local_recipient_maps set up, yet postfix continues to send bounce messages

[Chad Elliott]

Sorry if this question gets asked too often, but I followed the instructions to stop backscatter email from my server, yet it continues to send bounces.  Here is the output of postconf -n:

alias_maps = hash:/etc/aliases

command_directory = /usr/sbin

config_directory = /etc/postfix

daemon_directory = /usr/libexec/postfix

debug_peer_level = 2

debug_peer_list = XXX.XXX.XXX.XXX

home_mailbox = Maildir/

html_directory = no

inet_interfaces = all

local_recipient_maps = $virtual_alias_maps

mail_owner = postfix

mail_spool_directory = /var/spool/mail

mailbox_command = /usr/bin/procmail -f- -a "$USER"

mailbox_size_limit = 256000000

mailq_path = /usr/bin/mailq.postfix

manpage_directory = /usr/share/man

maximal_queue_lifetime = 3d

mydestination = localhost,$myhostname

mynetworks = XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32

newaliases_path = /usr/bin/newaliases.postfix

queue_directory = /var/spool/postfix

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

sample_directory = /usr/share/doc/postfix-2.3.3/samples

sendmail_path = /usr/sbin/sendmail.postfix

setgid_group = postdrop

smtp_host_lookup = dns, native

smtp_sasl_security_options = noplaintext

smtpd_banner = $myhostname ESMTP $mail_name

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_unlisted_recipient

smtpd_sasl_auth_enable = yes

smtpd_sasl_local_domain = $myhostname

smtpd_sasl_security_options = noanonymous

unknown_local_recipient_reject_code = 550

virtual_alias_maps = hash:/etc/postfix/virtual

virtual_mailbox_base = /var/spool/mail

virtual_mailbox_domains = hash:/etc/postfix/mydomains

There are no wildcards in virtual_alias_maps or alias_maps

Thanks,

Chad.

[Charles Marcus]

Logs?

--

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax

[Chad Elliott]

Such a busy server, it's tough to get just the right snippet, let me know if anything seems missing here.

Oct 14 12:44:46 mail postfix/smtpd[2527]: < mail.senderdomain.org[173.255.XXX.XXX7]: rcpt to:lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: extract_addr: input: lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: smtpd_check_addr: addr=lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: ctable_locate: purge entry key z04...@XXXX.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr request = rewrite

Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr rule = local

Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr address = lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: flags

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: flags

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: 0

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: address

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: address

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: (list terminator)

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: (end)

Oct 14 12:44:46 mail postfix/smtpd[2527]: rewrite_clnt: local: lksjdflka...@mycompany.com -> lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr request = resolve

Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr sender = 

Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr address = lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: flags

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: flags

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: 0

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: transport

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: transport

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: virtual

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: nexthop

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: nexthop

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: recipient

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: recipient

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: flags

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: flags

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: 1024

Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: (list terminator)

Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: (end)

Oct 14 12:44:46 mail postfix/smtpd[2527]: resolve_clnt: `' -> `lksjdflka...@mycompany.com' -> transp=`virtual' host=`mycompany.com' rcpt=`lksjdflka...@mycompany.com' flags= class=virtual

Oct 14 12:44:46 mail postfix/smtpd[2527]: ctable_locate: install entry key lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: extract_addr: in: lksjdflka...@mycompany.com, result: lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: >>> START Recipient address RESTRICTIONS <<<

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=permit_sasl_authenticated

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=permit_sasl_authenticated status=0

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=permit_mynetworks

Oct 14 12:44:46 mail postfix/smtpd[2527]: permit_mynetworks: mail.senderdomain.org 173.255.XXX.XXX7

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_hostname: mail.senderdomain.org ~? 67.192.XXX.XXX/32

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_hostaddr: 173.255.XXX.XXX7 ~? 67.192.XXX.XXX/32

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_hostname: mail.senderdomain.org ~? 127.0.0.0/8

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_hostaddr: 173.255.XXX.XXX7 ~? 127.0.0.0/8

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_list_match: mail.senderdomain.org: no match

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_list_match: 173.255.XXX.XXX7: no match

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=permit_mynetworks status=0

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=reject_unauth_destination

Oct 14 12:44:46 mail postfix/smtpd[2527]: reject_unauth_destination: lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: permit_auth_destination: lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: ctable_locate: leave existing entry key lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=reject_unauth_destination status=0

