Zimbra generates an invalid Return-Path header by concatenating multiple local-domain recipient addresses with commas when messages arrive from Microsoft Exchange Online (Office 365) with multiple recipients on the same local domain in To: or Cc: fields. This violates RFC 5321 section 4.5.1 (SMTP envelope sender must contain exactly one mailbox), causing potential delivery failures, bounce loops, or DMARC/SPF misalignment on downstream systems.
Environment
- Zimbra Release: 10.1.15.GA.0126 (0126)
- OS: Ubuntu 22.04 LTS
- Components involved: Postfix smtpd → amavisd-new → cleanup → lmtp delivery
- Configuration: No custom modifications to postfix_header_checks, smtpd_recipient_restrictions, or MTA parameters. DKIM/SPF/DMARC alignment passes on incoming messages.
Specific Conditions Triggering the Issue
The malformed Return-Path occurs exclusively under these precise conditions:
- Sender: Microsoft Exchange Online (*.onmicrosoft.com tenant, outbound via *.outbound.protection.outlook.com)
- Recipients: Multiple addresses on the same local Zimbra domain in To: and/or Cc: fields
- Mixed recipients: Additional recipients from different domains are ignored in the concatenation (only same-domain local recipients are grouped)
Does NOT occur when:
- Only a single recipient on the local domain (one address in To: or Cc:)
- Multiple recipients, but each on a different domain in To:
- Non-Exchange Online senders (Gmail, custom MTAs, internal Zimbra)
Exchange Online sends a single SMTP transaction with multiple RCPT TO: commands for local-domain recipients, which triggers Zimbra/Postfix to aggregate them into one invalid envelope sender during local MTA rewriting.
Reproduction Steps
1. Setup: Configure Zimbra domain example.com with accounts user1@example.com, user2@example.com
2. From an Exchange Online account, send test emails with these recipient combinations:
- Case 1 (Triggers): To: user1@example.com, user2@example.com
- Case 2 (No trigger): To: user1@example.com, external@otherdomain.com
- Case 3 (Triggers): To: user1@example.com, user2@example.com, external@otherdomain.com
- Case 4 (Triggers): To: user1@example.com, external@otherdomain.com / Cc: user2@example.com, user3@example.com
Expected vs Observed Return-Path:

| Test Case | To: Recipients | Cc: Recipients | Expected Return-Path | Observed Return-Path |
|---|---|---|---|---|
| Case 1 | user1@local, user2@local | - | <user1@example.com> | <user1@example.com,user2@example.com> INVALID |
| Case 2 | user1@local, external@other | - | <user1@example.com> | <user1@example.com> ✓ |
| Case 3 | user1@local, user2@local, external@other | - | <user1@example.com> | <user1@example.com,user2@example.com> INVALID |
| Case 4 | user1@local, external@other | user2@local, user3@local | <user1@example.com> | <user1@example.com,user2@example.com,user3@example.com> INVALID |
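As an added check (not part of the original report or of Zimbra's code), the following Python script validates a message's Return-Path against the single-mailbox rule of RFC 5321 section 4.5.1 and lists every concatenated address, so the symptom in the table above can be spotted in delivered or quarantined mail; the sample message and the onmicrosoft.com tenant name in it are constructed.

```python
import re
from email import message_from_string

# RFC 5321 section 4.5.1: the reverse-path carries exactly one mailbox
# (or is empty, "<>", for bounces). Loose addr-spec: no whitespace,
# commas or angle brackets on either side of a single "@".
MAILBOX_RE = re.compile(r"^[^\s<>,@]+@[^\s<>,@]+$")


def check_return_path(value: str) -> dict:
    """Classify a Return-Path header value.

    Returns {"ok": bool, "mailboxes": [...], "reason": str}. A value such
    as <a@x,b@x> (the Zimbra symptom) is reported with every joined
    mailbox so an operator can see exactly what was concatenated.
    """
    v = value.strip()
    if v == "<>":  # null reverse-path: legal, used for DSNs
        return {"ok": True, "mailboxes": [], "reason": "null sender"}
    if not (v.startswith("<") and v.endswith(">")):
        return {"ok": False, "mailboxes": [], "reason": "missing angle brackets"}
    parts = [p.strip() for p in v[1:-1].split(",")]
    if len(parts) > 1:
        return {"ok": False, "mailboxes": parts,
                "reason": f"{len(parts)} mailboxes concatenated"}
    if not MAILBOX_RE.match(parts[0]):
        return {"ok": False, "mailboxes": parts, "reason": "malformed mailbox"}
    return {"ok": True, "mailboxes": parts, "reason": "single mailbox"}


def scan_message(raw: str) -> dict:
    """Check the Return-Path header of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    rp = msg.get("Return-Path")
    if rp is None:
        return {"ok": False, "mailboxes": [], "reason": "no Return-Path header"}
    return check_return_path(rp)


# Constructed sample reproducing the Case 1 symptom (not a real capture).
SAMPLE_BAD = """Return-Path: <user1@example.com,user2@example.com>
From: sender@tenant.onmicrosoft.com
To: user1@example.com, user2@example.com
Subject: test

body
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_BAD))  # ok=False, 2 mailboxes concatenated
```

Pointing scan_message at messages read from the Zimbra store or an amavis quarantine gives a quick count of how many deliveries carried the joined Return-Path.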
Troubleshooting Activities Performed
1. Log Analysis:
- Normal flow: smtpd → amavis → smtp → lmtp
- Exchange sends: single DATA with multi-RCPT TO: user1@local,user2@local
- LMTP delivery shows: "for user1@local" (single rcpt per delivery)
- No header_checks actions logged (no DISCARD/REPLACE/FILTER)
- Post-amavis Postfix line shows malformed Return-Path already present
2. Network Analysis:
tcpdump -i any -s0 -w capture.pcap port 25 or port 587
→ Confirmed Exchange single SMTP session → multi-RCPT TO: → Zimbra aggregates locals
3. Negative Testing (verified no issue):
✓ Gmail sender → multi-local rcpts → single correct Return-Path
✓ Single local rcpt → always correct
✓ Internal Zimbra→Zimbra → correct
✓ Different domains only → correct
4. Configuration Verification:
zmprov gcf zimbraMtaMyNetworks zimbraMtaHeaderChecksEnabled # Defaults OK
postconf -n | grep -E "(header_checks|smtpd_recipient)" # No custom rules
postconf smtpd_milters lmtp_milters # Standard Zimbra
5. Workarounds Tested (ineffective):
Custom header_checks: /^Return-Path:.*,.*@/ IGNORE # Applied too late
zimbraMtaSmtpRestrictEnvelopeFrom FALSE # Outbound-only param
Amavis policy tweaks (bypass_header_checks) # Skips issue but masks
Postfix cleanup regex rules # Post-rewrite phase
- Confirmed on clean 10.1.15.GA.0126 install
- Suspected Postfix 3.6+ + Zimbra MTA integration regression
- No impact on outbound mail or non-O365 inbound
Impact & Severity
- High: Invalid envelope sender breaks RFC 5321 compliance
- DMARC/SPF: Downstream systems reject due to envelope mismatch
- Bounces: Return-Path undeliverable → NDR loops possible
- Scope: Only affects Exchange Online → Zimbra multi-rcpt flows
Requested: root cause analysis of the Postfix cleanup/envelope rewriting phase during multi-RCPT TO: handling from Exchange Online. Expected fix: preserve a single envelope sender per LMTP delivery rather than aggregating local-domain recipients into a comma-separated Return-Path.
I hope somebody can help solve this as soon as possible,
kind regards to all.
Andrea
