[SOLVED] detected undelivered mail to

[algorges]

I'm having trouble with two domains that send messages to my users.

The messages are stuck in the postfix queue with the following message:

D76C12740B 178921 Tue Feb 3 19:22:31 msprvs1=20494iL6NYVzL=bounces-321255@domain.com
(host 127.0.0.1[127.0.0.1] said: 451 4.4.0 detected undelivered mail to <user@domain.com.br> (in reply to end of DATA command))
user@domain.com.br

DC07D26A55 84919 Tue Feb 3 11:12:29 0100019c23d8f34b-c9c6d85a-eb76-4aa4-abfa-2780936b3aa0-000000@ses.domain.com.br
(host 127.0.0.1[127.0.0.1] said: 451 4.4.0 detected undelivered mail to <user2@domain.com.br> (in reply to end of DATA command))
user2@domain.com.br


When I force the queue with `postqueue -f`, the following appears in mail.log.



2026-02-04T15:23:15.280271-03:00 pmg4 postfix/lmtp[183192]: D76C12740B: to=<user@domain.com.br>, relay=127.0.0.1[127.0.0.1]:10024, delay=72044, delays=72026/3.8/14/0.02, dsn=4.4.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.4.0 detected undelivered mail to <user@domain.com.br> (in reply to end of DATA command))
2026-02-04T15:23:18.413163-03:00 pmg4 pmg-smtp-filter[183254]: 2026/02/04-15:23:18 CONNECT TCP Peer: "[127.0.0.1]:44370" Local: "[127.0.0.1]:10024"
2026-02-04T15:23:18.471585-03:00 pmg4 pmg-smtp-filter[183254]: 2238269838E966F601: message has ambiguous content: ERROR
2026-02-04T15:23:18.472176-03:00 pmg4 pmg-smtp-filter[183254]: fast exit because of errors (free 288780288 bytes)

2026-02-04T15:23:18.474580-03:00 pmg4 postfix/lmtp[183209]: DC07D26A55: to=<user2@domain.com.br>, relay=127.0.0.1[127.0.0.1]:10024, delay=101449, delays=101428/3.8/18/0.02, dsn=4.4.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.4.0 detected undelivered mail to <user2@domain.com.br> (in reply to end of DATA command))
2026-02-04T15:23:18.722638-03:00 pmg4 pmg-smtp-filter[183256]: 2026/02/04-15:23:18 CONNECT TCP Peer: "[127.0.0.1]:44378" Local: "[127.0.0.1]:10024"
2026-02-04T15:23:18.787487-03:00 pmg4 pmg-smtp-filter[183256]: 2238369838E96BAC1B: unable to parse message - part did not end with expected boundary
2026-02-04T15:23:18.788134-03:00 pmg4 pmg-smtp-filter[183256]: fast exit because of errors (free 288780288 bytes)


pmgversion -v
proxmox-mailgateway: 9.0.0 (API: 9.0.4/f3ea3fa12b03, running kernel: 6.17.4-2-pve)
pmg-api: 9.0.4
pmg-gui: 5.0.4
proxmox-kernel-helper: 9.0.4
proxmox-kernel-6.17.4-2-pve-signed: 6.17.4-2
proxmox-kernel-6.17: 6.17.4-2
proxmox-kernel-6.17.2-2-pve-signed: 6.17.2-2
proxmox-kernel-6.14.11-5-pve-signed: 6.14.11-5
proxmox-kernel-6.14: 6.14.11-5
clamav-daemon: 1.4.3+dfsg-1
ifupdown2: 3.3.0-1+pmx11
libarchive-perl: 3.7.4.1
libjs-extjs: 7.0.0-5
libproxmox-acme-perl: 1.7.0
libproxmox-acme-plugins: 1.7.0
libpve-apiclient-perl: 3.4.2
libpve-common-perl: 9.1.7
libpve-http-server-perl: 6.0.5
libxdgmime-perl: 1.2.0
lvm2: 2.03.31-2+pmx1
pmg-docs: 9.0.5
pmg-i18n: 3.6.6
pmg-log-tracker: 3.0.1
proxmox-mini-journalreader: 1.6
proxmox-spamassassin: 4.0.2-1
proxmox-widget-toolkit: 5.1.5
pve-firmware: 3.17-2
pve-xtermjs: 5.5.0-3
zfsutils-linux: 2.3.4-pve1

 

[Stoiko Ivanov]

Hmm - seems the mails from these domains are malformed - could you ask the sender to send them to a 3rd party mailbox and share them here?

 

[algorges]

Checking the content via postcat, these are automated emails from billing systems.

Can I save the email via postcat -qbh ID > email.eml and send it to you privately?

Another question, if I add the sender's domain to the whitelist, shouldn't the email go through without filtering?

 

[algorges]

I checked the header of one of the emails and found this problem.

Content-Type: application/pdf
Content-Description: "Pedido_100005093_1725.pdf"
Content-Disposition: attachment; filename="Pedido_100005093_1725.pdf"; filename*=UTF-8''Pedido_100005093_1725.pdf; size=60929
Content-Transfer-Encoding: base64

Could that be a reason?
Checking other emails stuck in the queue, this pattern doesn't match, and apparently the email is structured correctly.