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=reject_unknown_sender_domain

Oct 14 12:44:46 mail postfix/smtpd[2527]: reject_unknown_address: ch...@senderdomain.org

Oct 14 12:44:46 mail postfix/smtpd[2527]: ctable_locate: move existing entry key ch...@senderdomain.org

Oct 14 12:44:46 mail postfix/smtpd[2527]: reject_unknown_mailhost: senderdomain.org

Oct 14 12:44:46 mail postfix/smtpd[2527]: lookup senderdomain.org type MX flags 0

Oct 14 12:44:46 mail postfix/smtpd[2527]: dns_query: senderdomain.org (MX): OK

Oct 14 12:44:46 mail postfix/smtpd[2527]: dns_get_answer: type MX for senderdomain.org

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=reject_unknown_sender_domain status=0

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=reject_unlisted_recipient

Oct 14 12:44:46 mail postfix/smtpd[2527]: >>> CHECKING RECIPIENT MAPS <<<

Oct 14 12:44:46 mail postfix/smtpd[2527]: ctable_locate: move existing entry key lksjdflka...@mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: maps_find: recipient_canonical_maps: lksjdflka...@mycompany.com: not found

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_string: mycompany.com ~? localhost

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_string: mycompany.com ~? mail.mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_list_match: mycompany.com: no match

Oct 14 12:44:46 mail postfix/smtpd[2527]: maps_find: recipient_canonical_maps: @mycompany.com: not found

Oct 14 12:44:46 mail postfix/smtpd[2527]: mail_addr_find: lksjdflka...@mycompany.com -> (not found)

Oct 14 12:44:46 mail postfix/smtpd[2527]: maps_find: canonical_maps: lksjdflka...@mycompany.com: not found

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_string: mycompany.com ~? localhost

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_string: mycompany.com ~? mail.mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_list_match: mycompany.com: no match

Oct 14 12:44:46 mail postfix/smtpd[2527]: maps_find: canonical_maps: @mycompany.com: not found

Oct 14 12:44:46 mail postfix/smtpd[2527]: mail_addr_find: lksjdflka...@mycompany.com -> (not found)

Oct 14 12:44:46 mail postfix/smtpd[2527]: maps_find: virtual_alias_maps: lksjdflka...@mycompany.com: not found

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_string: mycompany.com ~? localhost

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_string: mycompany.com ~? mail.mycompany.com

Oct 14 12:44:46 mail postfix/smtpd[2527]: match_list_match: mycompany.com: no match

Oct 14 12:44:46 mail postfix/smtpd[2527]: maps_find: virtual_alias_maps: @mycompany.com: not found

Oct 14 12:44:46 mail postfix/smtpd[2527]: mail_addr_find: lksjdflka...@mycompany.com -> (not found)

Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=reject_unlisted_recipient status=0

Oct 14 12:44:46 mail postfix/smtpd[2527]: >>> END Recipient address RESTRICTIONS <<<

Oct 14 12:44:46 mail postfix/smtpd[2527]: > mail.senderdomain.org[173.255.XXX.XXX7]: 250 2.1.5 Ok

Oct 14 12:44:46 mail postfix/smtpd[2527]: watchdog_pat: 0x2b5e30523930

Oct 14 12:44:50 mail postfix/smtpd[2527]: < mail.senderdomain.org[173.255.XXX.XXX7]: quit

Oct 14 12:44:50 mail postfix/smtpd[2527]: > mail.senderdomain.org[173.255.XXX.XXX7]: 221 2.0.0 Bye

Oct 14 12:44:50 mail postfix/smtpd[2527]: match_hostname: mail.senderdomain.org ~? 67.192.XXX.XXX/32

Oct 14 12:44:50 mail postfix/smtpd[2527]: match_hostaddr: 173.255.XXX.XXX7 ~? 67.192.XXX.XXX/32

Oct 14 12:44:50 mail postfix/smtpd[2527]: match_hostname: mail.senderdomain.org ~? 127.0.0.0/8

Oct 14 12:44:50 mail postfix/smtpd[2527]: match_hostaddr: 173.255.XXX.XXX7 ~? 127.0.0.0/8

