was meant to someone else. You'll notice everything in the header says it's destined for "russ@mydomain.com". But because I added the email account "ok@mydomain.com" as my alias, I received it.

Here's the header:
X-Antivirus: AVG for E-mail
Received: from hostfilter.mydomain.com ( by
 peak2010.mydomain.com ( with Microsoft SMTP Server id; Fri, 6 May 2011 07:58:41 -0600
Received: from col0-omc2-s2.col0.hotmail.com (col0-omc2-s2.col0.hotmail.com
 [])	by hostfilter.mydomain.com (Postfix) with ESMTP id
 AA8E16567AB	for <russ@mydomain.com>; Fri,  6 May 2011 07:59:22 -0600 (MDT)
Received: from COL106-W58 ([]) by col0-omc2-s2.col0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4675);	 Fri, 6 May 2011 06:59:20 -0700
Message-ID: <col106-w589F1D49081EA69F5EA62EF1830@phx.gbl>
Content-Type: multipart/alternative;
X-Originating-IP: []
From: Bill Patterson <asdf@hotmail.com>
To: <russ@mydomain.com>
Subject: Testing
Date: Fri, 6 May 2011 07:59:19 -0600
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 06 May 2011 13:59:20.0252 (UTC) FILETIME=[CBE41FC0:01CC0BF5]
X-peakalarm-MailScanner-Information: Please contact the ISP for more information
X-peakalarm-MailScanner-ID: AA8E16567AB.A66B8
X-peakalarm-MailScanner: Found to be clean
X-peakalarm-MailScanner-From: asdf@hotmail.com
X-Spam-Status: No
Return-Path: asdf@hotmail.com

Open in new window

Everything would work PERFECTLY, if it would forward to the address it has listed in the "orig_" field ..

Any ideas? I don't know if it's MailScanner, or ClamAV, or SpamAssassin sending to that address, but I can't find reference to "ok@" after grepping for hours...

  • 2
1 Solution
How or where are you adding the alias ?
wpatterson82Author Commented:
I use relay_recipients.proto / .db

here's an excerpt:
user1@mydomain.com     OK
user2@mydomain.com     OK
user3@mydomain.com     OK
user4@mydomain.com     OK
user5@mydomain.com     OK

Open in new window

That's the only file I have any "OK" .. but those are needed for postfix correct?

Here are a few lines from my /etc/postfix/main.cf file:

relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
virtual_maps = hash:/etc/postfix/relay_recipients

Open in new window

*Note: If I don't have "virtual_maps" added and just leave "relay_recipient_maps", postfix completely ignores any addresses found in the relay_recipients file.
Sikhumbuzo NtsadaCommented:
Open all your rules and look for the e-mail, this seems to be in the filter rules not the config files of your mails.
wpatterson82Author Commented:

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now