 

[algorges]

we noticed that it started to queue after the updates below


Start-Date: 2026-02-03 08:50:06
Commandline: apt upgrade
Upgrade: pmg-docs:amd64 (9.0.4, 9.0.5), libmime-tools-perl:amd64 (5.515-1, 5.515-1+pmg1), pmg-api:amd64 (9.0.3, 9.0.4), proxmox-backup-client:amd64 (4.1.1-1, 4.1.2-1), libpve-common-perl:amd64 (9.1.4, 9.1.7)
End-Date: 2026-02-03 08:51:09

 

[Onslow]

There is a post reporting similar symptom and a similar time (and version, AFAICS) concidence:

K

Thread 'Unable to parse message'

Feb 5, 2026

Not sure if this is a coincidence but I updated PMG this past Tuesday and I have a user reporting they're not receiving mail.

pmgversion
pmg-api/9.0.4/f3ea3fa12b03 (running kernel: 6.17.4-2-pve)

Some logs

*** outgoing mail server logs ***
Feb  4 11:00:00 outgoingmailserver.edu postfix/smtpd[1393939]: connect from cdsmailserver.edu [x.x.x.x]
Feb  4 11:00:00 outgoingmailserver.edu dovecot: auth-worker(1393940): Warning: userdb passwd: Move templates args to override_fields setting
Feb  4 11:00:00 outgoingmailserver.edu postfix/smtpd[1393939]: 5737B91: client=cdsmailserver.edu[x.x.x.x]...

• kransom
• Replies: 2
• Forum: Mail Gateway: Installation and configuration

 

[algorges]

I downgraded to API 9.0.3 and the problem was solved.
There's something wrong with API 9.0.4.

------
apt install pmg-api=9.0.3

DOWNGRADING:
pmg-api

Summary:
Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 7
Download size: 307 kB
Space needed: 0 B / 1,360 MB available

Continue? [Y/n] y
Get:1 http://download.proxmox.com/debian/pmg trixie/pmg-no-subscription amd64 pmg-api all 9.0.3 [307 kB]
Fetched 307 kB in 1s (337 kB/s)
dpkg: warning: downgrading pmg-api (9.0.4) to (9.0.3)
(Reading database ... 97628 files and directories currently installed.)
Preparing to unpack .../archives/pmg-api_9.0.3_all.deb ...
Unpacking pmg-api (9.0.3) over (9.0.4) ...
Setting up pmg-api (9.0.3) ...
Analyzing/Upgrading existing Databases...done
Processing triggers for man-db (2.13.1-1) ...

 

[CHoe]

Same here. After a downgrade to 9.0.3 everything works fine again.

 

[BastianR]

Looks like a new version was rolled out, at least for the non subscription lab rats:

root@pmg1:~# dpkg -l|grep pmg-api
ii  pmg-api                            9.0.6                                all          Proxmox Mailgateway API Server Implementation

 

[algorges]

I read the changelog and now there's an option in pmg-gui for these cases. I'll update pmg-api to test it.

mail proxy: add checkbox for new 'accept-broken-mime' option.

 

[section1]

@algorges where is that option exactly ? im in 8.2.10 and i can't find it .

EDIT: well i added in pmg.conf in the mail section:

accept-broken-mime 1

 

[algorges]

@algorges where is that option exactly ? im in 8.2.10 and i can't find it .

EDIT: well i added in pmg.conf in the mail section:

accept-broken-mime 1

Configuration / Mail Proxy / Options - Accept Broken MIME Structure

 

[hawkeye]

Same problem here. Since 2 days our mail gateway reports many many errors like ...

message has ambiguous content - adding header
... said: 450 4.1.8 <double-bounce@mail4.localdomain>: Sender address rejected: Domain not found (in reply to RCPT TO command)
<postmaster@mail4.localdomain>: Sender address rejected: Domain not found (in reply to RCPT TO command))

Also I found a suspicious configuration in postfix/main.cf:

mydomain = localdomain
myhostname = mail4.localdomain

Last modify date/time of main.cf is a few minutes before the localdomain lines in mail.log started (Feb 24, 13:32). I never changed this configuration, nobody did!

Yesterday evening I fixed main.cf and also activated Accept Broken Mime. But the localdomain logs and defered mail with ambiguous content does happen again and again.

What did happen here? How can I fix this problem? We use PMG since 2 years without problems.