Oct 14 12:44:50 mail postfix/smtpd[2527]: match_list_match: mail.senderdomain.org: no match

Oct 14 12:44:50 mail postfix/smtpd[2527]: match_list_match: 173.255.XXX.XXX7: no match

Oct 14 12:44:50 mail postfix/smtpd[2527]: send attr request = disconnect

Oct 14 12:44:50 mail postfix/smtpd[2527]: send attr ident = smtp:173.255.XXX.XXX7

Oct 14 12:44:50 mail postfix/smtpd[2527]: private/anvil: wanted attribute: status

Oct 14 12:44:50 mail postfix/smtpd[2527]: input attribute name: status

Oct 14 12:44:50 mail postfix/smtpd[2527]: input attribute value: 0

Oct 14 12:44:50 mail postfix/smtpd[2527]: private/anvil: wanted attribute: (list terminator)

Oct 14 12:44:50 mail postfix/smtpd[2527]: input attribute name: (end)

Oct 14 12:44:50 mail postfix/smtpd[2527]: disconnect from mail.senderdomain.org[173.255.XXX.XXX7]

[Noel Jones]

On 10/14/2013 3:00 PM, Chad Elliott wrote:
> Sorry if this question gets asked too often, but I followed the
> instructions to stop backscatter email from my server, yet it
> continues to send bounces. Here is the output of postconf -n:

Without context, we can't provide much help.

- what instructions did you follow?
- what is being bounced?
- what address class (local, virtual-alias, virtual-mailbox, ...) is
bouncing?
- NON VERBOSE logs demonstrating the problem?




-- Noel Jones

[Chad Elliott]

>Without context, we can't provide much help.


>- what instructions did you follow?

I set up "local_recipient_maps = $virtual_alias_maps" and
"unknown_local_recipient_reject_code = 550" per instructions located
here:
http://www.postfix.org/BACKSCATTER_README.html

- what is being bounced?

mail sent to non-existent aliases/users (not in virtual_alias_maps)

- what address class (local, virtual-alias, virtual-mailbox, ...) is
bouncing?

virtual-alias

- NON VERBOSE logs demonstrating the problem?

Oct 14 13:37:37 mail postfix/smtpd[17348]: A887A1A084D7:
client=mail-ie0-f180.google.com[209.85.223.180]
Oct 14 13:37:37 mail postfix/cleanup[21208]: A887A1A084D7:
message-id=<CAAa=gco6hrAfJx9BdU+W47Rk+K7...@mail.gmail.com>
Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7:
from=<myperso...@gmail.com>, size=1490, nrcpt=1 (queue active)
Oct 14 13:37:37 mail postfix/virtual[20895]: A887A1A084D7:
to=<testb...@myserver.com>, relay=virtual, delay=0.09,
delays=0.09/0/0/0, dsn=5.1.1, status=bounced (unknown user:
"testb...@myserver.com")
Oct 14 13:37:37 mail postfix/bounce[21056]: A887A1A084D7: sender
non-delivery notification: B87541A084D9
Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7: removed

[Charles Marcus]

On 2013-10-14 4:41 PM, Chad Elliott <waypost...@gmail.com> wrote:

- what is being bounced?
mail sent to non-existent aliases/users (not in virtual_alias_maps)

This is the DESIRED result... what is the problem?

--

Best regards,

Charles

[Charles Marcus]

On 2013-10-14 4:00 PM, Chad Elliott <waypost...@gmail.com> wrote:

Sorry if this question gets asked too often, but I followed the instructions to stop backscatter email from my server,

and

On 2013-10-14 4:41 PM, Chad Elliott <waypost...@gmail.com> wrote:

- what is being bounced?
mail sent to non-existent aliases/users (not in virtual_alias_maps)

This is NOT 'backscatter'...

Methinks you have some reading to do...

--

Best regards,

Charles

[Charles Marcus]

Sorry, I misread the logs, I guess it is in fact bounced instead of rejected...

[Charles Marcus]

On 2013-10-14 4:00 PM, Chad Elliott <waypost...@gmail.com> wrote:

virtual_alias_maps = hash:/etc/postfix/virtual

virtual_mailbox_base = /var/spool/mail

virtual_mailbox_domains = hash:/etc/postfix/mydomains

There are no wildcards in virtual_alias_maps or alias_maps

Tests against your maps?

