Local EAI address works for local mail but not SMTP mail

I'm using postfix 3.5.8 on FreeBSD 12.2, the packaged version

I have set up a Chinese EAI domain with some Chinese addresses.

The domain is in virtual_alias_domains, and I have an address map:

# virtual addresses
回声@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s echo
#@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s echo
回声@声.电子邮件测试.中国 echo
#@声.电子邮件测试.中国 echo

(The echo user sends back a copy of the message, for debugging.)

When I send a message locally to the EAI address it works.  When I send a message to the same
address from outside via SMTP, it says it's not in the table.  Any suggestions?

Feb 14 10:26:16 eaicheck postfix/qmgr[48768]: CBA778933E: from=<[hidden email]>, size=345, nrcpt=1 (queue active)
Feb 14 10:26:16 eaicheck postfix/smtpd[48778]: connect from localhost[127.0.0.1]
Feb 14 10:26:16 eaicheck postfix/smtp[48776]: discarding EHLO keywords: STARTTLS
Feb 14 10:26:16 eaicheck postfix/smtpd[48778]: DED2E89340: client=localhost[127.0.0.1]
Feb 14 10:26:16 eaicheck dkimproxy.out[48448]: DKIM signing - signed; message-id=<[hidden email]>, signer=<@eaicheck.services.net>, from=<[hidden email]>
Feb 14 10:26:16 eaicheck postfix/cleanup[48774]: DED2E89340: message-id=<[hidden email]>
Feb 14 10:26:16 eaicheck postfix/qmgr[48768]: DED2E89340: from=<[hidden email]>, size=1078, nrcpt=1 (queue active)
Feb 14 10:26:16 eaicheck postfix/smtp[48776]: CBA778933E: to=<[hidden email]>, orig_to=<�M-^[M-^^声@声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.18, delays=0.03/0.01/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DED2E89340)
Feb 14 10:26:17 eaicheck postfix/smtpd[48778]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Feb 14 10:26:17 eaicheck postfix/qmgr[48768]: CBA778933E: removed
Feb 14 10:26:17 eaicheck postfix/local[48781]: DED2E89340: to=<[hidden email]>, relay=local, delay=0.11, delays=0.09/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to command:  /home/johnl/doecho)
Feb 14 10:26:17 eaicheck postfix/qmgr[48768]: DED2E89340: removed
Feb 14 10:31:25 eaicheck postfix/postfix-script[48806]: refreshing the Postfix mail system
Feb 14 15:31:25 eaicheck postfix/master[35605]: reload -- version 3.5.8, configuration /usr/local/etc/postfix
Feb 14 10:31:51 eaicheck postfix/smtpd[48813]: connect from gal.iecc.com[64.57.183.53]
Feb 14 10:31:52 eaicheck postfix/smtpd[48813]: NOQUEUE: reject: RCPT from gal.iecc.com[64.57.183.53]: 550 5.1.1 <�M-^[M-^^声@�M-^[M-^^声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�>: Recipient address rejected: User unknown in virtual alias table; from=<[hidden email]> to=<�M-^[M-^^声@�M-^[M-^^声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�> proto=ESMTP helo=<gal.iecc.com>
Feb 14 10:31:52 eaicheck postfix/smtpd[48813]: disconnect from gal.iecc.com[64.57.183.53] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
 

--
Regards,
John Levine, [hidden email], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

John Levine:

On 2021-02-14 16:49, John Levine wrote:
make a map that converts eai to idn, then then there is no problem, is
it safe to do virtual alias eai to idn ?

its not safe to have smtpd eai enabled yet

or make postfix have it internaly so both eai and idn is common
supported, problem is postfix is basicly ready for eia but no dns
servers to support this yet

Sorry, this is just wrong.  DNS supports IDN domains just fine using IDNA2008,
and Postfix has good EAI support.

I've gotten EAI addresses to work fine with the domain in mydestination, so this
appears to have something to do with virtual aliases.