PMG 9.0.6 with subscription, all current updates installed. Thanks.


proxmox-mailgateway: 9.0.0 (API: 9.0.6/0a1e7f1cf8f3, running kernel: 6.17.4-2-pve)
pmg-api: 9.0.6
pmg-gui: 5.0.5
proxmox-kernel-helper: 9.0.4
proxmox-kernel-6.17.4-2-pve-signed: 6.17.4-2
proxmox-kernel-6.17: 6.17.4-2
proxmox-kernel-6.17.2-2-pve-signed: 6.17.2-2
proxmox-kernel-6.14.11-5-pve-signed: 6.14.11-5
proxmox-kernel-6.14: 6.14.11-5
clamav-daemon: 1.4.3+dfsg-1
ifupdown2: 3.3.0-1+pmx11
libarchive-perl: 3.7.4.1
libjs-extjs: 7.0.0-5
libproxmox-acme-perl: 1.7.0
libproxmox-acme-plugins: 1.7.0
libpve-apiclient-perl: 3.4.2
libpve-common-perl: 9.1.7
libpve-http-server-perl: 6.0.5
libxdgmime-perl: 1.2.0
lvm2: 2.03.31-2+pmx1
pmg-docs: 9.0.6
pmg-i18n: 3.6.6
pmg-log-tracker: 3.0.1
proxmox-mini-journalreader: 1.6
proxmox-spamassassin: 4.0.2-1
proxmox-widget-toolkit: 5.1.5
pve-firmware: 3.17-2
pve-xtermjs: 5.5.0-3
zfsutils-linux: 2.3.4-pve1

 

[Stoiko Ivanov]

Same problem here. Since 2 days our mail gateway reports many many errors like ...

message has ambiguous content - adding header

The change is related to a potential security issue addressed in:

Post in thread 'Proxmox Mail Gateway - Security Advisories'

Feb 17, 2026

Subject: PSA-2026-00005-1: Bypass of mail filters through confusion of the MIME Parser​

Advisory date: 2026-02-17

Packages: pmg-api, libmime-tools-perl

Details: The parser initially processing e-mails for further analysis was set to not cause an error on non-standard and ambiguous information in the 'Content-Type' header:
- multiple occurrences of a 'Content-Type' header
- mulitple boundary parameters for multipart messages
- backslash as part of the boundary parameter for multipart messages
- non-printable and non ASCII characters as part of the boundary...

• ProxmoxSecurityAdvisory

You can selectively allow broken mails by adding rules that match on the added X-Proxmox-Broken-Message header - see the documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_mailproxy_broken_mime

Also I found a suspicious configuration in postfix/main.cf:

mydomain = localdomain
myhostname = mail4.localdomain

Last modify date/time of main.cf is a few minutes before the localdomain lines in mail.log started (Feb 24, 13:32). I never changed this configuration, nobody did!

The postfix configuration in PMG is handled by the templateing system - and it gets rewritten when you change variables in pmg.conf (through the GUI):
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

the localdomain part is usually taken from /etc/resolv.conf - see:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_configuration_files_overview

I hope this helps!

 

[hawkeye]

the localdomain part is usually taken from /etc/resolv.conf - see:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_configuration_files_overview

I hope this helps!

resolvconf and unbound are installed, resolv.conf contains only our main domain and nameserver 127.0.0.1. PMG is also configured to use 127.0.0.1 as DNS.

I'll add a rule to match Broken Mime header. But I don't see a solution for the many defered mails based on this problem:

host ... said: 450 4.1.8 <postmaster@mail4.localdomain>: Sender address rejected: Domain not found (in reply to RCPT TO command)

Where does this localdomain part come from? Is it taken from /etc/hosts? Only this file contains localhost.localdomain for 127.0.0.1, localdomain can't be found anywhere else. The hosts file is unchanged since 2 years, and everything works fine before feb 24th.

A few hundred mails from a few thousend mails per day reports this problem.

 

[Stoiko Ivanov]

'll add a rule to match Broken Mime header. But I don't see a solution for the many defered mails based on this problem:

host ... said: 450 4.1.8 <postmaster@mail4.localdomain>: Sender address rejected: Domain not found (in reply to RCPT TO command)

* please run `pmgconfig sync -restart 1` - then check the main.cf again.
* do you have any overrides in /etc/pmg/templates?

if this does not help, please do share the contents of /etc/resolv.conf, /etc/hosts, and the rendered /etc/postfix/main.cf

 

[laurensb]

I wonder what's causing the messages to be flagged broken. I had this issue with multiple mails now, all with pdf-files attached.

In one case just renaming the attached pdf-file made the mail to be accepted, while with the original filename it was flagged broken. AFAIK the filename does not contain special characters. The file itself was not changed, only the filename.

 

[Stoiko Ivanov]

I wonder what's causing the messages to be flagged broken. I had this issue with multiple mails now, all with pdf-files attached.

The log-lines give already a good hint at the area of the issue - with those (and the complete mail as .eml) it's usually possible to find the issue.

 

[laurensb]

The log-lines give already a good hint at the area of the issue - with those (and the complete mail as .eml) it's usually possible to find the issue.

I've sent you a PM.
Edit: Seems I can't send you a PM. I also can't attach the eml and log lines here as the mail contains sensitive information. My knowledge is not sufficient to determine the cause of flagging this particular mail.

In general: Some users report hundreds of mails flagged as broken and I also had some mails that seem perfectly fine flagged as broken. The attachments I used are mostly pdf-files generated by the browser from mails using the print function or downloaded pdf's from trusted parties like banks and government institutes. Nothing shady, nothing out of the ordinary.

So I wonder if the broken-mime detection isn't too strict.