What do

postmap -q myserver.com hash:/etc/postfix/mydomains

postmap -q inv...@myserver.com hash:/etc/postfix/virtual

postmap -q va...@myserver.com hash:/etc/postfix/virtual

return?

--

Best regards,

Charles

[Chad Elliott]

On Mon, Oct 14, 2013 at 5:27 PM, Charles Marcus
<CMa...@media-brokers.com> wrote:
> On 2013-10-14 4:00 PM, Chad Elliott <waypost...@gmail.com> wrote:
>
> virtual_alias_maps = hash:/etc/postfix/virtual
> virtual_mailbox_base = /var/spool/mail
> virtual_mailbox_domains = hash:/etc/postfix/mydomains
>
>
> There are no wildcards in virtual_alias_maps or alias_maps
>
>
> Tests against your maps?
>
> What do
>
> postmap -q myserver.com hash:/etc/postfix/mydomains

response was: "OK"

>
> postmap -q inv...@myserver.com hash:/etc/postfix/virtual
>

No Response, just a blank line

> postmap -q va...@myserver.com hash:/etc/postfix/virtual
>

This responded with the alias that the email address was mapped to, in
this case "INFO"

[Noel Jones]

On 10/14/2013 3:41 PM, Chad Elliott wrote:
>> Without context, we can't provide much help.
>
>
>> - what instructions did you follow?
> I set up "local_recipient_maps = $virtual_alias_maps" and
> "unknown_local_recipient_reject_code = 550" per instructions located
> here:
> http://www.postfix.org/BACKSCATTER_README.html

I don't see anywhere that document recommends setting
local_recipient_maps = $virtual_alias_maps. That looks like a hack
someone dreamed up for covering broken address classes.

Anyway, this won't have any effect for a virtual_mailbox_domain,
which is what it appears you're using.

>
> - what is being bounced?
> mail sent to non-existent aliases/users (not in virtual_alias_maps)
>

> - what address class (local, virtual-alias, virtual-mailbox, ...) is
> bouncing?
> virtual-alias

Make sure you understand address classes.
http://www.postfix.org/ADDRESS_CLASS_README.html

Each domain postfix is responsible for must be listed in *only one*
address class, one of:
- local addresses, domain listed in mydestination, valid recipients
listed in local_recipient_maps
- domains relayed elsewhere for final delivery, domains listed in
relay_domains, valid recipients listed in relay_recipient_maps.
- virtual alias domains, domain listed in virtual_alias_domains,
valid recipients listed in virtual_alias_maps (and must be aliased
to another domain).
- virtual mailbox, domains listed in virtual_mailbox_domains, valid
users listed in virtual_mailbox_maps


Usually people break recipient validation by using @domain <>
@domain rewriting in virtual_alias_maps or in canonical maps. Don't
do that.

>
> - NON VERBOSE logs demonstrating the problem?
>
> Oct 14 13:37:37 mail postfix/smtpd[17348]: A887A1A084D7:
> client=mail-ie0-f180.google.com[209.85.223.180]
> Oct 14 13:37:37 mail postfix/cleanup[21208]: A887A1A084D7:
> message-id=<CAAa=gco6hrAfJx9BdU+W47Rk+K7...@mail.gmail.com>
> Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7:
> from=<myperso...@gmail.com>, size=1490, nrcpt=1 (queue active)
> Oct 14 13:37:37 mail postfix/virtual[20895]: A887A1A084D7:
> to=<testb...@myserver.com>, relay=virtual, delay=0.09,
> delays=0.09/0/0/0, dsn=5.1.1, status=bounced (unknown user:
> "testb...@myserver.com")

Apparently this is a virtual mailbox domain. Valid users must be
listed in virtual_mailbox_maps. Domain rewrite wildcards will break
recipient validation.

> Oct 14 13:37:37 mail postfix/bounce[21056]: A887A1A084D7: sender
> non-delivery notification: B87541A084D9
> Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7: removed
>
>

-- Noel Jones

[Chad Elliott]

> Make sure you understand address classes.

We are not a virtual mailbox domain, we are a virtual alias domain
because we use UNIX accounts for the few mailboxes we have, and alias
several other addresses to them. Here is the definition of a virtual
alias domain straight from the manual:

The virtual alias domain class.