R's,
John


In article <[hidden email]> you write:

John Levine:
> Sorry, this is just wrong.  DNS supports IDN domains just fine using IDNA2008,
> and Postfix has good EAI support.
>
> I've gotten EAI addresses to work fine with the domain in mydestination, so this
> appears to have something to do with virtual aliases.
>
> R's,

I'm doing a systematic analysis, no need for other people to speculate.

        Wietse

On Sun, Feb 14, 2021 at 10:49:52AM -0500, John Levine wrote:
The problem does not reproduce. That is, Postfix
accepts mail for 回声@声.电子邮件测试.中国 and
回声@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s, successfully looks
up both virtual aliases, and attempts to deliver both to a local user
"echo" (which in my case does not exist).

I saved your virtual alias map to file, and replaced 'echo' with
'echo@localhost' so that mail would not leave the test machine.

    $ cat /etc/postfix/jl-virtual
    回声@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s     echo@localhost
    #@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s        echo@localhost
    回声@声.电子邮件测试.中国       echo@localhost
    #@声.电子邮件测试.中国  echo@localhost

    $ postmap /etc/postfix/jl-virtual

Verification:

    $ postmap -s hash:/etc/postfix/jl-virtual
    回声@声.电子邮件测试.中国 echo@localhost
    回声@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s echo@localhost

Postfix configuration:

    $ postconf -x virtual_alias_maps virtual_alias_domains smtputf8_enable smtpd_relay_restrictions smtpd_recipient_restrictions
    virtual_alias_maps = hash:/etc/postfix/jl-virtual
    virtual_alias_domains = 声.电子邮件测试.中国 xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s
    smtputf8_enable = yes
    smtpd_relay_restrictions = reject_unauth_destination
    smtpd_recipient_restrictions =

SMTP commands, to show that 'known' aliases are found, and that 'unknown'
aliases are properly rejected:

    $ cat /tmp/echo.smtp
    ehlo wzv.porcupine.org
    mail from:<> SMTPUTF8
    rcpt to:<回声@声.电子邮件测试.中国>
    rcpt to:<回声@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s>
    rcpt to:<whatever@声.电子邮件测试.中国>
    rcpt to:<[hidden email]--fiqs8s>
    data
    whatever
    .
    quit

Test with netcat:

    # nc  -w 5 127.0.0.1 25 </tmp/echo.smtp
    220 wzv.porcupine.org ESMTP Postfix
    250-wzv.porcupine.org
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250-SMTPUTF8
    250 CHUNKING
    250 2.1.0 Ok
    250 2.1.5 Ok
    250 2.1.5 Ok
    550 5.1.1 <whatever@声.电子邮件测试.中国>: Recipient address rejected: User unknown in virtual alias table
    550 5.1.1 <[hidden email]--fiqs8s>: Recipient address rejected: User unknown in virtual alias table
    354 End data with <CR><LF>.<CR><LF>
    250 2.0.0 Ok: queued as 4Ddw0z4T2fz4w8j
    221 2.0.0 Bye

maillog:

Feb 14 12:57:07 wzv postfix/smtpd[249245]: connect from localhost[127.0.0.1]
Feb 14 12:57:07 wzv postfix/smtpd[249245]: improper command pipelining after EHLO from localhost[127.0.0.1]: ...omitted...
Feb 14 12:57:07 wzv postfix/smtpd[249245]: 4Ddw0z4T2fz4w8j: client=localhost[127.0.0.1]
Feb 14 12:57:07 wzv postfix/smtpd[249245]: 4Ddw0z4T2fz4w8j: reject: RCPT from localhost[127.0.0.1]: 550 5.1.1 <whatever@声.电子邮件测试.中国>: Recipient address rejected: User unknown in virtual alias table; from=<> to=<whatever@声.电子邮件测试.中国> proto=ESMTP helo=<wzv.porcupine.org>
Feb 14 12:57:07 wzv postfix/smtpd[249245]: 4Ddw0z4T2fz4w8j: reject: RCPT from localhost[127.0.0.1]: 550 5.1.1 <[hidden email]--fiqs8s>: Recipient address rejected: User unknown in virtual alias table; from=<> to=<[hidden email]--fiqs8s> proto=ESMTP helo=<wzv.porcupine.org>
Feb 14 12:57:07 wzv postfix/cleanup[249248]: 4Ddw0z4T2fz4w8j: message-id=<[hidden email]>
Feb 14 12:57:07 wzv postfix/qmgr[249239]: 4Ddw0z4T2fz4w8j: from=<>, size=292, nrcpt=2 (queue active)
Feb 14 12:57:07 wzv postfix/smtpd[249245]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=2/4 data=1 quit=1 commands=6/8
Feb 14 12:57:07 wzv postfix/local[249249]: 4Ddw0z4T2fz4w8j: to=<echo@localhost>, orig_to=<回声@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (unknown user: "echo")
Feb 14 12:57:08 wzv postfix/local[249254]: 4Ddw0z4T2fz4w8j: to=<echo@localhost>, orig_to=<回声@声.电子邮件测试.中国>, relay=local, delay=1.1, delays=0.01/0/0/1.1, dsn=5.1.1, status=bounced (unknown user: "echo")
Feb 14 12:57:08 wzv postfix/qmgr[249239]: 4Ddw0z4T2fz4w8j: removed

        Wietse

In article <[hidden email]> you write:
Sorry, pilot error.  Upon squinting harder at the address map I see I left out one character
in the address.

R's,
John

On Sun, Feb 14, 2021 at 10:49:52AM -0500, John Levine wrote:

> # virtual addresses
> 回声@xn--zbs01c.xn--5nqx41au4nqohsp3axcg.xn--fiqs8s echo
> 回声@声.电子邮件测试.中国 echo
>
> Feb 14 10:26:16 eaicheck postfix/smtpd[48778]: DED2E89340: client=localhost[127.0.0.1]
> Feb 14 10:26:16 eaicheck postfix/smtp[48776]: CBA778933E: to=<[hidden email]>, orig_to=<�M-^[M-^^声@声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.18, delays=0.03/0.01/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DED2E89340)

Looks good so far, as you reported.
> Feb 14 10:31:25 eaicheck postfix/postfix-script[48806]: refreshing the Postfix mail system
> Feb 14 15:31:25 eaicheck postfix/master[35605]: reload -- version 3.5.8, configuration /usr/local/etc/postfix

Not sure why the reload here, did the configuration change?

> Feb 14 10:31:51 eaicheck postfix/smtpd[48813]: connect from gal.iecc.com[64.57.183.53]
> Feb 14 10:31:52 eaicheck postfix/smtpd[48813]: NOQUEUE: reject: RCPT from gal.iecc.com[64.57.183.53]: 550 5.1.1 <�M-^[M-^^声@�M-^[M-^^声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�>: Recipient address rejected: User unknown in virtual alias table; from=<[hidden email]> to=<�M-^[M-^^声@�M-^[M-^^声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�> proto=ESMTP helo=<gal.iecc.com>

Comparing:

> CBA778933E: orig_to=<�M-^[M-^^声@声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.18, delays=0.03/0.01/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DED2E89340)
> reject:   550 5.1.1 <�M-^[M-^^声@�M-^[M-^^声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�>:

We observe that the reject address and the accepted addresses are not
the same in their domain parts:

             声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�
    �M-^[M-^^声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�

The second has some extra bytes at the front.  Did some friendly
application prepend a BOM?

Whatever you used to scrape the logs and insert the output into your
post seems to not have been UTF-8 transparent.  It would help if you
could avoid the transformation from:

    声.电子邮件测试.中国

to:

   声.�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�

So that at least we could tell what UTF-8 sequences were actually sent.

--
    Viktor.