Purpose: hosted domains where each recipient address is aliased to a
local UNIX system account or to a remote address. A virtual alias
example is given in the VIRTUAL_README file.

Domain names are listed in virtual_alias_domains. The default value is
$virtual_alias_maps for Postfix 1.1 compatibility.

Valid recipient addresses are listed with the virtual_alias_maps
parameter. The Postfix SMTP server rejects invalid recipients with
"User unknown in virtual alias table". The default value is
$virtual_maps for Postfix 1.1 compatibility.

There is no mail delivery transport parameter. Every address must be
aliased to some other address.

>Apparently this is a virtual mailbox domain. Valid users must be listed in virtual_mailbox_maps. Domain rewrite wildcards will break recipient validation.

Again, it is not a virtual mailbox domain, and there are no wildcards
used anywhere I am aware of.

>I don't see anywhere that document recommends setting local_recipient_maps = $virtual_alias_maps. That looks like a hack someone dreamed up for covering broken address classes.

Because we are a virtual alias domain, this is where our users are all listed.

[Noel Jones]

On 10/15/2013 4:02 AM, Chad Elliott wrote:
>> Make sure you understand address classes.
>
> We are not a virtual mailbox domain, we are a virtual alias domain
> because we use UNIX accounts for the few mailboxes we have, and alias
> several other addresses to them.

Your setup is badly broken. The example log entry you showed
earlier of an invalid address bouncing showed postfix trying to
deliver the message with the "virtual" delivery agent. This happens
when postfix thinks the domain is a virtual mailbox domain.

- Make sure each domain is listed in only one address class
- Use the documented method for listing valid recipients in each
address class. This does not include "local_recipient_maps =
$virtual_alias_maps".
- Remove any domain1 <-> domain2 rewrites.



-- Noel Jones

[Chad Elliott]

Eureka! I have changed the following in main.cf:

virtual_mailbox_domains = hash:/etc/postfix/mydomains

SHOULD BE

virtual_alias_domains = hash:/etc/postfix/mydomains


Many thanks to Noel Jones for pointing out that postfix thought we
were a virtual mailbox domain, and to everyone who chimed in on this
issue.

Chad Elliott.

[Stan Hoeppner]

On 10/15/2013 4:02 AM, Chad Elliott wrote:
>> Make sure you understand address classes.
>
> We are not a virtual mailbox domain, we are a virtual alias domain

> because we use UNIX accounts for the few mailboxes we have, ...

Noel is correct. You're broken. And you are using
virtual_mailbox_domains. Look at your "postconf -n":

...

virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_domains = hash:/etc/postfix/mydomains

If I understand you correctly, you simply want additional aliases for
your users, correct? To do that you use a *standard Postfix config* and
simply add a virtual_alias_maps file. The left side are the virtual
aliases. The right side are the UNIX account addresses (though they can
be any valid email address):

/etc/postfix/virtual
walter...@breakingbad.com mrw...@breakingbad.com
jessie_...@breakingbad.com jes...@breakingbad.com
gustav...@breakingbad.com g...@breakingbad.com

That's it. It's that simple. Now, if you don't want to accept SMTP
mail to the UNIX acct addresses, only the virtual aliases, simply put
them in an access(5) table and have the following, in this order, in

smtpd_recipient_restrictions
...
check_recipient_access hash:/etc/postfix/shield_acct_names
reject_unlisted_recipient
...

/etc/postfix/shield_acct_names

mrw...@breakingbad.com
jes...@breakingbad.com
g...@breakingbad.com


As long as your check is before virtual alias expansion this should
work. Postfix should reject any mail to UNIX addresses, and any
addresses not in /etc/aliases or /etc/postfix/virtual

I've been using the first half of this setup for years so I know it
works. I've not tested the 'UNIX address shielding', but it should work
as well.

--
Stan

[Stan Hoeppner]

On 10/15/2013 7:31 AM, Stan Hoeppner wrote:

This should have read:

/etc/postfix/shield_acct_names

mrw...@breakingbad.com REJECT unknown user
jes...@breakingbad.com REJECT unknown user
g...@breakingbad.com REJECT unknown user


--
Stan